├── .gitignore
├── ExdiKdSample
├── dirs
├── ExdiKdSample
│ ├── ReadMe.txt
│ ├── resource.h
│ ├── ExdiKdSample.rc
│ ├── GeneratedSources
│ │ ├── ExdiKDSample.tlb
│ │ ├── dlldata.c
│ │ └── ExdiKdSample_i.c
│ ├── ExdiKdSample.rgs
│ ├── targetver.h
│ ├── stdafx.cpp
│ ├── LiveExdiSampleServer.rgs
│ ├── ExdiKdSample.def
│ ├── dllmain.h
│ ├── dllmain.cpp
│ ├── StaticExdiSampleServer.rgs
│ ├── stdafx.h
│ ├── ComHelpers.h
│ ├── ExdiKdSample.idl
│ ├── ExdiKdSample.vcxproj.user
│ ├── sources
│ ├── ExdiKdSample.cpp
│ ├── KDCommandLogger.h
│ ├── InterfaceMarshalHelper.h
│ ├── BasicExdiBreakpoint.h
│ ├── ArgumentHelpers.h
│ ├── LiveExdiSampleServer.h
│ └── dbgeng_exdi_io.h
├── readme.docx
├── images
│ ├── EXDI6.png
│ ├── EXDI7.png
│ ├── EXDI8.png
│ ├── EXDI9.png
│ ├── EXDi.png
│ ├── EXDi2.png
│ ├── EXDi3.png
│ ├── EXDi4.png
│ ├── EXDi5.png
│ └── EXDI10.png
├── KdControllerLib
│ ├── KdControllerLib.vcxproj.user
│ ├── stdafx.cpp
│ ├── stdafx.h
│ ├── targetver.h
│ ├── sources
│ ├── ExceptionHelpers.h
│ ├── AsynchronousKDController.h
│ ├── BufferedStreamReader.h
│ ├── KdControllerLib.vcxproj.filters
│ ├── HandleHelpers.h
│ ├── KDController.h
│ ├── BufferWrapper.h
│ ├── BufferedStreamReader.cpp
│ ├── AsynchronousKdController.cpp
│ └── KdControllerLib.vcxproj
├── KernelConnect0198271677.debugTarget
├── Readme.md
└── ExdiKdSample.sln
├── hvmm
├── hvmm
│ ├── hvmm.h
│ ├── lib
│ │ └── Win1017666
│ │ │ ├── winhvr.exp
│ │ │ ├── winhvr.lib
│ │ │ ├── winhvr.sys
│ │ │ ├── create_lib.bat
│ │ │ ├── Developer Command Prompt for VS 2017.lnk
│ │ │ ├── winhvr_short.def
│ │ │ └── winhvr.def
│ ├── hvmm.inf
│ ├── hvmm.vcxproj.user
│ ├── mDbgPrint.h
│ ├── hvmm.vcxproj.filters
│ ├── AMD64.asm
│ ├── misc.c
│ ├── mWin.h
│ ├── hvmm.c
│ └── hvmm.vcxproj
└── hvmm.sln
├── images
├── image02.png
├── image03.png
├── image04.png
└── screen.png
├── LiveCloudKd
├── stdafx.h
├── stdafx.cpp
├── targetver.h
├── resource.h
├── LiveCloudKd.vcxproj.user
├── file.c
├── LiveCloudKd.sln
├── LiveCloudKd.vcxproj.filters
├── hvdd.h
├── misc.h
├── misc.c
├── hooker.h
└── dmp.h
├── LiveCloudKdSdk
├── files
│ ├── hvmm.sys
│ ├── hvlib.dll
│ └── hvlib.lib
└── public
│ ├── HvlibEnumPublic.h
│ └── HvlibHandle.h
├── LiveCloudKdExample
├── files
│ └── hvlib.lib
├── images
│ └── Demo.png
├── LiveCloudKdExample
│ ├── LiveCloudKdExample.h
│ ├── LiveCloudKdExample.vcxproj.filters
│ ├── LiveCloudKdExample.sln
│ └── LiveCloudKdExample.vcxproj.user
└── README.md
├── leechcore_device_hvmm
├── images
│ ├── 1.png
│ └── 2.png
├── README.md
├── leechcore_device_hvmm.vcxproj.filters
├── leechcore_device_hvmm.vcxproj.user
└── leechcore_device_hvmm.h
└── LiveCloudKdPy
├── Example.py
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | *.log
2 | *.obj
3 | *.tlog
4 | *.ipch
5 | *.pdb
6 |
--------------------------------------------------------------------------------
/ExdiKdSample/dirs:
--------------------------------------------------------------------------------
1 | DIRS = \
2 | KdControllerLib \
3 | ExdiKdSample
4 |
--------------------------------------------------------------------------------
/hvmm/hvmm/hvmm.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/hvmm/hvmm/hvmm.h
--------------------------------------------------------------------------------
/images/image02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/images/image02.png
--------------------------------------------------------------------------------
/images/image03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/images/image03.png
--------------------------------------------------------------------------------
/images/image04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/images/image04.png
--------------------------------------------------------------------------------
/images/screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/images/screen.png
--------------------------------------------------------------------------------
/LiveCloudKd/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKd/stdafx.h
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ReadMe.txt:
--------------------------------------------------------------------------------
1 | Please refer to the included documentation for project details.
--------------------------------------------------------------------------------
/ExdiKdSample/readme.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/readme.docx
--------------------------------------------------------------------------------
/LiveCloudKd/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKd/stdafx.cpp
--------------------------------------------------------------------------------
/LiveCloudKd/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKd/targetver.h
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDI6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDI6.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDI7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDI7.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDI8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDI8.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDI9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDI9.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDi.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDi2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDi2.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDi3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDi3.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDi4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDi4.png
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDi5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDi5.png
--------------------------------------------------------------------------------
/LiveCloudKdSdk/files/hvmm.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKdSdk/files/hvmm.sys
--------------------------------------------------------------------------------
/ExdiKdSample/images/EXDI10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/images/EXDI10.png
--------------------------------------------------------------------------------
/LiveCloudKdSdk/files/hvlib.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKdSdk/files/hvlib.dll
--------------------------------------------------------------------------------
/LiveCloudKdSdk/files/hvlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKdSdk/files/hvlib.lib
--------------------------------------------------------------------------------
/LiveCloudKdExample/files/hvlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKdExample/files/hvlib.lib
--------------------------------------------------------------------------------
/LiveCloudKdExample/images/Demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/LiveCloudKdExample/images/Demo.png
--------------------------------------------------------------------------------
/leechcore_device_hvmm/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/leechcore_device_hvmm/images/1.png
--------------------------------------------------------------------------------
/leechcore_device_hvmm/images/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/leechcore_device_hvmm/images/2.png
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/resource.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/ExdiKdSample/resource.h
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/winhvr.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/hvmm/hvmm/lib/Win1017666/winhvr.exp
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/winhvr.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/hvmm/hvmm/lib/Win1017666/winhvr.lib
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/winhvr.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/hvmm/hvmm/lib/Win1017666/winhvr.sys
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/ExdiKdSample/ExdiKdSample.rc
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/create_lib.bat:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/GeneratedSources/ExdiKDSample.tlb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/ExdiKdSample/ExdiKdSample/GeneratedSources/ExdiKDSample.tlb
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/Developer Command Prompt for VS 2017.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/LiveCloudKd/HEAD/hvmm/hvmm/lib/Win1017666/Developer Command Prompt for VS 2017.lnk
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.rgs:
--------------------------------------------------------------------------------
1 | HKCR
2 | {
3 | NoRemove AppID
4 | {
5 | ForceRemove %APPID% = s 'ExdiTestServer1'
6 | {
7 | val DllSurrogate = s ''
8 | }
9 | }
10 | }
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/KdControllerLib.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/hvmm/hvmm/lib/Win1017666/winhvr_short.def:
--------------------------------------------------------------------------------
1 | LIBRARY winhvr.sys
2 | EXPORTS
3 | WinHvGetPartitionId
4 | WinHvGetPartitionProperty
5 | WinHvInstallIntercept
6 | WinHvPostMessage
7 | WinHvSignalEvent
8 | WinHvAllocatePartitionSintIndex
9 | WinHvAssertVirtualInterrupt
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/stdafx.cpp:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // stdafx.cpp
4 | //
5 | // This file is used to generate precompiled header files.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #include "stdafx.h"
12 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/stdafx.cpp:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // stdafx.cpp
4 | //
5 | // This file is used to generate precompiled header files.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #include "stdafx.h"
12 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/LiveExdiSampleServer.rgs:
--------------------------------------------------------------------------------
1 | HKCR
2 | {
3 | NoRemove CLSID
4 | {
5 | ForceRemove {67030926-1754-4FDA-9788-7F731CBDAE42} = s 'LiveExdiSampleServer Class'
6 | {
7 | InprocServer32 = s '%MODULE%'
8 | {
9 | val ThreadingModel = s 'Apartment'
10 | }
11 | TypeLib = s '{FEA1B500-2641-4B1D-88A3-E795429C842B}'
12 | Version = s '1.0'
13 | val AppID = s '%APPID%'
14 | }
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.def:
--------------------------------------------------------------------------------
1 | ;----------------------------------------------------------------------------
2 | ;
3 | ; Copyright (c) Microsoft. All rights reserved.
4 | ;
5 | ;----------------------------------------------------------------------------
6 |
7 | LIBRARY
8 |
9 | EXPORTS
10 | DllCanUnloadNow PRIVATE
11 | DllGetClassObject PRIVATE
12 | DllRegisterServer PRIVATE
13 | DllUnregisterServer PRIVATE
14 | DllInstall PRIVATE
15 |
--------------------------------------------------------------------------------
/LiveCloudKd/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by LiveCloudKd.rc
4 |
5 | // Next default values for new objects
6 | //
7 | #ifdef APSTUDIO_INVOKED
8 | #ifndef APSTUDIO_READONLY_SYMBOLS
9 | #define _APS_NEXT_RESOURCE_VALUE 101
10 | #define _APS_NEXT_COMMAND_VALUE 40001
11 | #define _APS_NEXT_CONTROL_VALUE 1001
12 | #define _APS_NEXT_SYMED_VALUE 101
13 | #endif
14 | #endif
15 |
--------------------------------------------------------------------------------
/LiveCloudKdExample/LiveCloudKdExample/LiveCloudKdExample.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 |
6 | #define HANDLE_TYPE_EXAMPLE
7 |
8 | #include "HvlibHandle.h"
9 |
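/* Chunk size used when dumping VM memory to a file. Parenthesized so that
 * the macro behaves as a single value inside larger expressions: without
 * the parentheses `x / DUMP_BLOCK_SIZE` would expand to `x / 1024 * 1024`. */
#define DUMP_BLOCK_SIZE (1024*1024)
/* Size of one guest physical page. */
#define DUMP_PAGE_SIZE 0x1000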
12 |
/*
 * Creates the file a VM dump is written to and returns its handle through
 * Handle. Returns TRUE on success, FALSE otherwise (presumed from the BOOL
 * return type; the implementation is not in this header).
 */
BOOL
CreateDestinationFile(
    LPCWSTR Filename,
    PHANDLE Handle
    );

/*
 * Writes NbOfBytesToWrite bytes from Buffer to Handle; the name indicates
 * the call does not return before the write has completed. Returns TRUE on
 * success, FALSE otherwise.
 */
BOOL
WriteFileSynchronous(
    HANDLE Handle,
    PVOID Buffer,
    ULONG NbOfBytesToWrite
    );
25 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/stdafx.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // stdafx.h
4 | //
5 | // The headers referenced in this file will be precompiled.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 |
13 | #include "targetver.h"
14 |
15 | #include
16 | #include
17 |
18 | #include
19 | #include
20 |
--------------------------------------------------------------------------------
/hvmm/hvmm/hvmm.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; hvlckd.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=System
8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
9 | Provider=%ManufacturerName%
10 | DriverVer=
11 | CatalogFile=hvmm.cat
12 |
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 |
16 |
17 | [SourceDisksNames]
18 | 1 = %DiskName%,,,""
19 |
20 | [SourceDisksFiles]
21 |
22 |
23 | [Manufacturer]
24 | %ManufacturerName%=Standard,NT$ARCH$
25 |
26 | [Standard.NT$ARCH$]
27 |
28 |
29 | [Strings]
30 | ManufacturerName="" ;TODO: Replace with your manufacturer name
31 | ClassName=""
32 | DiskName="hvmm"
33 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/dllmain.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // dllmain.h
4 | //
5 | // Declaration of the module class.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
// ATL module object for this in-process COM server. DllMain (dllmain.cpp)
// forwards every process/thread notification to the single instance
// _AtlModule declared below.
class CStaticExdiSampleModule : public ATL::CAtlDllModuleT< CStaticExdiSampleModule >
{
public :
    // Type library this server belongs to.
    DECLARE_LIBID(LIBID_ExdiKdSampleLib)
    // Registry script resource and AppID GUID, presumably consumed by the
    // exported DllRegisterServer/DllUnregisterServer entry points.
    DECLARE_REGISTRY_APPID_RESOURCEID(IDR_STATICEXDISAMPLE, "{B1C91B48-34B6-406F-9481-FFB6A16D4C4F}")
};

// Defined once in dllmain.cpp.
extern class CStaticExdiSampleModule _AtlModule;
19 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/targetver.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // targetver.h
4 | //
5 | // Target version definition file.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 | #pragma once
11 |
12 | // Including SDKDDKVer.h defines the highest available Windows platform.
13 |
14 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
15 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
16 |
17 | #include
18 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/dllmain.cpp:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // dllmain.cpp
4 | //
5 | // Implementation of DllMain().
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #include "stdafx.h"
12 | #include "resource.h"
13 | #include "ExdiKdSample.h"
14 | #include "dllmain.h"
15 |
// The single ATL module object for this DLL (declared extern in dllmain.h);
// DllMain below delegates to it.
CStaticExdiSampleModule _AtlModule;
17 |
18 | // DLL Entry Point
// DLL entry point. Every attach/detach notification is delegated to the ATL
// module object; hInstance itself is not needed here.
extern "C" BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    (void)hInstance; // unused parameter
    return _AtlModule.DllMain(dwReason, lpReserved);
}
24 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/StaticExdiSampleServer.rgs:
--------------------------------------------------------------------------------
1 | HKCR
2 | {
3 | NoRemove CLSID
4 | {
5 | ForceRemove {53838F70-0936-44A9-AB4E-ABB568401508} = s 'StaticExdiSampleServer Class'
6 | {
7 | InprocServer32 = s '%MODULE%'
8 | {
9 | val ThreadingModel = s 'Apartment'
10 | }
11 | TypeLib = s '{FEA1B500-2641-4B1D-88A3-E795429C842B}'
12 | Version = s '1.0'
13 | val AppID = s '%APPID%'
14 | }
15 | }
16 | }
17 |
18 | HKLM
19 | {
20 | NoRemove SOFTWARE
21 | {
22 | NoRemove Microsoft
23 | {
24 | NoRemove eXdi
25 | {
26 | NoRemove DriverList
27 | {
28 | val {53838F70-0936-44A9-AB4E-ABB568401508} = s 'exdikd'
29 | }
30 | }
31 | }
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/leechcore_device_hvmm/README.md:
--------------------------------------------------------------------------------
1 | This is a MemProcFS plugin for reading Hyper-V memory using the Hyper-V Memory Manager library.
2 |
3 | Sources were taken from https://github.com/ufrisk/LeechCore
4 |
5 | - MemProcFs can be found on https://github.com/ufrisk/MemProcFS by @ulfrisk
6 |
7 | - LiveCloudKd: https://github.com/gerhart01/LiveCloudKd
8 |
9 | Copy leechcore_device_hvmm.dll together with hvlib.dll and hvmm.sys to the MemProcFS folder
10 |
11 | Start MemProcFS:
12 | ```
13 | MemProcFS.exe -device hvmm -v
14 | ```
15 |
16 | You should see something like this:
17 |
18 | 
19 |
20 | Next, you can go to the M: drive and use the pypykatz plugin, e.g.:
21 |
22 | 
23 |
24 | You can also read instructions on plugin usage at:
25 | https://github.com/ufrisk/LeechCore/wiki/Device_LiveCloudKd
26 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/stdafx.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // stdafx.h
4 | //
5 | // The headers referenced in this file will be precompiled.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 |
13 | #ifndef STRICT
14 | #define STRICT
15 | #endif
16 |
17 | #include "targetver.h"
18 |
19 | #define _ATL_APARTMENT_THREADED
20 |
21 | #define _ATL_NO_AUTOMATIC_NAMESPACE
22 |
23 | #define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // some CString constructors will be explicit
24 |
25 |
26 | #define ATL_NO_ASSERT_ON_DESTROY_NONEXISTENT_WINDOW
27 |
28 | #define _CRT_SECURE_NO_WARNINGS
29 | #include "resource.h"
30 | #include
31 | #include
32 | #include
33 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ComHelpers.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // ComHelpers.h
4 | //
5 | // Helper methods used to facilitate COM-related tasks.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 | #include
13 | #include
14 |
namespace COMHelpers
{
    // Duplicates a NUL-terminated wide string into COM task memory so it can
    // be handed across a COM boundary (the receiver is expected to release it
    // with CoTaskMemFree). Returns nullptr when CoTaskMemAlloc fails.
    // pString must not be nullptr: this is only asserted, so in a build with
    // asserts disabled a null argument reaches wcslen.
    static inline LPOLESTR CopyStringToTaskMem(const wchar_t *pString)
    {
        assert(pString != nullptr);
        const size_t charCount = wcslen(pString) + 1; // include the terminator
        const size_t byteCount = charCount * sizeof(wchar_t);
        LPOLESTR pCopy = static_cast<LPOLESTR>(CoTaskMemAlloc(byteCount));
        if (pCopy == nullptr)
        {
            return nullptr;
        }
        memcpy(pCopy, pString, byteCount);
        return pCopy;
    }
}
--------------------------------------------------------------------------------
/hvmm/hvmm/hvmm.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Win10x17666
5 | DbgengKernelDebugger
6 | False
7 | None
8 |
9 |
10 | C:\Program Files (x86)\Windows Kits\10\Testing\Tests\Utilities\DefaultDriverPackageInstallationTask.dll
11 | Win10x64
12 |
13 | Microsoft.DriverKit.DefaultDriverPackageInstallationClass.PerformDefaultDriverPackageInstallation
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/sources:
--------------------------------------------------------------------------------
1 | MSC_WARNING_LEVEL=/W4 /WX
2 |
3 | TARGETNAME=KdControllerLib
4 | TARGETTYPE=LIBRARY
5 |
6 | !if "$(DBGSDK_REF_PATH)" == ""
7 | DBGSDK_REF_PATH=$(SDKTOOLS_REF_PATH)
8 | !endif
9 |
10 | USE_LIBCMT=1
11 | USE_NATIVE_EH=1
12 | USE_STL=1
13 | STL_VER=100
14 |
15 | SOURCES=\
16 | AsynchronousKdController.cpp \
17 | BufferedStreamReader.cpp \
18 | KDController.cpp
19 |
20 | PASS0_BINPLACE = \
21 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\KdControllerLib *.cpp \
22 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\KdControllerLib *.h \
23 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\KdControllerLib KDController.* \
24 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\KdControllerLib KdControllerLib.* \
25 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\KdControllerLib sources \
26 |
--------------------------------------------------------------------------------
/LiveCloudKdExample/README.md:
--------------------------------------------------------------------------------
1 | Demo project showing the following functions of LiveCloudKdSdk:
2 |
3 | (Before compiling, check that the include and library directories point to LiveCloudKdSdkPublic.h and LiveCloudKdSdk.lib, which can be taken from the LiveCloudKdSdk project.)
4 |
5 | - read physical memory
6 | - read virtual memory
7 | - suspend VM (needs the PowerShell Hyper-V modules; for Windows containers you have to use the SuspendResumeWriteSpecRegister SUSPEND_RESUME_METHOD parameter)
8 | - resume VM (needs the PowerShell Hyper-V modules; for Windows containers you have to use the SuspendResumeWriteSpecRegister SUSPEND_RESUME_METHOD parameter)
9 | - dump VM to file
10 |
11 | The Demo1 function uses the full PHVDD_PARTITION structure for working with a partition.
12 | Demo2 uses simpler HANDLE-based structures for use with non-C languages (ULONG, PVOID and WCHAR types only). To use it, include LiveCloudKdSdkHandle.h instead of LiveCloudKdSdkPublic.h in your project.
13 |
14 | 
15 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/ExceptionHelpers.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // ExceptionHelpers.h
4 | //
5 | // Auxiliary definitions used to handle exceptions.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 |
13 | #include
14 | #include
15 |
// Catch clauses that translate exceptions escaping a COM method body into an
// HRESULT return value; place the macro directly after the method's try
// block. The order matters: the specific _com_error and std::bad_alloc
// handlers must come before the catch-all, which maps every other exception
// to E_FAIL and therefore hides its cause from the caller.
#define CATCH_AND_RETURN_HRESULT \
    catch(_com_error const &error) \
    { \
        return error.Error(); \
    } \
    catch(std::bad_alloc const &) \
    { \
        return E_OUTOFMEMORY; \
    } \
    catch (...) \
    { \
        return E_FAIL; \
    }
29 |
--------------------------------------------------------------------------------
/ExdiKdSample/KernelConnect0198271677.debugTarget:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
15 |
18 |
21 |
22 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/GeneratedSources/dlldata.c:
--------------------------------------------------------------------------------
1 | /*********************************************************
2 | DllData file -- generated by MIDL compiler
3 |
4 | DO NOT ALTER THIS FILE
5 |
6 | This file is regenerated by MIDL on every IDL file compile.
7 |
8 | To completely reconstruct this file, delete it and rerun MIDL
9 | on all the IDL files in this DLL, specifying this file for the
10 | /dlldata command line option
11 |
12 | *********************************************************/
13 |
14 |
15 | #include
16 |
17 | #ifdef __cplusplus
18 | extern "C" {
19 | #endif
20 |
21 | EXTERN_PROXY_FILE( ExdiKdSample )
22 |
23 |
24 | PROXYFILE_LIST_START
25 | /* Start of list */
26 | REFERENCE_PROXY_FILE( ExdiKdSample ),
27 | /* End of list */
28 | PROXYFILE_LIST_END
29 |
30 |
31 | DLLDATA_ROUTINES( aProxyFileList, GET_DLL_CLSID )
32 |
33 | #ifdef __cplusplus
34 | } /*extern "C" */
35 | #endif
36 |
37 | /* end of generated dlldata file */
38 |
--------------------------------------------------------------------------------
/LiveCloudKdPy/Example.py:
--------------------------------------------------------------------------------
1 | #
2 | # hvlib.py examples
3 | # GPL3 License
4 | # version 1.0.0
5 | #
6 |
7 |
8 | from hvlib import *
9 |
def get_vm_id():
    """Prompt on stdin for a VM id and return the leading integer token.

    Raises ValueError if the first whitespace-separated token is not an int.
    """
    print("Please select the ID of the virtual machine")
    reply = input('')
    first_token = reply.split(" ")[0]
    return int(first_token)
14 |
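# Open the library. Whether the constructor returns None on failure or
# raises is not visible here; keep the None check but actually stop the
# script — a bare `exit` name expression evaluates to nothing and lets the
# script fall through to an AttributeError.
objHvlib = hvlib("")

if objHvlib is None:
    raise SystemExit(1)

# Set logging level
vm_ops = objHvlib.GetPreferredSettings()
vm_ops.LogLevel = 1

bResult = objHvlib.EnumPartitions(vm_ops)

if not bResult:
    raise SystemExit(1)

vm_id = get_vm_id()

page_size = 0x1000
phys_address = 0x10000

vm_handle = objHvlib.SelectPartition(vm_id)
buffer1 = objHvlib.ReadPhysicalMemoryBlock(vm_handle, phys_address, page_size)
KernelBase = objHvlib.GetData(vm_handle, HvddInformationClass.HvddKernelBase)
objHvlib.PrintHex(KernelBase)
buffer2 = objHvlib.ReadVirtualMemoryBlock(vm_handle, KernelBase, page_size)

# Write-back demo: both calls write the exact bytes just read to the same
# addresses, so the guest's memory is left unchanged. Passing any other
# buffer here would modify the memory of a running VM.
bResult = objHvlib.WriteVirtualMemoryBlock(vm_handle, KernelBase, buffer2)
bResult = objHvlib.WritePhysicalMemoryBlock(vm_handle, phys_address, buffer1)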
--------------------------------------------------------------------------------
/LiveCloudKdExample/LiveCloudKdExample/LiveCloudKdExample.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.idl:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // ExdiKdSample.idl
4 | //
5 | // Copyright (c) Microsoft. All rights reserved.
6 | //
7 | //----------------------------------------------------------------------------
8 |
9 | import "oaidl.idl";
10 | import "ocidl.idl";
11 | #include "exdi3.idl"
12 |
//Used for internal synchronization: lets the code that runs an asynchronous
//kd command call back into the server (LiveExdiSampleServer implements it,
//see the coclass below).  Not part of the public EXDI contract.
[object, oleautomation, uuid(650FE759-CC39-49A8-8BBA-13DE47107B98)]
interface IAsynchronousCommandNotificationReceiver : IUnknown
{
    //Notification that the asynchronous command has finished.
    HRESULT OnAsynchronousCommandCompleted();
    //Periodic hook for liveness checks (presumably of the target / kd process; confirm in the server).
    HRESULT PerformKeepaliveChecks();
}
20 |
[
    uuid(FEA1B500-2641-4B1D-88A3-E795429C842B),
    version(1.0),
]
library ExdiKdSampleLib
{
    importlib("stdole2.tlb");
    // Static server: memory/register access only (no stepping or running of
    // the target, see the project Readme).
    [
        uuid(53838F70-0936-44A9-AB4E-ABB568401508)
    ]
    coclass StaticExdiSampleServer
    {
        [default] interface IeXdiServer3;
        interface IeXdiARM4Context3;
        interface IeXdiX86_64Context3;
        interface IeXdiArmV8Arch64Context3;
    };

    // Live server: same EXDI surface plus the internal notification interface
    // used to synchronise asynchronous commands.
    [
        uuid(67030926-1754-4FDA-9788-7F731CBDAE42)
    ]
    coclass LiveExdiSampleServer
    {
        [default] interface IeXdiServer3;
        interface IeXdiARM4Context3;
        interface IeXdiX86_64Context3;
        interface IeXdiArmV8Arch64Context3;
        interface IAsynchronousCommandNotificationReceiver;
    };
};
51 |
52 | import "shobjidl.idl";
53 |
--------------------------------------------------------------------------------
/LiveCloudKdExample/LiveCloudKdExample/LiveCloudKdExample.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29009.5
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LiveCloudKdExample", "LiveCloudKdExample\LiveCloudKdExample.vcxproj", "{A9DBACD3-577B-4533-82E9-37EAB201F756}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Debug|x64.ActiveCfg = Debug|x64
17 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Debug|x64.Build.0 = Debug|x64
18 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Debug|x86.ActiveCfg = Debug|Win32
19 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Debug|x86.Build.0 = Debug|Win32
20 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Release|x64.ActiveCfg = Release|x64
21 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Release|x64.Build.0 = Release|x64
22 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Release|x86.ActiveCfg = Release|Win32
23 | {A9DBACD3-577B-4533-82E9-37EAB201F756}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {77C6CCFC-CE30-48E6-BB77-970A62AD41B8}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/leechcore_device_hvmm/leechcore_device_hvmm.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Distr\Test\WinDBG101903x64\kd.exe
5 | -kx exdi:CLSID={53838F70-0936-44A9-AB4E-ABB568401508},Kd=VerAddr:123456
6 | RemoteWithoutAuthentication
7 | WindowsRemoteDebugger
8 | C:\Distr\Test\WinDBG101903x64\
9 | 192.168.174.130
10 | C:\Distr\Test\WinDBG101903x64\
11 |
12 |
13 | WindowsRemoteDebugger
14 | C:\Windows\system32\DllHost.exe
15 | /Processid:{B1C91B48-34B6-406F-9481-FFB6A16D4C4F}
16 | C:\Distr\Test\WinDBG101903x64\
17 | 192.168.174.130
18 | RemoteWithoutAuthentication
19 | C:\Distr\Test\WinDBG101903x64\
20 |
21 |
--------------------------------------------------------------------------------
/ExdiKdSample/Readme.md:
--------------------------------------------------------------------------------
1 | This project is a modified EXDPlugins example from the WinDBG SDK
2 | (C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiKdSample)
3 |
4 | It uses the LiveCloudKdSdk library for memory read/write operations and for getting registers.
5 |
6 | There is a readme.docx in the ExdiKdSample project in the WinDBG SDK directory, which describes the architecture of the EXDi interface. In short,
7 | EXDI is an interface that allows extending WinDBG by adding support for hardware debuggers. We don't have hardware debuggers for Hyper-V, but we can plug LiveCloudKdSdk function calls into the EXDi interface.
8 |
9 | 
10 |
11 | For installation:
12 |
13 | 1. Copy LiveCloudKd.exe, hvlib.dll, hvmm.sys and ExdiKdSample.dll to the WinDBG x64 directory
14 | 2. Register ExdiKdSample.dll using the command regsvr32.exe ExdiKdSample.dll
15 | 3. Start LiveCloudKd with the /w option: LiveCloudKd.exe /w. It automatically launches WinDBG with the EXDi interface.
16 |
17 | 
18 |
19 | You can use WinDBG Preview with the EXDi plugin too. But WinDBG Preview has a bug with automatically starting the EXDi plugin from the command line, therefore it must be started manually.
20 |
21 | 1. Launch LiveCloudKd.exe /x.
22 | 2. Copy the string provided by LiveCloudKd.
23 |
24 | 
25 |
26 | 3. Start WinDBGX, go to File - Start debugging - Attach to Kernel, open the EXDi tab and paste the string into the field.
27 |
28 | 
29 |
30 | 4. You can read/write guest OS memory and execute the WinDBG commands that work for dump files. Remember that this is a static plugin example, so you can't single-step (F11, F8) or run the target (F5).
31 |
32 | 
33 |
34 | Detailed information about live debugging can be found on [this page](LiveDebugging.md)
35 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/AsynchronousKDController.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // AsynchronousKdController.h
4 | //
5 | // An extension of the KDController class that allows running certain commands
6 | // (e.g. running target) asynchronously.
7 | //
8 | // Copyright (c) Microsoft. All rights reserved.
9 | //
10 | //----------------------------------------------------------------------------
11 |
12 | #pragma once
13 | #include
14 |
15 | #include "KDController.h"
16 |
17 | namespace KDControllerLib
18 | {
// KDController subclass that can run a kd.exe command on a worker thread and
// hand back its result later, so that commands which block kd until the target
// breaks (run, step) do not block the caller.
class AsynchronousKDController : public KDController
{
public:
    // Factory; pDebuggingToolsPath / pConnectionArguments presumably locate and
    // parameterise kd.exe (confirm in AsynchronousKdController.cpp).  Returns a
    // raw pointer, so the caller is expected to own and delete it.
    static AsynchronousKDController *Create(_In_ LPCTSTR pDebuggingToolsPath,
                                            _In_ LPCTSTR pConnectionArguments);

    // Synchronous execution, overriding the base-class implementation.
    virtual std::string ExecuteCommand(_In_ LPCSTR pCommand) override;

    // Asynchronous execution: StartAsynchronousCommand launches pCommand on
    // m_asynchronousCommandThread, IsAsynchronousCommandInProgress polls it and
    // GetAsynchronousCommandResult waits up to timeoutInMilliseconds, storing the
    // output in *pResult (may be null) when it is available.
    // NOTE(review): the exact timeout/return-value contract lives in the .cpp — confirm there.
    void StartAsynchronousCommand(_In_ LPCSTR pCommand);
    bool IsAsynchronousCommandInProgress();
    bool GetAsynchronousCommandResult(_In_ DWORD timeoutInMilliseconds, _Out_opt_ std::string *pResult);

    //High-level commands
    void StartStepCommand(unsigned processorNumber);
    void StartRunCommand();

    // Returns the breakpoint number used by DeleteCodeBreakpoint; numbers are
    // tracked in m_breakpointSlots.
    unsigned CreateCodeBreakpoint(_In_ AddressType address);
    void DeleteCodeBreakpoint(_In_ unsigned breakpointNumber);

    // NOTE(review): declared non-virtual here; deleting through a KDController*
    // is only safe if the base class declares a virtual destructor — confirm in KDController.h.
    ~AsynchronousKDController();
protected:
    AsynchronousKDController(_In_ HANDLE processHandle, _In_ HANDLE stdInput, _In_ HANDLE stdOutput);

private:
    HANDLE m_asynchronousCommandThread;
    std::string m_currentAsynchronousCommand;
    std::string m_currentAsynchronousCommandResult;

    static DWORD CALLBACK AsynchronousCommandThreadBody(LPVOID p);

    std::vector m_breakpointSlots;   // NOTE(review): element type missing in this copy of the file
};
51 | }
--------------------------------------------------------------------------------
/LiveCloudKdExample/LiveCloudKdExample/LiveCloudKdExample.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Distr\Test\WinDBG101903x64\LiveCloudKdExample.exe
5 | WindowsRemoteDebugger
6 | C:\Distr\Test\WinDBG1022H2x64\LiveCloudKdExample.exe
7 | C:\Distr\Test\WinDBG1022H2x64
8 | 192.168.1.114
9 | C:\Distr\Test\WinDBG1022H2x64
10 | F:\Projects\HyperVDebug\files\hvlib.dll
11 | RemoteWithoutAuthentication
12 | true
13 |
14 |
15 | C:\Distr\Test\WinDBG101903x64\LiveCloudKdExample.exe
16 | WindowsRemoteDebugger
17 | C:\Distr\Test\WinDBG1022H2x64\LiveCloudKdExample.exe
18 | C:\Distr\Test\WinDBG1022H2x64
19 | 192.168.1.114
20 | C:\Distr\Test\WinDBG1022H2x64
21 | F:\Projects\HyperVDebug\files\hvlib.dll
22 | RemoteWithoutAuthentication
23 | true
24 |
25 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/BufferedStreamReader.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // BufferedStreamReader.h
4 | //
5 | // A class used to read a stream line-by-line with an arbitrary delimiter.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 |
13 | #include
14 | #include
15 | #include
16 | #include "BufferWrapper.h"
17 |
18 | namespace KDControllerLib
19 | {
//This class is used to read a given stream (represented by a HANDLE) on a line-by-line basis, where
//the 'line delimiter' is an arbitrary-length string.
//It is used by KDController to read the entire response of kd.exe up until the '\r\nkd> ' sequence.
//NOTE: The class does not own the handle.
//NOTE: This class is optimized for simplicity, not performance. Do not use it in performance-critical code.
class BufferedStreamReader final
{
public:
    // Capture groups of the delimiter regex (presumably excluding group 0, the whole match — see Read()).
    typedef std::vector MatchCollection;   // NOTE(review): element type missing in this copy of the file

    // stream: handle to read from; it is not closed by this object.
    BufferedStreamReader(_In_ HANDLE stream);
    ~BufferedStreamReader();

    // Reads until `delimiter` matches and returns the text in front of the match.
    // pRegexMatchesExcept0, when given, receives the delimiter's sub-matches.
    std::string Read(_In_ const std::regex &delimiter, _Out_opt_ MatchCollection *pRegexMatchesExcept0 = nullptr);

private:
    // Bytes requested per read when no buffered line is available.
    static size_t const c_readChunkSize = 65536;

    HANDLE m_stream;

    //Contains the data already read from the stream but not returned to client yet.
    SimpleCharBuffer m_internalBuffer;
    // Number of bytes at the front of m_internalBuffer that have already been
    // consumed; reclaimed by RemoveFrontGapInBuffer().
    size_t m_frontGapSize;

    //Returns false when no buffered data is available and a normal read should be performed
    bool TryReadBufferedData(_Inout_ std::string *pBuffer,
                             _In_ const std::regex &delimiter,
                             _Out_opt_ MatchCollection *pRegexMatchesExcept0);

    void RemoveFrontGapInBuffer();
};
51 | }
--------------------------------------------------------------------------------
/hvmm/hvmm/mDbgPrint.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
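#define DBG_PRINT_LEVEL DPFLTR_ERROR_LEVEL

/*
 * Kernel-mode trace helpers on top of DbgPrintEx (DPFLTR_IHVDRIVER_ID).
 * `format` is NOT a printf format string: it is printed through "%-50s" as a
 * label and the value is appended in hex, so caller-supplied text never
 * becomes a format string.
 * Bodies are do { ... } while (0) so that each macro is a single statement:
 * the previous `{ ... }` form did not compose with an un-braced
 * `if (x) DbgLog(...); else ...`.
 */
#define DbgLog(format, ...)                  do { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DBG_PRINT_LEVEL, "%-50s [%08X]\n", format, __VA_ARGS__); } while (0)
#define DbgLog16(format, value)              do { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DBG_PRINT_LEVEL, "%-50s [%016I64X]\n", format, value); } while (0)
#define DbgPrintString(value)                do { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DBG_PRINT_LEVEL, "%s \n", value); } while (0)
#define DbgPrintUStringString(value1,value2) do { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DBG_PRINT_LEVEL, "%s %wZ \n", value1, value2); } while (0)

//
//Enable additional debug logs
//
// NOTE(review): defined unconditionally, so the KDbg* helpers below always
// emit, in release builds too.  Consider tying this to the WDK's DBG macro.
//

#define DBG_PRINT_STRINGS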
16 |
/* Prints a plain string via DbgPrintString when DBG_PRINT_STRINGS is defined;
 * otherwise compiles to nothing (the parameter is referenced only to keep
 * /W4 /WX quiet). */
__forceinline void KDbgPrintString(PCSTR value) {
#ifdef DBG_PRINT_STRINGS
    DbgPrintString(value);
#else
    UNREFERENCED_PARAMETER(value);
#endif
}
25 |
26 |
27 | //__forceinline void KDbgLog(PCSTR format, ...) {
28 | //#ifdef DBG_PRINT_STRINGS
29 | // va_list vl;
30 | // va_start(vl, format);
31 | // DbgLog(format, vl);
32 | // //va_end(vl);
33 | //#else
34 | // UNREFERENCED_PARAMETER(format);
35 | //#endif
36 | //}
37 |
/* Logs `format` as a label followed by a 32-bit value in hex ("%08X") via
 * DbgLog; no-op unless DBG_PRINT_STRINGS is defined.  Wider values truncate —
 * use KDbgLog16 for 64-bit quantities. */
__forceinline void KDbgLog(PCSTR format, ULONG value) {
#ifdef DBG_PRINT_STRINGS
    DbgLog(format, value);
#else
    UNREFERENCED_PARAMETER(format);
    UNREFERENCED_PARAMETER(value);
#endif
}
47 |
/* Logs `format` as a label followed by a 64-bit value in hex ("%016I64X") via
 * DbgLog16; no-op unless DBG_PRINT_STRINGS is defined. */
__forceinline void KDbgLog16(PCSTR format, ULONG64 value) {
#ifdef DBG_PRINT_STRINGS
    DbgLog16(format, value);
#else
    UNREFERENCED_PARAMETER(format);
    UNREFERENCED_PARAMETER(value);
#endif
}
57 |
58 |
59 | //__forceinline void KDbgLog16(PCSTR format, ...) {
60 | //#ifdef DBG_PRINT_STRINGS
61 | // va_list vl;
62 | // va_start(vl, format);
63 | // DbgLog16(format, vl);
64 | // //va_end(vl);
65 | //#else
66 | // UNREFERENCED_PARAMETER(format);
67 | //#endif
68 | //}
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/sources:
--------------------------------------------------------------------------------
1 | MSC_WARNING_LEVEL=/W4 /WX
2 |
3 | TARGETNAME=ExdiKdSample
4 | TARGETTYPE=DYNLINK
5 |
6 | MIDL_FLAGS=$(MIDL_FLAGS) /I ..\..\..\..\external\exdi
7 |
8 | _NT_TARGET_VERSION=$(_NT_TARGET_VERSION_WIN7)
9 |
10 | USE_LIBCMT=1
11 | USE_NATIVE_EH=1
12 | USE_STL=1
13 | STL_VER=100
14 |
15 | USE_ATL=1
16 | ATL_VER=70
17 | !if "$(DBGSDK_REF_PATH)" == ""
18 | DBGSDK_REF_PATH=$(SDKTOOLS_REF_PATH)
19 | !endif
20 |
21 | SOURCES=\
22 | dllmain.cpp \
23 | ExdiKdSample.idl \
24 | ExdiKdSample.cpp \
25 | LiveExdiSampleServer.cpp \
26 | StaticExdiSampleServer.cpp \
27 | $(O)\ExdiKdSample_i.c \
28 | ExdiKdSample.rc
29 |
30 | TARGETLIBS=\
31 | $(SDK_LIB_PATH)\kernel32.lib \
32 | $(SDK_LIB_PATH)\user32.lib \
33 | $(SDK_LIB_PATH)\advapi32.lib \
34 | $(SDK_LIB_PATH)\ole32.lib \
35 | $(SDK_LIB_PATH)\oleaut32.lib \
36 | $(SDK_LIB_PATH)\uuid.lib \
37 | $(PROJECT_OBJ_ROOT)\debuggers\samples\exdi\ExdiKdSample\KdControllerLib\$(O)\KdControllerLib.lib
38 |
39 | INCLUDES = \
40 | ..\KDControllerLib; \
41 | $(INCLUDES)
42 |
43 | # We ship samples as source code projects. Need to binplace in test dir to support running functional tests
44 | # against these samples.
45 | PASS2_BINPLACE=\
46 | -:DEST dbg\test $(OBJ_PATH)\$(O)\$(TARGETNAME).dll \
47 |
48 | PASS0_BINPLACE = \
49 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample *.cpp \
50 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample *.h \
51 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample *.rgs \
52 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample *.txt \
53 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample ExdiKdSample.* \
54 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample product.* \
55 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample\ExdiKdSample sources \
56 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample ..\dirs \
57 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample ..\ExdiKdSample.sln \
58 | -:DEST $(DBG_PRI_LAYOUT)\sdk\samples\exdi\ExdiKdSample ..\readme.docx \
59 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/ExdiKdSample.cpp:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // ExdiKdSample.cpp
4 | //
5 | // Contains exported functions required by COM.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #include "stdafx.h"
12 | #include "resource.h"
13 | #include "ExdiKdSample.h"
14 | #include "dllmain.h"
15 |
16 | using namespace ATL;
17 |
// Used by OLE to determine whether the DLL can be unloaded; the decision is
// delegated entirely to the ATL module.
STDAPI DllCanUnloadNow(void)
{
    const HRESULT hr = _AtlModule.DllCanUnloadNow();
    return hr;
}
23 |
// Returns a class factory for rclsid through *ppv (as riid); delegated to the
// ATL module's object map.
STDAPI DllGetClassObject(_In_ REFCLSID rclsid, _In_ REFIID riid, _Outptr_ LPVOID* ppv)
{
    const HRESULT hr = _AtlModule.DllGetClassObject(rclsid, riid, ppv);
    return hr;
}
29 |
// DllRegisterServer - Adds entries to the system registry: the object, the
// typelib and all interfaces in the typelib, via the ATL module.
STDAPI DllRegisterServer(void)
{
    return _AtlModule.DllRegisterServer();
}
37 |
// DllUnregisterServer - Removes the entries added by DllRegisterServer.
STDAPI DllUnregisterServer(void)
{
    return _AtlModule.DllUnregisterServer();
}
44 |
// DllInstall - Adds/Removes entries to the system registry per user per machine.
// bInstall   : TRUE registers the server, FALSE unregisters it.
// pszCmdLine : optional regsvr32 /i argument; the exact token "user" (ATL 11+)
//              switches to per-user registration before (un)registering.
// Returns the HRESULT of the underlying (un)registration; a failed install is
// rolled back with DllUnregisterServer and the original failure is returned.
STDAPI DllInstall(BOOL bInstall, _In_opt_ LPCWSTR pszCmdLine)
{
#if _ATL_VER >= 0x0B00 //11.00
    static const wchar_t szUserSwitch[] = L"user";

    // _countof includes the terminator, so only the exact token "user" matches.
    const bool perUser = (pszCmdLine != NULL) &&
                         (_wcsnicmp(pszCmdLine, szUserSwitch, _countof(szUserSwitch)) == 0);
    if (perUser)
    {
        ATL::AtlSetPerUserRegistration(true);
    }
#else
    UNREFERENCED_PARAMETER(pszCmdLine);
#endif

    if (!bInstall)
    {
        return DllUnregisterServer();
    }

    const HRESULT hr = DllRegisterServer();
    if (FAILED(hr))
    {
        // Undo whatever part of the registration succeeded; the caller gets
        // the registration failure, not the rollback result.
        DllUnregisterServer();
    }

    return hr;
}
78 |
79 |
80 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/KDCommandLogger.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // KDCommandLogger.h
4 | //
5 | // A helper class that shows KD.EXE commands being executed.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 | #include "KDController.h"
13 |
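// Shows the commands sent to KD.EXE and the text it returns in a console so the
// operator can follow the debugger backend.  Commands are printed in bright
// yellow (red+green, intensity), everything else in white.  With
// allocateConsole the object creates its own console (freed in the destructor);
// otherwise it writes to the process's existing STD_OUTPUT_HANDLE.
class KDCommandLogger : public KDControllerLib::IKDTextHandler
{
public:
    // allocateConsole: create (and later free) a dedicated console window.
    KDCommandLogger(bool allocateConsole)
        : m_consoleAllocated(allocateConsole)
        , m_standardOutput(INVALID_HANDLE_VALUE)
    {
        if (allocateConsole)
        {
            AllocConsole();
        }

        SetConsoleCP(CP_ACP);
        m_standardOutput = GetStdHandle(STD_OUTPUT_HANDLE);
        SetConsoleTitle(_T("Blind KD - please close when done debugging"));

        // Very tall scroll-back (SHRT_MAX-1 rows) so long kd output is kept;
        // the visible window is 100 columns by 50 rows.
        COORD newConsoleSize = {100, SHRT_MAX - 1};
        SetConsoleScreenBufferSize(m_standardOutput, newConsoleSize);

        SMALL_RECT windowSize = {0, 0, newConsoleSize.X - 1, 49};
        SetConsoleWindowInfo(m_standardOutput, TRUE, &windowSize);
    }

    ~KDCommandLogger()
    {
        if (m_consoleAllocated)
        {
            FreeConsole();
        }
    }

public:
    // IKDTextHandler: writes pText plus a newline, colour-coded by textType.
    // Does nothing when there is no usable stdout handle (e.g. the process has
    // no console and allocateConsole was false), rather than handing an
    // invalid handle to WriteFile.
    void HandleText(KDControllerLib::KDTextType textType, _In_z_ const char *pText)
    {
        assert(pText != nullptr);
        if (m_standardOutput == nullptr || m_standardOutput == INVALID_HANDLE_VALUE)
        {
            return;
        }

        if (textType == KDControllerLib::KDTextType::Command)
        {
            SetConsoleTextAttribute(m_standardOutput, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
        }
        else
        {
            SetConsoleTextAttribute(m_standardOutput, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
        }

        // strlen once; `done` starts at 0 so a failed WriteFile cannot leave
        // it uninitialised for the assert.
        const DWORD length = static_cast<DWORD>(strlen(pText));
        DWORD done = 0;
        BOOL written = WriteFile(m_standardOutput, pText, length, &done, nullptr);
        assert(written && done == length);
        written = WriteFile(m_standardOutput, "\n", 1, &done, nullptr);
        assert(written && done == 1);
        (void)written;   // only inspected by the asserts in debug builds
    }


private:
    bool m_consoleAllocated;
    HANDLE m_standardOutput;
};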
--------------------------------------------------------------------------------
/hvmm/hvmm/hvmm.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 |
22 |
23 | Header Files\Driver Files
24 |
25 |
26 |
27 |
28 | Source Files
29 |
30 |
31 | Source Files
32 |
33 |
34 | Source Files
35 |
36 |
37 | Source Files
38 |
39 |
40 | Source Files
41 |
42 |
43 |
44 |
45 | Header Files
46 |
47 |
48 | Header Files
49 |
50 |
51 | Header Files
52 |
53 |
54 | Header Files
55 |
56 |
57 |
58 |
59 | Source Files
60 |
61 |
62 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/InterfaceMarshalHelper.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // InterfaceMarshalHelper.h
4 | //
5 | // A simple wrapper class that helps marshalling COM interfaces across apartments.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 | #include
13 | #include
14 | #include
15 |
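// Marshals a COM interface pointer once, at construction and on the creating
// thread, into an in-memory stream so that other apartments/threads can obtain
// their own proxy via TryUnmarshalInterfaceForCurrentThread().
// NOTE(review): the class declares no copy control; a copy would release the
// same stream twice.  Treat instances as non-copyable.
template <typename TInterface> class InterfaceMarshalHelper
{
public:
    // pInterface   : interface to marshal.
    // marshalFlags : MSHLFLAGS_* value, e.g. MSHLFLAGS_TABLESTRONG so the
    //                stream can be unmarshalled more than once.
    // Throws std::exception when the stream cannot be created or the marshal fails.
    InterfaceMarshalHelper(_In_ TInterface *pInterface, DWORD marshalFlags) //flags such as MSHLFLAGS_TABLESTRONG
        : m_pStream(nullptr)
        , m_creatorThreadId(GetCurrentThreadId())
    {
        HRESULT result = CreateStreamOnHGlobal(NULL, TRUE, &m_pStream);
        if (FAILED(result))
        {
            throw std::exception("Failed to create a global stream");
        }

        result = CoMarshalInterface(m_pStream, __uuidof(TInterface), pInterface, MSHCTX_INPROC, NULL, marshalFlags);
        if (FAILED(result))
        {
            // A throwing constructor never runs the destructor, so without this
            // the stream (and the HGLOBAL it owns, fDeleteOnRelease == TRUE)
            // would leak.
            m_pStream->Release();
            m_pStream = nullptr;
            throw std::exception("Failed to marshal the interface");
        }

        InitializeCriticalSection(&m_criticalSection);
    }

    // Must run on the creating thread: releases the marshal data and the stream.
    ~InterfaceMarshalHelper()
    {
        assert(m_creatorThreadId == GetCurrentThreadId());
        if (m_pStream != nullptr)
        {
            // SEEK_SET (0) doubles for STREAM_SEEK_SET: rewind before releasing the marshal data.
            m_pStream->Seek(LARGE_INTEGER(), SEEK_SET, NULL);
            CoReleaseMarshalData(m_pStream);

            m_pStream->Release();
            m_pStream = nullptr;
        }
        DeleteCriticalSection(&m_criticalSection);
    }

    // Unmarshals a proxy usable on the calling thread, or returns nullptr on
    // failure.  The returned pointer carries its own reference, which the
    // caller must Release().  The critical section serialises the rewind+read
    // of the shared stream.
    TInterface *TryUnmarshalInterfaceForCurrentThread()
    {
        EnterCriticalSection(&m_criticalSection);
        m_pStream->Seek(LARGE_INTEGER(), SEEK_SET, NULL);
        TInterface *pInterface = nullptr;
        HRESULT result = CoUnmarshalInterface(m_pStream, __uuidof(TInterface), reinterpret_cast<void **>(&pInterface));
        LeaveCriticalSection(&m_criticalSection);

        if (FAILED(result))
        {
            pInterface = nullptr;
        }

        return pInterface;
    }

private:
    IStream *m_pStream;
    CRITICAL_SECTION m_criticalSection;
    DWORD m_creatorThreadId;
};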
73 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/KdControllerLib.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 | Header Files
44 |
45 |
46 |
47 |
48 | Source Files
49 |
50 |
51 | Source Files
52 |
53 |
54 | Source Files
55 |
56 |
57 | Source Files
58 |
59 |
60 |
--------------------------------------------------------------------------------
/leechcore_device_hvmm/leechcore_device_hvmm.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Distr\Test\MemProcFs\MemProcFs.exe
5 | -device hvmm://id=0,unix -v
6 | C:\Distr\Test\MemProcFs
7 | 192.168.174.130
8 | C:\Distr\Test\MemProcFs
9 | WindowsRemoteDebugger
10 | false
11 | RemoteWithoutAuthentication
12 |
13 |
14 | C:\Distr\Test\MemProcFs\MemProcFs.exe
15 | -device hvmm://id=0,unix -v
16 | C:\Distr\Test\MemProcFs
17 | 192.168.174.130
18 | C:\Distr\Test\MemProcFs
19 | WindowsRemoteDebugger
20 | false
21 | RemoteWithoutAuthentication
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 | WindowsRemoteDebugger
35 | true
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | WindowsRemoteDebugger
44 | true
45 |
46 |
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/HandleHelpers.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // HandleHelpers.h
4 | //
5 | // Wrapper classes for the system handles.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 |
11 | #pragma once
12 |
13 | namespace KDControllerLib
14 | {
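// Owning wrapper for a Win32 HANDLE.  INVALID_HANDLE_VALUE is the "empty"
// state and Close() runs from the destructor.  Copying is disabled (declared,
// never defined) because two wrappers must never close the same handle.
class HandleWrapper
{
public:
    HandleWrapper()
        : m_handle(INVALID_HANDLE_VALUE)
    {
    }

    // Takes ownership of handle; it is closed by Close() / the destructor.
    HandleWrapper(_In_ HANDLE handle)
        : m_handle(handle)
    {
    }

    ~HandleWrapper()
    {
        Close();
    }

    // Gives up ownership: returns the handle and leaves the wrapper empty.
    HANDLE Detach()
    {
        HANDLE handle = m_handle;
        m_handle = INVALID_HANDLE_VALUE;
        return handle;
    }

    HANDLE Get() const
    {
        return m_handle;
    }

    // NOTE: only INVALID_HANDLE_VALUE counts as "no handle".  APIs that report
    // failure with NULL (CreateThread, CreateEvent, ...) would leave a NULL
    // here that IsValid() reports as valid and Close() passes to CloseHandle.
    bool IsValid() const
    {
        return m_handle != INVALID_HANDLE_VALUE;
    }

    HANDLE *operator&()
    {
        //Used to pass to a _Out_ PHANDLE argument. Similar to CComPtr in ATL.
        //If the handle is already valid, such use case will lead to a handle leak.
        assert(m_handle == INVALID_HANDLE_VALUE);
        return &m_handle;
    }

    // Closes the owned handle (if any) and resets to the empty state.  The
    // CloseHandle result is deliberately not checked; nothing can be done about it here.
    void Close()
    {
        if (m_handle == INVALID_HANDLE_VALUE)
        {
            return;
        }

        CloseHandle(m_handle);
        m_handle = INVALID_HANDLE_VALUE;
    }

    // Replaces the owned handle, closing the previous one first.
    void Attach(_In_ HANDLE handle)
    {
        Close();
        m_handle = handle;
    }

    // Resets *pHandle to INVALID_HANDLE_VALUE.
    // NOTE(review): the CloseHandle call appears to have been commented out, so
    // this only forgets the handle — whoever still holds it must close it or it
    // leaks.  Confirm that this is intentional (e.g. the handle is owned elsewhere).
    static void CloseAndInvalidate(_Inout_ HANDLE *pHandle)
    {
        assert(pHandle != nullptr);
        //CloseHandle(*pHandle);
        *pHandle = INVALID_HANDLE_VALUE;
    }

private:
    HANDLE m_handle;

    HandleWrapper(_In_ const HandleWrapper &anotherHandleWrapper);
    void operator=(_In_ const HandleWrapper &anotherHandleWrapper);
};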
88 |
// HandleWrapper that refuses to be constructed from INVALID_HANDLE_VALUE
// (debug-build assert only; in release the check compiles away).
class ValidHandleWrapper : public HandleWrapper
{
public:
    ValidHandleWrapper(_In_ HANDLE handle)
        : HandleWrapper(handle)
    {
        assert(handle != INVALID_HANDLE_VALUE);
    }
};
98 |
99 | }
--------------------------------------------------------------------------------
/hvmm/hvmm/AMD64.asm:
--------------------------------------------------------------------------------
1 |
2 | EXTERN pPsGetCurrentProcessOrig:QWORD
3 | EXTERN pAddrOfArchNewPsGetCurrentProcess:QWORD
4 | EXTERN pHandleOfLiveCloudKd:QWORD
5 | EXTERN pHandleOfVmwp:QWORD
6 | EXTERN VidPsProcessCheckWorker:NEAR
7 |
; Saves rax, rbx, rcx, rdx, rdi, rsi and r8-r15 on the stack (rbp/rsp are not
; saved).  mPOPAD restores them in the reverse order.  Not referenced by the
; procedures in this file.
mPUSHAD MACRO
    push rax
    push rbx
    push rcx
    push rdx
    push rdi
    push rsi
    push r8
    push r9
    push r10
    push r11
    push r12
    push r13
    push r14
    push r15
ENDM
24 |
; Counterpart of mPUSHAD: pops the same registers in reverse order.
mPOPAD MACRO
    pop r15
    pop r14
    pop r13
    pop r12
    pop r11
    pop r10
    pop r9
    pop r8
    pop rsi
    pop rdi
    pop rdx
    pop rcx
    pop rbx
    pop rax
ENDM
41 |
42 | .CODE
43 |
; Clears CR0.WP (bit 16, mask 10000h) so that supervisor-mode writes to
; read-only pages are no longer faulted.  Interrupts are disabled across the
; CR0 update.
; NOTE(review): `sti` at the end unconditionally re-enables interrupts even if
; the caller entered with IF clear; a pushfq/popfq pair would restore the
; caller's state.  The routine never sets WP again, so write protection stays
; off until something else restores it — a kernel-integrity risk if the
; window is not kept as short as possible.
; rdx is zeroed and not restored (volatile in the x64 ABI).
ModCR0 PROC
    cli
    push rsi
    push rdi
    push rbx
    xor rdx,rdx
    xor rbx,rbx
    xor rsi,rsi
    xor rdi,rdi
    mov rax, cr0
    mov rbx, 10000h
    not rbx
    and rax, rbx
    mov cr0, rax
    pop rbx
    pop rdi
    pop rsi
    sti
    ret
ModCR0 ENDP
64 |
; Reads the MSR whose index is in ecx (rdmsr) and returns the 64-bit value in
; rax by folding edx (high dword) into the upper half.
; NOTE(review): PROC and ENDP spell the name differently (ArchReadMsr vs
; ArchReadMSR); MASM symbols are case-insensitive by default, but the spelling
; should be made consistent.
ArchReadMsr PROC
    rdmsr
    shl rdx, 20h
    or rax,rdx
    ret
ArchReadMSR ENDP
71 |
; Variant of the PsGetCurrentProcess replacement that defers the decision to
; VidPsProcessCheckWorker (C code).  rcx = current process read via
; gs:[188h] -> [+0B8h] (presumably KPCR.CurrentThread -> KTHREAD -> process;
; these offsets are build-specific, confirm for the targeted kernel),
; rdx = the qword at [rsp+8] on entry.
; `add rsp, 8` discards this routine's own return address before `ret`, so
; control continues at what was [rsp+8] on entry — this assumes a specific
; stack layout set up by whatever jumps/calls here.
; NOTE(review): the call is made without the 32-byte shadow space and without
; 16-byte stack alignment that the x64 calling convention requires; the callee
; may write its home slots over the caller's frame.
ArchNewPsGetCurrentProcess02 PROC
    ;int 3
    mov rax, qword ptr gs:[188h]
    mov rax,qword ptr [rax+0B8h]
    mov rcx, rax
    mov rdx, qword ptr [rsp+8]
    call VidPsProcessCheckWorker
    ;mov qword ptr [rsp], rdx
    add rsp, 8
    ret
ArchNewPsGetCurrentProcess02 ENDP
83 |
; Replacement for PsGetCurrentProcess.  Returns the real current process
; (gs:[188h] -> [+0B8h], build-specific offsets) unless the current process is
; pHandleOfLiveCloudKd AND the qword at [rsp+8] (presumably a return address,
; depending on how this routine is entered) equals one of the four literal
; addresses below; in that case pHandleOfVmwp is returned instead, so the
; caller is treated as the VM worker process.
; NOTE(review): the literal addresses are specific to one kernel build and load
; address; on any other build the comparisons never match and the real
; process is returned silently, which makes failures hard to diagnose.
; The fourth compare falls through to `jne @label1` because its `je @label2`
; is commented out — the effect is the same as for the earlier compares.
ArchNewPsGetCurrentProcess PROC
    mov rax, qword ptr gs:[188h]
    mov rax,qword ptr [rax+0B8h]
    cmp rax, pHandleOfLiveCloudKd
    jne @label1
    mov rcx, [rsp+8]
    mov rdx, 0FFFFF801440D23A5h
    cmp rcx, rdx
    je @label2
    mov rdx, 0fffff801440d6847h
    cmp rcx, rdx
    je @label2
    mov rdx, 0fffff801440fb79fh
    cmp rcx, rdx
    je @label2
    mov rdx, 0fffff801440f5012h
    cmp rcx, rdx
    ;je @label2
    ; mov rdx, 0fffff801440de272h
    ; cmp rcx, rdx
    jne @label1
@label2:
    mov rax, pHandleOfVmwp
@label1:
    ret
ArchNewPsGetCurrentProcess ENDP
110 |
111 |
; Loads the current process into rax (gs:[188h] -> [+0B8h]) and then calls
; through the qword stored at 0FFFFF78000000000h, the fixed address of
; KUSER_SHARED_DATA.
; NOTE(review): the first 8 bytes of that page are treated as a function
; pointer — presumably the driver stashes the original routine there; confirm
; in hvmm.c.  The call is made without shadow space (see
; ArchNewPsGetCurrentProcess02).
ArchPsGetCurrentProcess PROC
    mov rax, qword ptr gs:[188h]
    mov rax,qword ptr [rax+0B8h]
    mov rcx, 0FFFFF78000000000h
    mov rcx, qword ptr [rcx]
    call rcx
    ret
ArchPsGetCurrentProcess ENDP
120 |
; *rdx = rcx.  With the MS x64 convention this is ArchmReplacePsGetCurrentProcess(value, destination)
; called from C — presumably used to overwrite a function pointer; confirm at the call site.
ArchmReplacePsGetCurrentProcess PROC
    mov [rdx],rcx
    ret
ArchmReplacePsGetCurrentProcess ENDP
125 |
; Software breakpoint helper: triggers int 3 so an attached kernel debugger
; breaks here, then returns.  Debug aid only.
ArchInt3 PROC
    int 3
    ret
ArchInt3 ENDP
130 |
131 | END
132 |
--------------------------------------------------------------------------------
/LiveCloudKd/LiveCloudKd.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Distr\Test\WinDBG101903x64\LiveCloudKd.exe
5 | C:\Distr\Test\WinDBG101903x64
6 | 192.168.174.132
7 | RemoteWithoutAuthentication
8 | NativeOnly
9 | C:\Distr\Test\WinDBG101903x64
10 | WindowsRemoteDebugger
11 | D:\Projects\HyperVDebug\files\LiveCloudKdSdk.dll;
12 |
13 |
14 |
15 |
16 | C:\Distr\Test\LiveCloudKd2.exe
17 | C:\Distr\Test
18 | 192.168.1.44
19 | RemoteWithoutAuthentication
20 | NativeOnly
21 | C:\Distr\Test
22 | WindowsRemoteDebugger
23 |
24 |
25 | C:\Distr\Test\WinDBG6.12\LiveCloudKd2.exe
26 | C:\Distr\Test\WinDBG6.12
27 | WindowsRemoteDebugger
28 | C:\Distr\Test\WinDBG101903x64\LiveCloudKd.exe
29 | 192.168.174.130
30 | C:\Distr\Test\WinDBG101903x64
31 | NativeOnly
32 | C:\Distr\Test\WinDBG101903x64
33 | RemoteWithoutAuthentication
34 | D:\Projects\HyperVDebug\files\LiveCloudKdSdk.dll
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/LiveCloudKd/file.c:
--------------------------------------------------------------------------------
1 | /*++
2 | Microsoft Hyper-V Virtual Machine Physical Memory Dumper
3 | Copyright (C) Matt Suiche. All rights reserved.
4 |
5 | Module Name:
6 |
7 | - file.c
8 |
9 | Abstract:
10 |
11 | - This header file contains definitions used by LiveCloudKd (2010) and open-sourced in December 2018 after
12 | collaborating with Arthur Khudyaev (@gerhart_x) to revive the project.
13 |
14 | More information can be found on the original repository: https://github.com/comaeio/LiveCloudKd
15 |
16 | Original 2010 blogpost: https://blogs.technet.microsoft.com/markrussinovich/2010/10/09/livekd-for-virtual-machine-debugging/
17 |
18 | Environment:
19 |
20 | - User mode
21 |
22 | Revision History:
23 |
24 | - Arthur Khudyaev (@gerhart_x) - 18-Apr-2019 - Add additional methods (using Microsoft winhv.sys and own hvmm.sys driver) for reading guest memory
25 | - Arthur Khudyaev (@gerhart_x) - 20-Feb-2019 - Migrate part of the code to the LiveCloudKd plugin
26 | - Arthur Khudyaev (@gerhart_x) - 26-Jan-2019 - Migration to MemProcFS/LeechCore
27 | - Matthieu Suiche (@msuiche) 11-Dec-2018 - Open-sourced LiveCloudKd in December 2018 on GitHub
28 | - Arthur Khudyaev (@gerhart_x) - 28-Oct-2018 - Add partial Windows 10 support
29 | - Matthieu Suiche (@msuiche) 09-Dec-2010 - Initial version from LiveCloudKd and presented at BlueHat 2010
30 |
31 | --*/
32 | #include "hvdd.h"
33 |
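BOOL
CreateDestinationFile(LPCWSTR Filename,
    PHANDLE Handle)
/*++

Routine Description:

    Creates (or truncates) the destination dump file and returns its handle.
    The file is opened write-only with FILE_FLAG_NO_BUFFERING, so later writes
    must be sector-aligned in both size and buffer address (Win32 rule for
    unbuffered I/O).

Arguments:

    Filename - Path of the file to create.

    Handle - Receives the file handle on success and INVALID_HANDLE_VALUE on
             failure. Must not be NULL.

Return Value:

    TRUE if the file was created, FALSE otherwise (GetLastError() holds the
    reason). The caller owns the returned handle and must CloseHandle() it.

--*/
{
    if (Handle == NULL) return FALSE;

    //
    // CreateFileW is named explicitly: Filename is a wide string, so the call
    // must not depend on whether UNICODE is defined for this translation unit.
    //
    *Handle = CreateFileW(Filename,
        GENERIC_WRITE,
        0,
        NULL,
        CREATE_ALWAYS,
        FILE_FLAG_NO_BUFFERING,
        NULL);

    //
    // Test the handle value, not the PHANDLE: the previous comparison
    // (Handle == INVALID_HANDLE_VALUE) could never be true, so a failed
    // CreateFile was reported as success.
    //
    if (*Handle == INVALID_HANDLE_VALUE) return FALSE;

    return TRUE;
}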
50 |
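BOOL
WriteFileSynchronous(
    HANDLE Handle,
    PVOID Buffer,
    ULONG NbOfBytesToWrite
    )
/*++

Routine Description:

    Writes a buffer to a file handle and reports whether every byte was
    written. If WriteFile reports ERROR_IO_PENDING (only possible for handles
    opened with FILE_FLAG_OVERLAPPED) the routine waits on the file handle in
    an alertable state until the I/O completes.

    NOTE(review): no OVERLAPPED structure is passed, so the byte count is not
    refreshed after the wait; an overlapped handle would therefore be reported
    as a failed write even when the I/O succeeded. Handles produced by
    CreateDestinationFile are not overlapped and never take that path.

Arguments:

    Handle - File handle opened for writing.

    Buffer - Data to write. For FILE_FLAG_NO_BUFFERING handles the buffer
             address and NbOfBytesToWrite must be sector-aligned.

    NbOfBytesToWrite - Number of bytes to write.

Return Value:

    TRUE if exactly NbOfBytesToWrite bytes were written, FALSE otherwise.
    A short write or a failed wait is a failure.

--*/
{
    DWORD WrittenBytes = 0;
    BOOL Ret;

    Ret = WriteFile(Handle, Buffer, NbOfBytesToWrite, &WrittenBytes, NULL);
    if ((Ret == FALSE) && (GetLastError() == ERROR_IO_PENDING))
    {
        //
        // Keep the wait status in its own DWORD. It used to be stored in the
        // BOOL result, so WAIT_FAILED (0xFFFFFFFF) was returned as "true".
        // WAIT_IO_COMPLETION only means an APC ran; keep waiting in that case.
        //
        DWORD WaitStatus;

        do
        {
            WaitStatus = WaitForSingleObjectEx(Handle, INFINITE, TRUE);
        } while (WaitStatus == WAIT_IO_COMPLETION);

        if (WaitStatus != WAIT_OBJECT_0)
        {
            return FALSE;
        }
    }

    //
    // Success is defined purely by the byte count.
    //
    return (WrittenBytes == NbOfBytesToWrite) ? TRUE : FALSE;
}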
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample/BasicExdiBreakpoint.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // BasicExdiBreakpoint.h
4 | //
5 | // A sample implementation of the IeXdiCodeBreakpoint interface used to represent
6 | // breakpoints maintained by EXDI servers.
7 | //
8 | // Copyright (c) Microsoft. All rights reserved.
9 | //
10 | //----------------------------------------------------------------------------
11 |
12 | #pragma once
13 | #include "ExdiKdSample.h"
14 |
// Private helper interface, not part of EXDI itself. Presumably the sample
// server queries a breakpoint object for this IID to map it back to the
// number it assigned - confirm against the server code.
interface DECLSPEC_UUID("8EC0B42F-9B46-4674-AC60-64105713BB35") IBasicExdiBreakpoint : public IUnknown
{
public:
    // Returns the server-assigned breakpoint number.
    virtual unsigned GetBreakpointNumber() = 0;
};
20 |
// Minimal EXDI code-breakpoint object. It only records an address and the
// number handed to Initialize(); it keeps no enabled state and no bypass
// counters, so GetAttributes reports fixed values for those.
class BasicExdiBreakpoint : public CComObjectRootEx,
    public IeXdiCodeBreakpoint3,
    public IBasicExdiBreakpoint
{
public:
    // Two-phase construction: ATL constructs the object here, the creator then
    // supplies address and number through Initialize().
    BasicExdiBreakpoint()
        : m_address(0)
        , m_breakpointNumber(0)
    {
    }

    // COM identity: reachable as IeXdiCodeBreakpoint3 (the EXDI-facing interface)
    // and as the private IBasicExdiBreakpoint.
    BEGIN_COM_MAP(BasicExdiBreakpoint)
        COM_INTERFACE_ENTRY(IeXdiCodeBreakpoint3)
        COM_INTERFACE_ENTRY(IBasicExdiBreakpoint)
    END_COM_MAP()

    // IBasicExdiBreakpoint: the number given to Initialize() (0 until then).
    virtual unsigned GetBreakpointNumber()
    {
        return m_breakpointNumber;
    }

    // Sets the breakpoint address and server-assigned number. Not a COM method;
    // no validation is performed on either value.
    void Initialize(ULONGLONG address, unsigned breakpointNumber)
    {
        m_address = address;
        m_breakpointNumber = breakpointNumber;
    }

    // Implements IeXdiCodeBreakpoint3::GetAttributes.
    // Fails with E_POINTER if any out-parameter is null. Otherwise reports the
    // stored address as a software breakpoint (cbptSW) on virtual memory
    // (mtVirtual). Exec mode and both bypass counters are always 0 and the
    // breakpoint is always reported as enabled, because no such state is kept.
    virtual HRESULT STDMETHODCALLTYPE GetAttributes(
        /* [out] */ PADDRESS_TYPE pAddress,
        /* [out] */ PCBP_KIND pcbpk,
        /* [out] */ PMEM_TYPE pmt,
        /* [out] */ DWORD *pdwExecMode,
        /* [out] */ DWORD *pdwTotalBypassCount,
        /* [out] */ DWORD *pdwBypassedOccurences,
        /* [out] */ BOOL *pfEnabled)
    {
        if (pAddress == nullptr || pcbpk == nullptr || pmt == nullptr || pdwExecMode == nullptr ||
            pdwTotalBypassCount == nullptr || pdwBypassedOccurences == nullptr || pfEnabled == nullptr)
        {
            return E_POINTER;
        }

        *pAddress = m_address;
        *pcbpk = cbptSW;
        *pmt = mtVirtual;

        *pdwExecMode = 0;
        *pdwTotalBypassCount = 0;
        *pdwBypassedOccurences = 0;
        *pfEnabled = TRUE;
        return S_OK;
    }

    // Implements IeXdiCodeBreakpoint3::SetState.
    // Enabling is a no-op that succeeds; disabling is not supported and returns
    // E_NOTIMPL. fResetBypassedOccurences is ignored since no count is kept.
    virtual HRESULT STDMETHODCALLTYPE SetState(
        /* [in] */ BOOL fEnabled,
        /* [in] */ BOOL fResetBypassedOccurences)
    {
        UNREFERENCED_PARAMETER(fResetBypassedOccurences);

        if (!fEnabled)
        {
            return E_NOTIMPL;
        }

        return S_OK;
    }

private:
    ULONGLONG m_address;          // breakpoint address reported by GetAttributes
    unsigned m_breakpointNumber;  // server-assigned number reported by GetBreakpointNumber
};
--------------------------------------------------------------------------------
/LiveCloudKd/LiveCloudKd.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27703.2018
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LiveCloudKd", "LiveCloudKd.vcxproj", "{92504F8B-8817-49A7-89D3-7DF94E485FB4}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Debug2016|ARM = Debug2016|ARM
15 | Debug2016|ARM64 = Debug2016|ARM64
16 | Debug2016|x64 = Debug2016|x64
17 | Debug2016|x86 = Debug2016|x86
18 | Release|ARM = Release|ARM
19 | Release|ARM64 = Release|ARM64
20 | Release|x64 = Release|x64
21 | Release|x86 = Release|x86
22 | EndGlobalSection
23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
24 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|ARM.ActiveCfg = Debug|Win32
25 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|ARM64.ActiveCfg = Debug|Win32
26 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|x64.ActiveCfg = Debug|x64
27 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|x64.Build.0 = Debug|x64
28 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|x64.Deploy.0 = Debug|x64
29 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|x86.ActiveCfg = Debug|Win32
30 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug|x86.Build.0 = Debug|Win32
31 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|ARM.ActiveCfg = Debug2016|Win32
32 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|ARM64.ActiveCfg = Debug2016|Win32
33 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|x64.ActiveCfg = Debug2016|x64
34 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|x64.Build.0 = Debug2016|x64
35 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|x64.Deploy.0 = Debug2016|x64
36 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|x86.ActiveCfg = Debug2016|Win32
37 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Debug2016|x86.Build.0 = Debug2016|Win32
38 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|ARM.ActiveCfg = Release|Win32
39 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|ARM64.ActiveCfg = Release|Win32
40 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|x64.ActiveCfg = Release|x64
41 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|x64.Build.0 = Release|x64
42 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|x64.Deploy.0 = Release|x64
43 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|x86.ActiveCfg = Release|Win32
44 | {92504F8B-8817-49A7-89D3-7DF94E485FB4}.Release|x86.Build.0 = Release|Win32
45 | EndGlobalSection
46 | GlobalSection(SolutionProperties) = preSolution
47 | HideSolutionNode = FALSE
48 | EndGlobalSection
49 | GlobalSection(ExtensibilityGlobals) = postSolution
50 | SolutionGuid = {1C9086E4-DFC1-4BD6-9C59-D3108D239908}
51 | EndGlobalSection
52 | EndGlobal
53 |
--------------------------------------------------------------------------------
/hvmm/hvmm.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27703.2018
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hvmm", "hvmm\hvmm.vcxproj", "{B277739E-4630-4282-8229-53CDCD176655}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|ARM = Release|ARM
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM.ActiveCfg = Debug|ARM
21 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM.Build.0 = Debug|ARM
22 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM.Deploy.0 = Debug|ARM
23 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM64.Build.0 = Debug|ARM64
25 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x64.ActiveCfg = Debug|x64
27 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x64.Build.0 = Debug|x64
28 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x64.Deploy.0 = Debug|x64
29 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x86.ActiveCfg = Debug|Win32
30 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x86.Build.0 = Debug|Win32
31 | {B277739E-4630-4282-8229-53CDCD176655}.Debug|x86.Deploy.0 = Debug|Win32
32 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM.ActiveCfg = Release|ARM
33 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM.Build.0 = Release|ARM
34 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM.Deploy.0 = Release|ARM
35 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM64.ActiveCfg = Release|ARM64
36 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM64.Build.0 = Release|ARM64
37 | {B277739E-4630-4282-8229-53CDCD176655}.Release|ARM64.Deploy.0 = Release|ARM64
38 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x64.ActiveCfg = Release|x64
39 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x64.Build.0 = Release|x64
40 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x64.Deploy.0 = Release|x64
41 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x86.ActiveCfg = Release|Win32
42 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x86.Build.0 = Release|Win32
43 | {B277739E-4630-4282-8229-53CDCD176655}.Release|x86.Deploy.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {32BFED71-B486-48C9-BF4F-2D706124B971}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/LiveCloudKd/LiveCloudKd.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {03b94e68-4d08-4a5c-8f49-e5779cf6ba31}
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files\HyperV
41 |
42 |
43 | Header Files\HyperV
44 |
45 |
46 | Header Files\HyperV
47 |
48 |
49 | Header Files
50 |
51 |
52 | Header Files
53 |
54 |
55 |
56 |
57 | Source Files
58 |
59 |
60 | Source Files
61 |
62 |
63 | Source Files
64 |
65 |
66 | Source Files
67 |
68 |
69 | Source Files
70 |
71 |
72 | Source Files
73 |
74 |
75 |
--------------------------------------------------------------------------------
/ExdiKdSample/ExdiKdSample.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KdControllerLib", "KdControllerLib\KdControllerLib.vcxproj", "{F864C8F4-8773-4B37-8DD9-E48514D3733B}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExdiKdSample", "ExdiKdSample\ExdiKdSample.vcxproj", "{96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Debug|Win32.Build.0 = Debug|Win32
18 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Debug|Win32.Deploy.0 = Debug|Win32
19 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Debug|x64.ActiveCfg = Debug|x64
20 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Debug|x64.Build.0 = Debug|x64
21 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Release|Win32.ActiveCfg = Release|Win32
22 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Release|Win32.Build.0 = Release|Win32
23 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Release|Win32.Deploy.0 = Release|Win32
24 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Release|x64.ActiveCfg = Release|x64
25 | {F864C8F4-8773-4B37-8DD9-E48514D3733B}.Release|x64.Build.0 = Release|x64
26 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Debug|Win32.ActiveCfg = Debug|Win32
27 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Debug|Win32.Build.0 = Debug|Win32
28 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Debug|Win32.Deploy.0 = Debug|Win32
29 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Debug|x64.ActiveCfg = Debug|x64
30 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Debug|x64.Build.0 = Debug|x64
31 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Release|Win32.ActiveCfg = Release|Win32
32 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Release|Win32.Build.0 = Release|Win32
33 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Release|Win32.Deploy.0 = Release|Win32
34 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Release|x64.ActiveCfg = Release|x64
35 | {96C3D2FC-5BE0-4B23-B8BD-50C33B6CFA34}.Release|x64.Build.0 = Release|x64
36 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Debug|Win32.ActiveCfg = Debug|Win32
37 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Debug|Win32.Build.0 = Debug|Win32
38 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Debug|Win32.Deploy.0 = Debug|Win32
39 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Debug|x64.ActiveCfg = Debug|Win32
40 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Release|Win32.ActiveCfg = Release|Win32
41 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Release|Win32.Build.0 = Release|Win32
42 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Release|Win32.Deploy.0 = Release|Win32
43 | {CECA0D2D-EA3A-4C65-B96A-AF3F1271F8D0}.Release|x64.ActiveCfg = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | EndGlobal
49 |
--------------------------------------------------------------------------------
/leechcore_device_hvmm/leechcore_device_hvmm.h:
--------------------------------------------------------------------------------
1 | // device_hvmm.h : definitions related the Hyper-V live memory diving.
2 | //
3 | // (c) Ulf Frisk, 2018
4 | // Author: Ulf Frisk, pcileech@frizk.net
5 | //
6 | // (c) Arthur Khudyaev, 2020
7 | // Author: Arthur Khudyaev, @gerhart_x
8 | //
9 |
10 | #ifndef __DEVICE_HVMM_H__
11 | #define __DEVICE_HVMM_H__
12 | #include "HvlibHandle.h"
13 | #include
14 | #include "leechcore_device.h"
15 | #include "conio.h"
16 | #include "shlwapi.h"
17 |
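//
// The number of runs may vary if Dynamic Memory is enabled inside the Hyper-V virtual machine.
// MAX_NUMBER_OF_RUNS is the capacity of the fixed-size run table in
// PmemMemoryInfo, derived from MAX_NUMBER_OF_RUNS_BYTES (LiveCloudKdSdkMisc.h)
// so the two stay in step. The expansion is parenthesised so the macro acts as
// a single value inside larger expressions; unparenthesised,
// "x / MAX_NUMBER_OF_RUNS" expanded to "x / MAX_NUMBER_OF_RUNS_BYTES / sizeof(...)".
//

#define MAX_NUMBER_OF_RUNS (MAX_NUMBER_OF_RUNS_BYTES / sizeof(PHYSICAL_MEMORY_RANGE)) //correlation with MAX_NUMBER_OF_RUNS_BYTES from LiveCloudKdSdkMisc.h

// Presumably the page count for a single probe; its use is not visible in this header.
#define HVMM_PROBE_MAXPAGES 0x1

//
// hvmm driver definitions
//

#define DEVICEHVMM_SERVICENAME "hvmm"      // service name of the driver
#define DEVICEHVMM_OBJECT "\\\\.\\hvmm"    // Win32 device path (\\.\hvmm) used to open the driver
#define DEVICEHVMM_DRIVERFILE "hvmm.sys"   // driver image file name

//
// MemProcFs param values
//
// Tokens of the LeechCore device string: the "hvmm://" prefix, a ","-separated
// option list and the option names below (their handling is in the device code,
// not visible here).
//

#define HVMM_ID_PARAM_NAME "id="
#define HVMM_PARAM_NAME "hvmm://"
#define HVMM_PARAM_DELIMITER ","

#define HVMM_LISTVM_PARAM_NAME "listvm"
#define HVMM_UNIX_PARAM_NAME "unix"
#define HVMM_LOGLEVEL_PARAM_NAME "loglevel"
#define HVMM_ENUM_GUEST_OS_BUILD_PARAM_NAME "enumguestosbuild"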
46 |
// One contiguous run of guest physical memory. start/length are presumably
// both byte quantities - confirm against the producer (hvmm driver / SDK).
// sizeof(PHYSICAL_MEMORY_RANGE) is used by MAX_NUMBER_OF_RUNS above.
typedef struct pmem_info_runs {
    __int64 start;
    __int64 length;
} PHYSICAL_MEMORY_RANGE;
51 |
// Guest kernel landmarks plus the physical memory run table for one partition.
// Field names mirror the kernel globals they are named after; which component
// fills them in is not visible in this header.
// NOTE(review): the layout, including Padding[0xfe] in front of NumberOfRuns,
// is presumably shared with the hvmm driver / LiveCloudKdSdk - do not reorder
// or resize fields without changing the producer as well.
struct PmemMemoryInfo {
    LARGE_INTEGER CR3;
    LARGE_INTEGER NtBuildNumber;
    LARGE_INTEGER KernBase;
    LARGE_INTEGER KDBG;
    LARGE_INTEGER KPCR[MAX_PROCESSORS];   // one entry per processor; MAX_PROCESSORS comes from an included header
    LARGE_INTEGER PfnDataBase;
    LARGE_INTEGER PsLoadedModuleList;
    LARGE_INTEGER PsActiveProcessHead;
    LARGE_INTEGER NtBuildNumberAddr;      // address of the NtBuildNumber variable, as opposed to its value above (presumably)
    LARGE_INTEGER Padding[0xfe];          // reserved; keeps the run table at a fixed offset
    LARGE_INTEGER NumberOfRuns;           // number of valid entries in Run[]
    PHYSICAL_MEMORY_RANGE Run[MAX_NUMBER_OF_RUNS];
};
66 |
// Per-device state for the hvmm LeechCore backend. Several members correspond
// to the device-string options named by the HVMM_*_PARAM_NAME macros above;
// presumably HVMMStart fills them in while parsing - confirm there.
typedef struct tdDEVICE_CONTEXT_HVMM {
    HANDLE hFile;                      // handle to the hvmm device (presumably opened via DEVICEHVMM_OBJECT)
    ULONG64 Partition;                 // partition handle handed to HVMM_ReadFile / HVMM_WriteFile (presumably)
    QWORD paMax;                       // highest physical address exposed to LeechCore (presumably)
    ULONG Vmid;                        // selected VM id ("id=" option)
    BOOLEAN VmidPreselected;           // TRUE when the id was supplied rather than chosen later (presumably)
    BOOLEAN ListVm;                    // "listvm" option
    BOOLEAN SimpleMemory;
    ULONG LogLevel;                    // "loglevel" option
    BOOLEAN EnumGuestOsBuild;          // "enumguestosbuild" option
    BOOLEAN RemoteMode;
    LPWSTR szVmNamesList;              // VM name list; allocation/ownership not visible here
    struct PmemMemoryInfo MemoryInfo;  // landmarks and run table of the selected partition
} DEVICE_CONTEXT_HVMM, *PDEVICE_CONTEXT_HVMM;
81 |
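/*
 * Open a "connection" to the Hyper-V partition described by the LeechCore
 * context (device string and DEVICE_CONTEXT_HVMM).
 * -- ctxLC = LeechCore context; updated in place (_Inout_).
 * -- return = TRUE on success, FALSE otherwise.
 */
BOOL HVMMStart(_Inout_ PLC_CONTEXT ctxLC);

/*
 * Read guest physical memory from a partition.
 * -- PartitionHandle = partition handle (presumably the one stored in
 *    DEVICE_CONTEXT_HVMM.Partition).
 * -- StartPosition = guest physical address to start at (presumably).
 * -- lpBuffer = caller-supplied buffer of at least nNumberOfBytesToRead bytes.
 * -- nNumberOfBytesToRead = number of bytes to read.
 * -- return = TRUE on success.
 */
BOOLEAN HVMM_ReadFile(
    ULONG64 PartitionHandle,
    UINT64 StartPosition,
    PVOID lpBuffer,
    UINT64 nNumberOfBytesToRead
);

/*
 * Write guest physical memory of a partition. This modifies the running guest;
 * the caller is responsible for the range it writes.
 * -- PartitionHandle = partition handle, as for HVMM_ReadFile.
 * -- StartPosition = guest physical address to start at (presumably).
 * -- lpBuffer = data to write.
 * -- nNumberOfBytesToWrite = number of bytes to write (the parameter was
 *    previously named nNumberOfBytesToRead, which misdescribed a write).
 * -- return = TRUE on success.
 */
BOOLEAN HVMM_WriteFile(
    ULONG64 PartitionHandle,
    UINT64 StartPosition,
    PVOID lpBuffer,
    UINT64 nNumberOfBytesToWrite
);

/*
 * Check whether str (len characters) consists of decimal digits - inferred
 * from the name; confirm against the definition.
 * -- ctxLC = LeechCore context (presumably for logging).
 * -- str = characters to test.
 * -- len = number of characters to test.
 * -- return = TRUE if the check passes.
 */
BOOL IsDigital(PLC_CONTEXT ctxLC, PCHAR str, ULONG64 len);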
103 |
104 | #endif
--------------------------------------------------------------------------------
/ExdiKdSample/KdControllerLib/KDController.h:
--------------------------------------------------------------------------------
1 | //----------------------------------------------------------------------------
2 | //
3 | // KDController.cpp
4 | //
5 | // A class that runs KD.EXE and sends commands to it.
6 | //
7 | // Copyright (c) Microsoft. All rights reserved.
8 | //
9 | //----------------------------------------------------------------------------
10 | #pragma once
11 | #include "BufferedStreamReader.h"
12 | #include
13 | #include