├── core ├── vmx.h ├── vt.c ├── config.h ├── comio.h ├── i386 │ ├── common-asm.S │ ├── io-asm.S │ ├── reg-asm.S │ └── vmx-asm.S ├── vmhandlers.h ├── network.h ├── asm-offset.c ├── idt.h ├── debug.h ├── linux.h ├── process.h ├── common.h ├── vmmstring.h ├── ept.h ├── network.c ├── pill_common.c ├── types.h ├── pill.h ├── process.c ├── idt.c ├── common.c ├── vt.h ├── events.h ├── mmu.h ├── comio.c ├── msr.h ├── x86.c └── pill_linux.c ├── hyperdbg ├── tools │ ├── hypergui │ │ ├── hypergui.rc │ │ ├── hyperdbg.ico │ │ ├── sources │ │ ├── makefile │ │ ├── loader.h │ │ ├── common.h │ │ ├── types.h │ │ ├── common.c │ │ └── loader.c │ └── symbol2c.py ├── font_256.h ├── scancode.h ├── pager.h ├── pci.h ├── hyperdbg_guest.h ├── hyperdbg_host.h ├── hyperdbg.h ├── symsearch.h ├── syms.h ├── gui.h ├── xpvideo.h ├── sw_bp.h ├── keyboard.h ├── hyperdbg_cmd.h ├── hyperdbg_common.h ├── video.h ├── hyperdbg_guest.c ├── symsearch.c ├── hyperdbg_print.h ├── sw_bp.c ├── pager.c └── scancode.c ├── libudis86 ├── udis86.h ├── syn.h ├── input.h ├── syn.c ├── extern.h ├── udis86.c ├── syn-att.c ├── syn-intel.c ├── ltypes.h └── input.c ├── docs ├── CREDITS ├── README └── INSTALL ├── Kbuild ├── Makefile.linux └── Makefile.windows /core/vmx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rmusser01/hyperdbg/HEAD/core/vmx.h -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/hypergui.rc: -------------------------------------------------------------------------------- 1 | LANGUAGE 0, 0 2 | 128 ICON "hyperdbg.ico" 3 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/hyperdbg.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rmusser01/hyperdbg/HEAD/hyperdbg/tools/hypergui/hyperdbg.ico -------------------------------------------------------------------------------- /hyperdbg/font_256.h: -------------------------------------------------------------------------------- 1 | #ifndef _FONT_256_H 2 | #define _FONT_256_H 3 | 4 | #include 5 | 6 | extern Bit8u font_data[]; 7 | 8 | #endif /* _FONT_256_H */ 9 | -------------------------------------------------------------------------------- /libudis86/udis86.h: -------------------------------------------------------------------------------- 1 | #ifndef UDIS86 2 | #define UDIS86 3 | 4 | extern "C" { 5 | #include "ltypes.h" 6 | #include "input.h" 7 | #include "itab.h" 8 | #include "decode.h" 9 | #include "extern.h" 10 | }; 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME=hypergui 2 | TARGETPATH=bin 3 | TARGETTYPE=PROGRAM 4 | UMTYPE=windows 5 | USE_LIBCMT=1 6 | USE_MSVCRT=1 7 | TARGETLIBS= \ 8 | $(SDK_LIB_PATH)\shell32.lib 9 | 10 | SOURCES=common.c loader.c hypergui.c hypergui.rc 11 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of NT OS/2 5 | # 6 | ! INCLUDE $(NTMAKEENV)\makefile.def 7 | 8 | 9 | -------------------------------------------------------------------------------- /libudis86/syn.h: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * syn.h 3 | * 4 | * Copyright (c) 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | #ifndef UD_SYN_H 9 | #define UD_SYN_H 10 | 11 | /* #include */ 12 | #include "vmmstring.h" 13 | #include 14 | #include "ltypes.h" 15 | 16 | extern const char* ud_reg_tab[]; 17 | 18 | static void mkasm(struct ud* u, const char* fmt, ...) 19 | { 20 | va_list ap; 21 | va_start(ap, fmt); 22 | u->insn_fill += vmm_vsnprintf((char*) u->insn_buffer + u->insn_fill, 64, fmt, ap); 23 | va_end(ap); 24 | } 25 | 26 | #endif 27 | -------------------------------------------------------------------------------- /docs/CREDITS: -------------------------------------------------------------------------------- 1 | HyperDbg and the hardware-assisted virtual machine monitor are developed by: 2 | 3 | Aristide Fattori 4 | Lorenzo Martignoni 5 | Roberto Paleari 6 | 7 | The minimalistic hypervisor is inspired by Joanna Rutkowska's bluepill[1] and 8 | Shawn Embleton's virtual machine monitor[2]. 9 | 10 | The x86 disassembler embedded into HyperDbg is based on the udis86 library, 11 | authored and maintained by Vivek Thampi[3]. 12 | 13 | The version of the snprintf() and vsnprintf() we use has been developed by 14 | Patrick Powell . 15 | 16 | The font used in the GUI has been created by Droids Corporation[4]. 17 | 18 | The icon was designed by filischi[5]. 19 | 20 | References: 21 | 22 | [1] http://invisiblethingslab.com/ 23 | [2] https://www.rootkit.com/newsread.php?newsid=758 24 | [3] http://udis86.sourceforge.net/ 25 | [4] http://www.droids-corp.org/ 26 | [5] http://filischi.blogspot.com 27 | 28 | -------------------------------------------------------------------------------- /core/vt.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "vt.h" 26 | 27 | struct CPU_CONTEXT context; 28 | -------------------------------------------------------------------------------- /hyperdbg/scancode.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _SCANCODE_H 26 | #define _SCANCODE_H 27 | 28 | extern char scancodes_map[255]; 29 | 30 | void init_scancodes_map(void); 31 | 32 | #endif /* _SCANCODE_H */ 33 | -------------------------------------------------------------------------------- /hyperdbg/pager.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PAGER_H 26 | #define _PAGER_H 27 | 28 | #include "types.h" 29 | 30 | void PagerLoop(Bit32u color); 31 | hvm_bool PagerAddLine(Bit8u *line); 32 | 33 | #endif /* _PAGER_H */ 34 | 35 | -------------------------------------------------------------------------------- /hyperdbg/pci.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PCI_H 26 | #define _PCI_H 27 | 28 | #include "hyperdbg.h" 29 | 30 | void PCIInit(void); 31 | hvm_status PCIDetectDisplay(hvm_address* pdisplay_address); 32 | 33 | #endif /* _PCI_H */ 34 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_guest.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_GUEST_H 26 | #define _HYPERDBG_GUEST_H 27 | 28 | #include "hyperdbg.h" 29 | 30 | hvm_status HyperDbgGuestInit(void); 31 | hvm_status HyperDbgGuestFini(void); 32 | 33 | #endif /* _HYPERDBG_GUEST_H */ 34 | -------------------------------------------------------------------------------- /core/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _CONFIG_H 26 | #define _CONFIG_H 27 | 28 | /* Comment out the following line to disable debugging */ 29 | #define DEBUG 30 | 31 | /* Stack area reserved to the HVM */ 32 | #define VMM_STACK_SIZE 0x8000 33 | 34 | #endif /* _CONFIG_H */ 35 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_host.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_HOST_H 26 | #define _HYPERDBG_HOST_H 27 | 28 | #include "hyperdbg.h" 29 | #include "events.h" 30 | 31 | hvm_status HyperDbgHostInit(void); 32 | hvm_status HyperDbgHostFini(void); 33 | 34 | #endif /* _HYPERDBG_HOST_H */ 35 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/loader.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _LOADER_H 26 | #define _LOADER_H 27 | 28 | #include 29 | 30 | DWORD LoaderLoadDriver(VOID); 31 | DWORD LoaderRemoveDriver(VOID); 32 | BOOL LoaderInit(VOID); 33 | BOOL LoaderFini(VOID); 34 | 35 | #endif /* _LOADER_H */ 36 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_H 26 | #define _HYPERDBG_H 27 | 28 | #ifndef HYPERDBG_VERSION 29 | #define HYPERDBG_VERSION "20100325" 30 | #endif 31 | 32 | #define HYPERDBG_URL "http://code.google.com/p/hyperdbg/" 33 | 34 | #include "types.h" 35 | 36 | #endif /* _HYPERDBG_H */ 37 | -------------------------------------------------------------------------------- /hyperdbg/symsearch.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _SYMSEARCH_H 26 | #define _SYMSEARCH_H 27 | 28 | #include "hyperdbg.h" 29 | #include "syms.h" 30 | 31 | PSYMBOL SymbolGetFromAddress(hvm_address); 32 | PSYMBOL SymbolGetNearest(hvm_address); 33 | PSYMBOL SymbolGetFromName(Bit8u*); 34 | 35 | #endif /* _SYMSEARCH_H */ 36 | -------------------------------------------------------------------------------- /hyperdbg/syms.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _SYMS_H 26 | #define _SYMS_H 27 | 28 | #include "hyperdbg_common.h" 29 | 30 | typedef struct _SYMBOL { 31 | unsigned char* name; 32 | hvm_address addr; 33 | } SYMBOL, *PSYMBOL; 34 | 35 | extern SYMBOL syms[]; /* Symbols array */ 36 | extern const Bit32u NOS; /* Number of symbols */ 37 | 38 | #endif /* _SYMS_H */ 39 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/common.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _COMMON_H 26 | #define _COMMON_H 27 | 28 | #include 29 | #include 30 | #include 31 | 32 | #define HYPERDBG_SERVICE_NAME "HyperDbg" 33 | #define HYPERDBG_DRIVER_FILENAME "hyperdbg.sys" 34 | 35 | #define debug(f, ...) fprintf(stderr, f "\n", __VA_ARGS__) 36 | 37 | VOID ShowError(const char *msg, ...); 38 | VOID LogMessage(const char *fmt, ...); 39 | 40 | #endif /* _COMMON_H */ 41 | -------------------------------------------------------------------------------- /hyperdbg/gui.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _GUI_H 26 | #define _GUI_H 27 | 28 | #include "hyperdbg.h" 29 | #include "video.h" 30 | 31 | extern Bit8u out_matrix[OUT_SIZE_Y][OUT_SIZE_X]; 32 | 33 | void VideoUpdateShell(Bit8u* buffer); 34 | void VideoInitShell(void); 35 | void VideoDrawFrame(void); 36 | void VideoPrintHeader(void); 37 | void VideoResetOutMatrix(void); 38 | void VideoResetOutMatrixCache(void); 39 | void VideoRefreshOutArea(unsigned int); 40 | 41 | #endif /* _GUI_H */ 42 | -------------------------------------------------------------------------------- /libudis86/input.h: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * input.h 3 | * 4 | * Copyright (c) 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | #ifndef UD_INPUT_H 9 | #define UD_INPUT_H 10 | 11 | #include "ltypes.h" 12 | #include 13 | 14 | uint8_t inp_next(struct ud*); 15 | uint8_t inp_peek(struct ud*); 16 | uint8_t inp_uint8(struct ud*); 17 | uint16_t inp_uint16(struct ud*); 18 | uint32_t inp_uint32(struct ud*); 19 | uint64_t inp_uint64(struct ud*); 20 | void inp_move(struct ud*, size_t); 21 | void inp_back(struct ud*); 22 | 23 | /* inp_init() - Initializes the input system. */ 24 | #define inp_init(u) \ 25 | do { \ 26 | u->inp_curr = 0; \ 27 | u->inp_fill = 0; \ 28 | u->inp_ctr = 0; \ 29 | u->inp_end = 0; \ 30 | } while (0) 31 | 32 | /* inp_start() - Should be called before each de-code operation. */ 33 | #define inp_start(u) u->inp_ctr = 0 34 | 35 | /* inp_back() - Resets the current pointer to its position before the current 36 | * instruction disassembly was started. 37 | */ 38 | #define inp_reset(u) \ 39 | do { \ 40 | u->inp_curr -= u->inp_ctr; \ 41 | u->inp_ctr = 0; \ 42 | } while (0) 43 | 44 | /* inp_sess() - Returns the pointer to current session. */ 45 | #define inp_sess(u) (u->inp_sess) 46 | 47 | /* inp_cur() - Returns the current input byte. */ 48 | #define inp_curr(u) ((u)->inp_cache[(u)->inp_curr]) 49 | 50 | #endif 51 | -------------------------------------------------------------------------------- /core/comio.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PILL_COMIO_H 26 | #define _PILL_COMIO_H 27 | 28 | #define COM_PORT_IRQ 0x004 29 | #define COM_PORT_ADDRESS 0x3f8 30 | 31 | #include "common.h" 32 | #include "types.h" 33 | 34 | /* COM level communication */ 35 | void ComInit(void); 36 | void ComPrint(const char* fmt, ...) asm("_ComPrint"); 37 | Bit8u ComIsInitialized(void); 38 | 39 | /* Hardware port level communication */ 40 | void PortInit(void); 41 | void PortSendByte(Bit8u b); 42 | Bit8u PortRecvByte(void); 43 | 44 | #endif /* _PILL_COMIO_H */ 45 | -------------------------------------------------------------------------------- /hyperdbg/xpvideo.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Jon Larimer 7 | Lorenzo Martignoni 8 | Roberto Paleari 9 | Aristide Fattori 10 | Mattia Pagnozzi 11 | 12 | This program is free software: you can redistribute it and/or modify it under 13 | the terms of the GNU General Public License as published by the Free Software 14 | Foundation, either version 3 of the License, or (at your option) any later 15 | version. 16 | 17 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 18 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 19 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 20 | 21 | You should have received a copy of the GNU General Public License along with 22 | this program. If not, see . 23 | 24 | */ 25 | 26 | /* xpvideo.h 27 | * 28 | * Routines for detecting resolution and video adapter framebuffer address in Window XP 29 | * 30 | * Jon Larimer 31 | * June 8, 2010 32 | * 33 | */ 34 | 35 | #ifdef XPVIDEO 36 | 37 | #ifndef _XPVIDEO_H 38 | #define _XPVIDEO_H 39 | 40 | #include "hyperdbg.h" 41 | 42 | /* Get XP display info using top secret undocumented and very hacky techniques */ 43 | hvm_status XpVideoGetWindowsXPDisplayData(hvm_address *addr, Bit32u *framebuffer_size, Bit32u *width, Bit32u *height, Bit32u *stride); 44 | 45 | #endif /* _XPVIDEO_H */ 46 | 47 | #endif 48 | -------------------------------------------------------------------------------- /hyperdbg/sw_bp.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _SW_BP_H 26 | #define _SW_BP_H 27 | 28 | #include "hyperdbg.h" 29 | #include "hyperdbg_print.h" 30 | #include "hyperdbg_common.h" 31 | 32 | hvm_address SwBreakpointSet(hvm_address cr3, hvm_address address, hvm_bool isPerm, hvm_bool isCr3Dipendent); 33 | hvm_bool SwBreakpointGetBPInfo(hvm_address cr3, hvm_address address, hvm_bool *isCr3Dipendent, hvm_bool *isPerm, hvm_address *ours_cr3); 34 | hvm_bool SwBreakpointDelete(hvm_address cr3, hvm_address address); 35 | hvm_bool SwBreakpointDeletePerm(hvm_address cr3, hvm_address address); 36 | hvm_bool SwBreakpointDeleteById(Bit32u id); 37 | void SwBreakpointGetBPList(PCMD_RESULT result); 38 | #endif 39 | -------------------------------------------------------------------------------- /core/i386/common-asm.S: -------------------------------------------------------------------------------- 1 | // Copyright notice 2 | // ================ 3 | // 4 | // Copyright (C) 2010 5 | // Lorenzo Martignoni 6 | // Roberto Paleari 7 | // Aristide Fattori 8 | // 9 | // This program is free software: you can redistribute it and/or modify it under 10 | // the terms of the GNU General Public License as published by the Free Software 11 | // Foundation, either version 3 of the License, or (at your option) any later 12 | // version. 13 | // 14 | // HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 15 | // WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 16 | // A PARTICULAR PURPOSE. See the GNU General Public License for more details. 17 | // 18 | // You should have received a copy of the GNU General Public License along with 19 | // this program. If not, see . 20 | // 21 | 22 | .text 23 | .globl _CmInitSpinLock, _CmAcquireSpinLock, _CmReleaseSpinLock 24 | .globl CmInitSpinLock, CmAcquireSpinLock, CmReleaseSpinLock 25 | 26 | CmInitSpinLock: 27 | _CmInitSpinLock: 28 | pushl %ebp 29 | movl %esp,%ebp 30 | pushl %eax 31 | movl 0x8(%ebp), %eax /* lck */ 32 | andl $0, (%eax) 33 | popl %eax 34 | leave 35 | ret 36 | 37 | CmAcquireSpinLock: 38 | _CmAcquireSpinLock: 39 | pushl %ebp 40 | movl %esp,%ebp 41 | pushl %eax 42 | movl 0x8(%ebp),%eax /* lck */ 43 | do_lock: 44 | lock btsl $0,(%eax) 45 | jc do_lock 46 | popl %eax 47 | leave 48 | ret 49 | 50 | CmReleaseSpinLock: 51 | _CmReleaseSpinLock: 52 | pushl %ebp 53 | movl %esp,%ebp 54 | pushl %eax 55 | movl 0x8(%ebp),%eax /* lck */ 56 | lock btrl $0,(%eax) 57 | popl %eax 58 | leave 59 | ret 60 | -------------------------------------------------------------------------------- /core/vmhandlers.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _VMHANDLERS_H 26 | #define _VMHANDLERS_H 27 | 28 | #include "vt.h" 29 | #include "events.h" 30 | 31 | void HandleVMCALL(void); 32 | void HandleVMLAUNCH(void); 33 | void HandleNMI(Bit32u trap, Bit32u error_code, Bit32u qualification); 34 | void HandleIO(Bit16u port, hvm_bool isoutput, Bit8u size, hvm_bool isstring, hvm_bool isrep); 35 | void HandleCR(Bit8u crno, VtCrAccessType accesstype, hvm_bool ismemory, VtRegister gpr); 36 | void HandleHLT(void); 37 | 38 | #ifdef ENABLE_EPT 39 | void HandleEPTViolation(hvm_address guest_linear, hvm_address guest_phy, hvm_bool is_linear_valid, Bit8u attempt_type, hvm_bool in_page_walk, hvm_bool fill_an_entry); 40 | #endif 41 | 42 | EVENT_PUBLISH_STATUS HypercallSwitchOff(PEVENT_ARGUMENTS args); 43 | 44 | #endif /* _VMHANDLERS_H */ 45 | -------------------------------------------------------------------------------- /core/network.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _NETWORK_H 26 | #define _NETWORK_H 27 | 28 | #include "types.h" 29 | 30 | Bit16u vmm_ntohs(Bit16u v); 31 | Bit32u vmm_ntohl(Bit32u v); 32 | 33 | void inet_ntoa(Bit32u a, char *destination_buffer); 34 | void inet_ntoa_v6(Bit16u *a, char *internal_buffer); 35 | 36 | typedef enum { 37 | SocketStateUnknown = 0, 38 | SocketStateListen, 39 | SocketStateEstablished, 40 | } SOCKET_STATE; 41 | 42 | typedef struct _SOCKET { 43 | SOCKET_STATE state; 44 | Bit32u remote_ip; 45 | Bit32u local_ip; 46 | Bit16u remote_port; 47 | Bit16u local_port; 48 | Bit32u pid; 49 | Bit16u protocol; 50 | Bit16u local_ipv6[8]; 51 | Bit16u remote_ipv6[8]; 52 | } SOCKET; 53 | 54 | hvm_status NetworkBuildSocketList(hvm_address cr3, SOCKET *buf, Bit32u maxsize, Bit32u *psize); 55 | 56 | #endif /* _NETWORK_H */ 57 | -------------------------------------------------------------------------------- /libudis86/syn.c: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * syn.c 3 | * 4 | * Copyright (c) 2002, 2003, 2004 Vivek Mohan 5 | * All rights reserved. See (LICENSE) 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | 9 | /* ----------------------------------------------------------------------------- 10 | * Intel Register Table - Order Matters (types.h)! 11 | * ----------------------------------------------------------------------------- 12 | */ 13 | const char* ud_reg_tab[] = 14 | { 15 | "al", "cl", "dl", "bl", 16 | "ah", "ch", "dh", "bh", 17 | "spl", "bpl", "sil", "dil", 18 | "r8b", "r9b", "r10b", "r11b", 19 | "r12b", "r13b", "r14b", "r15b", 20 | 21 | "ax", "cx", "dx", "bx", 22 | "sp", "bp", "si", "di", 23 | "r8w", "r9w", "r10w", "r11w", 24 | "r12w", "r13W" , "r14w", "r15w", 25 | 26 | "eax", "ecx", "edx", "ebx", 27 | "esp", "ebp", "esi", "edi", 28 | "r8d", "r9d", "r10d", "r11d", 29 | "r12d", "r13d", "r14d", "r15d", 30 | 31 | "rax", "rcx", "rdx", "rbx", 32 | "rsp", "rbp", "rsi", "rdi", 33 | "r8", "r9", "r10", "r11", 34 | "r12", "r13", "r14", "r15", 35 | 36 | "es", "cs", "ss", "ds", 37 | "fs", "gs", 38 | 39 | "cr0", "cr1", "cr2", "cr3", 40 | "cr4", "cr5", "cr6", "cr7", 41 | "cr8", "cr9", "cr10", "cr11", 42 | "cr12", "cr13", "cr14", "cr15", 43 | 44 | "dr0", "dr1", "dr2", "dr3", 45 | "dr4", "dr5", "dr6", "dr7", 46 | "dr8", "dr9", "dr10", "dr11", 47 | "dr12", "dr13", "dr14", "dr15", 48 | 49 | "mm0", "mm1", "mm2", "mm3", 50 | "mm4", "mm5", "mm6", "mm7", 51 | 52 | "st0", "st1", "st2", "st3", 53 | "st4", "st5", "st6", "st7", 54 | 55 | "xmm0", "xmm1", "xmm2", "xmm3", 56 | "xmm4", "xmm5", "xmm6", "xmm7", 57 | "xmm8", "xmm9", "xmm10", "xmm11", 58 | "xmm12", "xmm13", "xmm14", "xmm15", 59 | 60 | "rip" 61 | }; 62 | -------------------------------------------------------------------------------- /libudis86/extern.h: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * extern.h 3 | * 4 | * Copyright (c) 2004, 2005, 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | #ifndef UD_EXTERN_H 9 | #define UD_EXTERN_H 10 | 11 | #ifdef __cplusplus 12 | extern "C" { 13 | #endif 14 | 15 | /* #include */ 16 | #include "ltypes.h" 17 | #include 18 | 19 | /* ============================= PUBLIC API ================================= */ 20 | 21 | extern void ud_init(struct ud*); 22 | 23 | extern void ud_set_mode(struct ud*, uint8_t); 24 | 25 | extern void ud_set_pc(struct ud*, uint64_t); 26 | 27 | extern void ud_set_input_hook(struct ud*, int (*)(struct ud*)); 28 | 29 | extern void ud_set_input_buffer(struct ud*, uint8_t*, size_t); 30 | 31 | #ifndef __UD_STANDALONE__ 32 | /* extern void ud_set_input_file(struct ud*, FILE*); */ 33 | #endif /* __UD_STANDALONE__ */ 34 | 35 | extern void ud_set_vendor(struct ud*, unsigned); 36 | 37 | extern void ud_set_syntax(struct ud*, void (*)(struct ud*)); 38 | 39 | extern void ud_input_skip(struct ud*, size_t); 40 | 41 | extern int ud_input_end(struct ud*); 42 | 43 | extern unsigned int ud_decode(struct ud*); 44 | 45 | extern unsigned int ud_disassemble(struct ud*); 46 | 47 | extern void ud_translate_intel(struct ud*); 48 | 49 | extern void ud_translate_att(struct ud*); 50 | 51 | extern char* ud_insn_asm(struct ud* u); 52 | 53 | extern uint8_t* ud_insn_ptr(struct ud* u); 54 | 55 | extern uint64_t ud_insn_off(struct ud*); 56 | 57 | extern char* ud_insn_hex(struct ud*); 58 | 59 | extern unsigned int ud_insn_len(struct ud* u); 60 | 61 | extern const char* ud_lookup_mnemonic(enum ud_mnemonic_code c); 62 | 63 | /* ========================================================================== */ 64 | 65 | #ifdef __cplusplus 66 | } 67 | #endif 68 | #endif 69 | -------------------------------------------------------------------------------- /core/asm-offset.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "vt.h" 26 | 27 | #define _OFFSETOF(s, m) \ 28 | (&(((s*)0)->m)) 29 | #define DEFINE(_sym, _val) \ 30 | __asm__ __volatile__ ( "\n->" #_sym " %0 " #_val : : "i" (_val) ) 31 | #define BLANK() \ 32 | __asm__ __volatile__ ( "\n->" : : ) 33 | #define OFFSET(_sym, _str, _mem) \ 34 | DEFINE(_sym, _OFFSETOF(_str, _mem)); 35 | 36 | #define CONTEXT_SYMBOL(s) \ 37 | OFFSET(CONTEXT_##s, struct CPU_CONTEXT, GuestContext.s); 38 | 39 | void __foo__ (void) 40 | { 41 | CONTEXT_SYMBOL(rip); 42 | CONTEXT_SYMBOL(resumerip); 43 | CONTEXT_SYMBOL(rsp); 44 | CONTEXT_SYMBOL(cs); 45 | CONTEXT_SYMBOL(cr0); 46 | CONTEXT_SYMBOL(cr3); 47 | CONTEXT_SYMBOL(cr4); 48 | CONTEXT_SYMBOL(rflags); 49 | BLANK(); 50 | 51 | CONTEXT_SYMBOL(rax); 52 | CONTEXT_SYMBOL(rbx); 53 | CONTEXT_SYMBOL(rcx); 54 | CONTEXT_SYMBOL(rdx); 55 | CONTEXT_SYMBOL(rdi); 56 | CONTEXT_SYMBOL(rsi); 57 | CONTEXT_SYMBOL(rbp); 58 | } 59 | -------------------------------------------------------------------------------- /core/idt.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _IDT_H 26 | #define _IDT_H 27 | 28 | #include "types.h" 29 | 30 | #define IDT_TYPE_TASK_GATE 0b00101 31 | #define IDT_TYPE_32_INT_GATE 0b01110 32 | #define IDT_TYPE_16_INT_GATE 0b00110 33 | #define IDT_TYPE_32_TRAP_GATE 0b01111 34 | #define IDT_TYPE_16_TRAP_GATE 0b00111 35 | 36 | typedef struct { 37 | unsigned LowOffset :16; 38 | unsigned Selector :16; 39 | unsigned Access :16; 40 | unsigned HighOffset :16; 41 | } IDT_ENTRY, *PIDT_ENTRY; 42 | 43 | typedef struct _IDTR { 44 | unsigned Limit :16; 45 | unsigned BaseLo :16; 46 | unsigned BaseHi :16; 47 | } IDTR; 48 | 49 | /* Defined in i386/vmx-asm.S */ 50 | void NullIDTHandler(void); 51 | 52 | void RegisterIDTHandler(Bit16u index, void (*handler) (void)); 53 | PIDT_ENTRY GetIDTEntry(Bit8u num); 54 | void HookIDT(Bit8u entryno, Bit16u selector, void (*handler)(void)); 55 | 56 | #endif /* _IDT_H */ 57 | -------------------------------------------------------------------------------- /core/debug.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PILL_DEBUG_H 26 | #define _PILL_DEBUG_H 27 | 28 | #include "comio.h" 29 | #include "config.h" 30 | 31 | /////////// 32 | // Log // 33 | /////////// 34 | 35 | #ifdef GUEST_WINDOWS 36 | #include 37 | #define GuestLog(fmt, ...) do { DbgPrint("[vmm] " fmt "\n", ## __VA_ARGS__); } while(0) 38 | #elif defined GUEST_LINUX 39 | #include 40 | #define GuestLog(fmt, ...) do { printk(KERN_DEBUG "[vmm] " fmt "\n", ## __VA_ARGS__); } while(0) 41 | #else 42 | #error Invalid guest 43 | #endif 44 | 45 | #define NullLog(fmt, ...) do { } while(0) 46 | #define SerialLog(fmt, ...) \ 47 | do { \ 48 | if (ComIsInitialized()) { \ 49 | ComPrint(("[vmm] " fmt "\n"), ## __VA_ARGS__); \ 50 | } \ 51 | } while(0) 52 | 53 | /* Modify this macro to use a different logging method */ 54 | #ifdef DEBUG 55 | #define Log(fmt, ...) SerialLog(fmt, ## __VA_ARGS__) 56 | #elif defined GUEST_LINUX 57 | #define Log(fmt, ...) 58 | #else 59 | #error Invalid guest 60 | #endif 61 | 62 | #endif /* _PILL_DEBUG_H */ 63 | -------------------------------------------------------------------------------- /core/linux.h: -------------------------------------------------------------------------------- 1 | #ifndef _PILL_LINUX_H 2 | #define _PILL_LINUX_H 3 | 4 | #include "process.h" 5 | #include "types.h" 6 | #include "network.h" 7 | #include /* for MODULE_NAME_LEN */ 8 | /*********** 9 | * DEFINES * 10 | ***********/ 11 | 12 | /* Processes */ 13 | 14 | 15 | /* Modules */ 16 | 17 | /* Module name length in the MODULE_DATA structure */ 18 | #define MODULE_DATA_NAME_LEN 32 19 | /* Module name length in the struct module definition ( linux/module.h ) */ 20 | #ifndef MODULE_NAME_LEN 21 | #define MODULE_NAME_LEN (64 - sizeof(unsigned long)) 22 | #endif 23 | /* Length of Kernel instruction dump in bytes */ 24 | #define K_DUMP_MAX 150 25 | 26 | 27 | /* Sockets */ 28 | 29 | /*********** 30 | * STRUCTS * 31 | ***********/ 32 | 33 | typedef struct { 34 | Bit32u name; 35 | Bit32u task; 36 | Bit32u tstruct; 37 | Bit32u pid; 38 | Bit32u mm; 39 | } LinuxTaskOffsets; 40 | 41 | typedef struct { 42 | /* Process variables */ 43 | int readInit; 44 | hvm_address initTaskAddress; 45 | Bit32u initTaskPID; 46 | LinuxTaskOffsets savedOffsets; 47 | /* Module variables */ 48 | int readModules; 49 | hvm_address warnOnSlowpath; 50 | hvm_address sprintSymbol; 51 | hvm_address firstModule; 52 | /* Sockets variables */ 53 | } VMMLinuxStaticMemory; 54 | 55 | /********************* 56 | * FUNC DECLARATIONS * 57 | *********************/ 58 | 59 | hvm_status LinuxInitStructures(void); 60 | hvm_status LinuxReadTask(hvm_address addr, PROCESS_DATA* ptask); 61 | hvm_status LinuxAnalyzeInitTask(void); 62 | hvm_status LinuxGetNextProcess(hvm_address cr3, PROCESS_DATA* pprev, PROCESS_DATA* pnext); 63 | hvm_status LinuxGetModulesAddr(hvm_address * addr); 64 | hvm_status LinuxGetNextModule(hvm_address cr3, MODULE_DATA* pprev, MODULE_DATA* pnext); 65 | hvm_status LinuxFindProcess(hvm_address cr3, hvm_address *pts); 66 | hvm_status LinuxFindProcessPid(hvm_address cr3, hvm_address *pid); 67 | hvm_status LinuxFindProcessTid(hvm_address cr3, hvm_address *tid); 68 | hvm_status LinuxBuildSocketList(hvm_address cr3, SOCKET * buf, Bit32u maxsize, Bit32u *psize); 69 | #endif 70 | -------------------------------------------------------------------------------- /core/process.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PROCESS_H 26 | #define _PROCESS_H 27 | 28 | #include "types.h" 29 | 30 | typedef struct _PROCESS_DATA { 31 | hvm_address pid; 32 | hvm_address cr3; 33 | hvm_address pobj; /* Pointer to the process object (e.g., EPROCESS, on Windows) */ 34 | char name[32]; 35 | } PROCESS_DATA, *PPROCESS_DATA; 36 | 37 | typedef struct _MODULE_DATA { 38 | hvm_address baseaddr; 39 | hvm_address entrypoint; 40 | hvm_address pobj; /* Pointer to the module object (e.g., LDR_MODULE on Windows) */ 41 | char name[32]; 42 | } MODULE_DATA, *PMODULE_DATA; 43 | 44 | typedef void (*hvm_process_callback)(PPROCESS_DATA); 45 | 46 | /* 'cr3' here is just a valid CR3 of the guest */ 47 | hvm_status ProcessGetNextProcess(hvm_address cr3, PPROCESS_DATA pprev, PPROCESS_DATA pnext); 48 | hvm_status ProcessGetNextModule (hvm_address cr3, PMODULE_DATA pprev, PMODULE_DATA pnext); 49 | hvm_status ProcessGetNameByPid(hvm_address cr3, hvm_address pid, char *name); 50 | hvm_status ProcessFindProcessPid(hvm_address cr3, hvm_address *pid); 51 | hvm_status ProcessFindProcessTid(hvm_address cr3, hvm_address *tid); 52 | 53 | #endif /* _PROCESS_H */ 54 | -------------------------------------------------------------------------------- /core/common.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PILL_COMMON_H 26 | #define _PILL_COMMON_H 27 | 28 | #define MIN(a,b) (((a)<(b))?(a):(b)) 29 | 30 | #ifdef GUEST_LINUX 31 | 32 | #define STATUS_SUCCESS 0 33 | #define STATUS_UNSUCCESSFUL -1; 34 | 35 | #define USESTACK __attribute__((regparm(0))) 36 | #define GUEST_MALLOC(size) kmalloc((size), GFP_KERNEL) 37 | #define GUEST_FREE(p,size) kfree(p) 38 | 39 | #elif defined GUEST_WINDOWS 40 | 41 | #define USESTACK 42 | #define GUEST_MALLOC(size) MmAllocateNonCachedMemory(size) 43 | #define GUEST_FREE(p,size) MmFreeNonCachedMemory((p), (size)) 44 | 45 | #else 46 | #error Invalid guest 47 | #endif 48 | 49 | #include "types.h" 50 | #include "vt.h" 51 | 52 | /* Assembly functions (defined in i386/common.asm) */ 53 | void USESTACK CmInitSpinLock(Bit32u *plock); 54 | void USESTACK CmAcquireSpinLock(Bit32u *plock); 55 | void USESTACK CmReleaseSpinLock(Bit32u *plock); 56 | 57 | void CmSetBit32(Bit32u* dword, Bit32u bit); 58 | void CmClearBit32(Bit32u* dword, Bit32u bit); 59 | void CmClearBit16(Bit16u* word, Bit32u bit); 60 | void CmSleep(Bit32u microseconds); 61 | 62 | int wide2ansi(Bit8u* dst, Bit8u* src, Bit32u n); 63 | 64 | #endif /* _PILL_COMMON_H */ 65 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/types.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _TYPES_H 26 | #define _TYPES_H 27 | 28 | #if defined(WIN32) 29 | /* Windows */ 30 | typedef unsigned char Bit8u; 31 | typedef signed char Bit8s; 32 | typedef unsigned short Bit16u; 33 | typedef signed short Bit16s; 34 | typedef unsigned int Bit32u; 35 | typedef signed int Bit32s; 36 | typedef unsigned __int64 Bit64u; 37 | typedef signed __int64 Bit64s; 38 | #else 39 | /* Linux */ 40 | #error "TODO: Linux data types" 41 | #endif 42 | 43 | #define GET32L(val64) ((Bit32u)(((Bit64u)(val64)) & 0xFFFFFFFF)) 44 | #define GET32H(val64) ((Bit32u)(((Bit64u)(val64)) >> 32)) 45 | 46 | #if HVM_ARCH_BITS == 64 47 | typedef Bit64u hvm_address; 48 | #else 49 | typedef Bit32u hvm_address; 50 | #endif 51 | 52 | typedef Bit32u hvm_bool; 53 | #define TRUE 1 54 | #define FALSE 0 55 | 56 | /* Status values */ 57 | typedef Bit32u hvm_status; 58 | #define HVM_STATUS_SUCCESS 0x00000000 59 | #define HVM_STATUS_UNSUCCESSFUL 0xC0000001 60 | #define HVM_STATUS_INVALID_PARAMETER 0xC000000D 61 | #define HVM_SUCCESS(x) ((x) == HVM_STATUS_SUCCESS) 62 | 63 | /* Common types */ 64 | #ifndef NULL 65 | #define NULL 0 66 | #endif 67 | 68 | #endif /* _TYPES_H */ 69 | -------------------------------------------------------------------------------- /hyperdbg/keyboard.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _KEYBOARD_H 26 | #define _KEYBOARD_H 27 | 28 | /* In READ mode. Can be read at any time */ 29 | #define KEYB_REGISTER_STATUS 0x64 30 | 31 | /* In WRITE mode. Writing this port sets Bit 3 of the status register to 1 and 32 | the byte is treated as a controller command */ 33 | #define KEYB_REGISTER_COMMAND 0x64 34 | 35 | /* In READ mode. Should be read if bit 0 of status register is 1 */ 36 | #define KEYB_REGISTER_OUTPUT 0x60 37 | 38 | /* In WRITE mode. Data should only be written if Bit 1 of the status register 39 | is zero (register is empty) */ 40 | #define KEYB_REGISTER_DATA 0x60 41 | 42 | /* Read a keystroke from keyboard. If 'unget' is true, the read character is 43 | sent back to the device. */ 44 | hvm_status KeyboardReadKeystroke(Bit8u* pc, hvm_bool unget, hvm_bool* pisMouse); 45 | Bit8u KeyboardScancodeToKeycode(Bit8u c); 46 | hvm_status KeyboardInit(void); 47 | 48 | /* Enable/disable mouse */ 49 | hvm_status KeyboardSetMouse(hvm_bool enabled); 50 | 51 | typedef struct { 52 | hvm_bool lshift; 53 | hvm_bool rshift; 54 | hvm_bool lctrl; 55 | hvm_bool lalt; 56 | } KEYBOARD_STATUS; 57 | 58 | /* Global that holds current keyboard status */ 59 | extern KEYBOARD_STATUS keyboard_status; 60 | 61 | #endif /* _KEYBOARD_H */ 62 | -------------------------------------------------------------------------------- /core/vmmstring.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _STRING_H 26 | #define _STRING_H 27 | 28 | #include "types.h" 29 | #include 30 | 31 | unsigned char* vmm_strncat(unsigned char *dst, unsigned char *src, Bit32u n); 32 | Bit32s vmm_memcmp(void *s1, void *s2, Bit32u n); 33 | void* vmm_memcpy(void *dst, void *src, Bit32u n); 34 | unsigned char* vmm_strncpy(unsigned char *dst, unsigned char *src, Bit32u n); 35 | Bit32s vmm_strncmp(unsigned char *str1, unsigned char *str2, Bit32u n); 36 | Bit32s vmm_strncmpi(unsigned char *str1, unsigned char *str2, Bit32u n); 37 | Bit32u vmm_strlen(unsigned char *str); 38 | hvm_bool vmm_strtoul(char *str, Bit32u *out); 39 | void vmm_memset(void *s, int c, Bit32u n); 40 | int vmm_atoi(const char* str); 41 | 42 | int vmm_snprintf(char* c, size_t s, const char* cc, ...); 43 | int vmm_vsnprintf(char* c, size_t s, const char* cc, va_list l); 44 | 45 | unsigned char vmm_tolower(unsigned char c); 46 | unsigned char vmm_toupper(unsigned char c); 47 | 48 | hvm_bool vmm_islower(char c); 49 | hvm_bool vmm_isupper(char c); 50 | hvm_bool vmm_isalpha(char c); 51 | hvm_bool vmm_isdigit(char c); 52 | hvm_bool vmm_isxdigit(char c); 53 | 54 | #endif /* _STRING_H */ 55 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_cmd.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_CMD_H 26 | #define _HYPERDBG_CMD_H 27 | 28 | #include "hyperdbg.h" 29 | 30 | /* ################ */ 31 | /* #### MACROS #### */ 32 | /* ################ */ 33 | 34 | #define HYPERDBG_CMD_CHAR_SW_BP 'b' 35 | #define HYPERDBG_CMD_CHAR_SW_PERM_BP 'B' 36 | #define HYPERDBG_CMD_CHAR_CONTINUE 'c' 37 | #define HYPERDBG_CMD_CHAR_DISAS 'd' 38 | #define HYPERDBG_CMD_CHAR_DELETE_SW_BP 'D' 39 | #define HYPERDBG_CMD_CHAR_LIST_BP 'L' 40 | #define HYPERDBG_CMD_CHAR_HELP 'h' 41 | #define HYPERDBG_CMD_CHAR_INFO 'i' 42 | #define HYPERDBG_CMD_CHAR_SYMBOL_NEAREST 'n' 43 | #define HYPERDBG_CMD_CHAR_SHOWMODULES 'm' 44 | #define HYPERDBG_CMD_CHAR_SHOWPROCESSES 'p' 45 | #define HYPERDBG_CMD_CHAR_SHOWREGISTERS 'r' 46 | #define HYPERDBG_CMD_CHAR_SHOWSOCKETS 'w' 47 | #define HYPERDBG_CMD_CHAR_SINGLESTEP 's' 48 | #define HYPERDBG_CMD_CHAR_BACKTRACE 't' 49 | #define HYPERDBG_CMD_CHAR_SYMBOL 'S' 50 | #define HYPERDBG_CMD_CHAR_DUMPMEMORY 'x' 51 | #define HYPERDBG_CMD_CHAR_UNLINK_PROC 'f' 52 | #define HYPERDBG_CMD_CHAR_RELINK_PROC 'u' 53 | 54 | #define CHAR_IS_SPACE(c) (c==' ' || c=='\t' || c=='\f') 55 | 56 | hvm_bool HyperDbgProcessCommand(Bit8u *cmd); 57 | 58 | #endif /* _HYPERDBG_CMD_H */ 59 | -------------------------------------------------------------------------------- /core/ept.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _EPT_H 26 | #define _EPT_H 27 | #include "types.h" 28 | 29 | #define HOST_GB 4 /* Amount of GB in system (use 4 on 32 bit to get a full mapping) */ 30 | 31 | #define READ 0x1 32 | #define WRITE 0x2 33 | #define EXEC 0x4 34 | 35 | #define MEM_TYPE_UNCACHEABLE 0 36 | #define MEM_TYPE_WRITECOMBINE 1 37 | #define MEM_TYPE_WRITETHROUGH 4 38 | #define MEM_TYPE_WRITEPROTECT 5 39 | #define MEM_TYPE_WRITEBACK 6 40 | 41 | extern hvm_address VIRT_PT_BASES[HOST_GB*512]; 42 | 43 | #pragma pack (push, 1) 44 | 45 | typedef struct 46 | { 47 | hvm_phy_address Eptp; 48 | hvm_phy_address Rsvd; 49 | 50 | } INVEPT_DESCRIPTOR, *PINVEPT_DESCRIPTOR; 51 | 52 | #pragma pack (pop) 53 | 54 | extern INVEPT_DESCRIPTOR EPTInveptDesc; 55 | 56 | extern hvm_address Pml4; 57 | extern hvm_phy_address Phys_Pml4; 58 | 59 | void EPTInit(void); 60 | Bit8u EPTGetMemoryType(hvm_address address); 61 | void EPTAlterPT(hvm_address guest_phy, Bit8u perms, hvm_bool isRemove); 62 | hvm_address EPTGetEntry(hvm_address guest_phy); 63 | void EPTProtectPhysicalRange(hvm_address base, Bit32u size, Bit8u permsToRemove); 64 | 65 | #define EPTRemovePTperms(guest_phy, permsToRemove) EPTAlterPT(guest_phy, permsToRemove, TRUE); 66 | #define EPTMapPhysicalAddress(guest_phy, perms) EPTAlterPT(guest_phy, perms, FALSE); 67 | 68 | #endif /* _EPT_H */ 69 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/common.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | #include "common.h" 30 | 31 | extern HWND g_hWndEdit; 32 | 33 | void ShowError(const char *msg, ...) { 34 | va_list ap; 35 | char tmp[1024]; 36 | 37 | va_start(ap, msg); 38 | _vsnprintf(tmp, sizeof(tmp), msg, ap); 39 | va_end(ap); 40 | 41 | MessageBox(NULL, tmp, "Error", MB_ICONEXCLAMATION | MB_OK); 42 | } 43 | 44 | void LogMessage(const char *fmt, ...) 45 | { 46 | va_list ap; 47 | char newdata[1024], *data; 48 | SYSTEMTIME lt; 49 | LRESULT n; 50 | 51 | GetLocalTime(<); 52 | _snprintf(newdata, sizeof(newdata), "[%02d-%02d-%04d %02d:%02d:%02d.%03d] ", 53 | lt.wDay, lt.wMonth, lt.wYear, lt.wHour, lt.wMinute, lt.wSecond, lt.wMilliseconds); 54 | 55 | va_start(ap, fmt); 56 | _vsnprintf((char*)newdata + strlen(newdata), 57 | sizeof(newdata) - strlen(newdata) - 1, 58 | fmt, ap); 59 | va_end(ap); 60 | 61 | strncat(newdata, "\r\r\n", sizeof(newdata)); 62 | 63 | n = SendMessage(g_hWndEdit, EM_GETLIMITTEXT, 0, 0); 64 | data = (char*) malloc(n + strlen(newdata)); 65 | if(!data) { 66 | ShowError("Dynamic allocation error."); 67 | return; 68 | } 69 | 70 | /* read existing text */ 71 | SendMessage(g_hWndEdit, WM_GETTEXT, n, (LPARAM) data); 72 | 73 | /* add new text */ 74 | strncat(data, newdata, (n + strlen(newdata))); 75 | 76 | /* update text */ 77 | SendMessage(g_hWndEdit, WM_SETTEXT, 0, (LPARAM) data); 78 | } 79 | -------------------------------------------------------------------------------- /Kbuild: -------------------------------------------------------------------------------- 1 | #-*-makefile-*- 2 | 3 | .SUFFIXES=.c .o .S 4 | 5 | KVERSION= $(shell uname -r) 6 | KDIR= /lib/modules/$(KVERSION)/build 7 | 8 | hdbg-src:= hyperdbg 9 | core-src:= core 10 | i386-src:= $(core-src)/i386 11 | libudis86-src:= libudis86 12 | 13 | DEFINE += -DHVM_ARCH_BITS=32 -DENABLE_HYPERDBG \ 14 | -DGUEST_LINUX -DVIDEO_DEFAULT_RESOLUTION_X=1024 -DVIDEO_DEFAULT_RESOLUTION_Y=768 -DENABLE_EPT -DHYPERDBG_VERSION=$(shell date +%Y%m%d) 15 | 16 | INCLUDE += -I$(src)/$(hdbg-src) -I$(src)/$(core-src) -I$(src)/$(i386-src) -I$(src)/$(libudis86-src) 17 | EXTRA_CFLAGS += $(DEFINE) $(INCLUDE) -fno-omit-frame-pointer 18 | 19 | # DBG += CONFIG_DEBUG_SECTION_MISMATCH=y 20 | 21 | core-objs:= $(core-src)/pill_linux.o $(core-src)/pill_common.o \ 22 | $(core-src)/comio.o $(core-src)/idt.o $(core-src)/x86.o $(core-src)/vmmstring.o $(core-src)/events.o \ 23 | $(core-src)/common.o $(core-src)/vmhandlers.o $(core-src)/vmx.o $(core-src)/mmu.o $(core-src)/snprintf.o \ 24 | $(core-src)/process.o $(core-src)/network.o $(core-src)/vt.o $(core-src)/linux.o $(core-src)/ept.o 25 | 26 | i386-objs:= $(i386-src)/io-asm.o $(i386-src)/common-asm.o $(i386-src)/reg-asm.o $(i386-src)/vmx-asm.o 27 | 28 | hyperdbg-objs:= $(hdbg-src)/gui.o $(hdbg-src)/font_256.o $(hdbg-src)/hyperdbg_cmd.o $(hdbg-src)/hyperdbg_guest.o \ 29 | $(hdbg-src)/hyperdbg_host.o $(hdbg-src)/hyperdbg_print.o $(hdbg-src)/keyboard.o $(hdbg-src)/pager.o $(hdbg-src)/pci.o \ 30 | $(hdbg-src)/scancode.o $(hdbg-src)/sw_bp.o $(hdbg-src)/syms.o $(hdbg-src)/symsearch.o \ 31 | $(hdbg-src)/video.o $(hdbg-src)/xpvideo.o 32 | 33 | libudis86-objs:= $(libudis86-src)/decode.o $(libudis86-src)/input.o $(libudis86-src)/itab.o $(libudis86-src)/syn-att.o \ 34 | $(libudis86-src)/syn.o $(libudis86-src)/syn-intel.o $(libudis86-src)/udis86.o 35 | 36 | obj-m := hcore.o 37 | hcore-objs := $(core-objs) $(i386-objs) $(hyperdbg-objs) $(libudis86-objs) 38 | 39 | all: asm-offset.h 40 | make $(DBG) -C $(KDIR) M=$(PWD) modules 41 | 42 | clean: 43 | make -C $(KDIR) M=$(PWD) clean 44 | -rm -f $(core-src)/asm-offset.s $(core-src)/asm-offset.h 45 | 46 | asm-offset.h: asm-offset.s 47 | @(echo "/*"; \ 48 | echo " * DO NOT MODIFY."; \ 49 | echo " *"; \ 50 | echo " * This file was auto-generated from $<"; \ 51 | echo " *"; \ 52 | echo " */"; \ 53 | echo " "; \ 54 | echo "#ifndef __TEST_H__"; \ 55 | echo "#define __TEST_H__"; \ 56 | echo " "; \ 57 | sed -ne "/^->/{s:^->\([^ ]*\) [\$$#]*\([^ ]*\) \(.*\):#define \1 \2 /* \3 */:; s:->::; p;}"; \ 58 | echo " "; \ 59 | echo "#endif") < $(core-src)/$< >$(core-src)/$@ 60 | 61 | 62 | asm-offset.s: $(core-src)/asm-offset.c 63 | $(CC) $(DEFINE) -S -o $(core-src)/$@ $< 64 | -------------------------------------------------------------------------------- /Makefile.linux: -------------------------------------------------------------------------------- 1 | #-*-makefile-*- 2 | 3 | .SUFFIXES=.c .o .S 4 | 5 | KVERSION= $(shell uname -r) 6 | KDIR= /lib/modules/$(KVERSION)/build 7 | 8 | hdbg-src:= hyperdbg 9 | core-src:= core 10 | i386-src:= $(core-src)/i386 11 | libudis86-src:= libudis86 12 | 13 | DEFINE += -DHVM_ARCH_BITS=32 -DENABLE_HYPERDBG \ 14 | -DGUEST_LINUX -DVIDEO_DEFAULT_RESOLUTION_X=1024 -DVIDEO_DEFAULT_RESOLUTION_Y=768 -DENABLE_EPT -DHYPERDBG_VERSION=$(shell date +%Y%m%d) 15 | 16 | INCLUDE += -I$(src)/$(hdbg-src) -I$(src)/$(core-src) -I$(src)/$(i386-src) -I$(src)/$(libudis86-src) 17 | EXTRA_CFLAGS += $(DEFINE) $(INCLUDE) -fno-omit-frame-pointer 18 | 19 | # DBG += CONFIG_DEBUG_SECTION_MISMATCH=y 20 | 21 | core-objs:= $(core-src)/pill_linux.o $(core-src)/pill_common.o \ 22 | $(core-src)/comio.o $(core-src)/idt.o $(core-src)/x86.o $(core-src)/vmmstring.o $(core-src)/events.o \ 23 | $(core-src)/common.o $(core-src)/vmhandlers.o $(core-src)/vmx.o $(core-src)/mmu.o $(core-src)/snprintf.o \ 24 | $(core-src)/process.o $(core-src)/network.o $(core-src)/vt.o $(core-src)/linux.o $(core-src)/ept.o 25 | 26 | i386-objs:= $(i386-src)/io-asm.o $(i386-src)/common-asm.o $(i386-src)/reg-asm.o $(i386-src)/vmx-asm.o 27 | 28 | hyperdbg-objs:= $(hdbg-src)/gui.o $(hdbg-src)/font_256.o $(hdbg-src)/hyperdbg_cmd.o $(hdbg-src)/hyperdbg_guest.o \ 29 | $(hdbg-src)/hyperdbg_host.o $(hdbg-src)/hyperdbg_print.o $(hdbg-src)/keyboard.o $(hdbg-src)/pager.o $(hdbg-src)/pci.o \ 30 | $(hdbg-src)/scancode.o $(hdbg-src)/sw_bp.o $(hdbg-src)/syms.o $(hdbg-src)/symsearch.o \ 31 | $(hdbg-src)/video.o $(hdbg-src)/xpvideo.o 32 | 33 | libudis86-objs:= $(libudis86-src)/decode.o $(libudis86-src)/input.o $(libudis86-src)/itab.o $(libudis86-src)/syn-att.o \ 34 | $(libudis86-src)/syn.o $(libudis86-src)/syn-intel.o $(libudis86-src)/udis86.o 35 | 36 | obj-m := hcore.o 37 | hcore-objs := $(core-objs) $(i386-objs) $(hyperdbg-objs) $(libudis86-objs) 38 | 39 | all: asm-offset.h 40 | make $(DBG) -C $(KDIR) M=$(PWD) modules 41 | 42 | clean: 43 | make -C $(KDIR) M=$(PWD) clean 44 | -rm -f $(core-src)/asm-offset.s $(core-src)/asm-offset.h 45 | 46 | asm-offset.h: asm-offset.s 47 | @(echo "/*"; \ 48 | echo " * DO NOT MODIFY."; \ 49 | echo " *"; \ 50 | echo " * This file was auto-generated from $<"; \ 51 | echo " *"; \ 52 | echo " */"; \ 53 | echo " "; \ 54 | echo "#ifndef __TEST_H__"; \ 55 | echo "#define __TEST_H__"; \ 56 | echo " "; \ 57 | sed -ne "/^->/{s:^->\([^ ]*\) [\$$#]*\([^ ]*\) \(.*\):#define \1 \2 /* \3 */:; s:->::; p;}"; \ 58 | echo " "; \ 59 | echo "#endif") < $(core-src)/$< >$(core-src)/$@ 60 | 61 | 62 | asm-offset.s: $(core-src)/asm-offset.c 63 | $(CC) $(DEFINE) -S -o $(core-src)/$@ $< 64 | -------------------------------------------------------------------------------- /core/network.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "network.h" 26 | #include "vmmstring.h" 27 | #include "debug.h" 28 | 29 | #ifdef GUEST_WINDOWS 30 | #include "winxp.h" 31 | #elif defined GUEST_LINUX 32 | #include "linux.h" 33 | #endif 34 | 35 | Bit16u vmm_ntohs(Bit16u v) { 36 | return ((v & 0xff00) >> 8) | ((v & 0xff) << 8); 37 | } 38 | 39 | Bit32u vmm_ntohl(Bit32u v) { 40 | return ( 41 | (v & 0xff000000) >> 24 | 42 | (v & 0x00ff0000) >> 8 | 43 | (v & 0x0000ff00) << 8 | 44 | (v & 0x000000ff) << 24 45 | ); 46 | } 47 | 48 | void inet_ntoa(Bit32u a, char *internal_buffer) 49 | { 50 | a = vmm_ntohl(a); 51 | 52 | vmm_snprintf(internal_buffer, 16, 53 | "%d.%d.%d.%d", 54 | (a & 0xff000000) >> 24, 55 | (a & 0x00ff0000) >> 16, 56 | (a & 0x0000ff00) >> 8, 57 | (a & 0x000000ff) 58 | ); 59 | } 60 | 61 | void inet_ntoa_v6(Bit16u *a, char *internal_buffer) 62 | { 63 | unsigned int i; 64 | 65 | for(i = 0; i < 8; i++) 66 | a[i] = vmm_ntohs(a[i]); 67 | 68 | vmm_snprintf(internal_buffer, 40, 69 | "%0x:%0x:%0x:%0x:%0x:%0x:%0x:%0x", 70 | a[0], a[1], a[2], a[3], 71 | a[4], a[5], a[6], a[7] 72 | ); 73 | } 74 | 75 | hvm_status NetworkBuildSocketList(hvm_address cr3, SOCKET *buf, Bit32u maxsize, Bit32u *psize) 76 | { 77 | hvm_status r; 78 | r = HVM_STATUS_UNSUCCESSFUL; 79 | 80 | #ifdef GUEST_WINDOWS 81 | #ifdef GUEST_WIN_7 82 | r = Windows7BuildSocketList(cr3, buf, maxsize, psize); 83 | #else 84 | r = WindowsBuildSocketList(cr3, buf, maxsize, psize); 85 | #endif 86 | #elif defined GUEST_LINUX 87 | r = LinuxBuildSocketList(cr3, buf, maxsize, psize); 88 | #endif 89 | 90 | return r; 91 | } 92 | -------------------------------------------------------------------------------- /core/i386/io-asm.S: -------------------------------------------------------------------------------- 1 | // Copyright notice 2 | // ================ 3 | // 4 | // Copyright (C) 2010 5 | // Lorenzo Martignoni 6 | // Roberto Paleari 7 | // Aristide Fattori 8 | // 9 | // This program is free software: you can redistribute it and/or modify it under 10 | // the terms of the GNU General Public License as published by the Free Software 11 | // Foundation, either version 3 of the License, or (at your option) any later 12 | // m version. 13 | // 14 | // HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 15 | // WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 16 | // A PARTICULAR PURPOSE. See the GNU General Public License for more details. 17 | // 18 | // You should have received a copy of the GNU General Public License along with 19 | // this program. If not, see . 20 | // 21 | 22 | .text 23 | .globl _IoReadPortByte, _IoReadPortWord, _IoReadPortDword, _IoWritePortByte, _IoWritePortWord, _IoWritePortDword 24 | .globl IoReadPortByte, IoReadPortWord, IoReadPortDword, IoWritePortByte, IoWritePortWord, IoWritePortDword 25 | 26 | IoReadPortByte: 27 | _IoReadPortByte: 28 | pushl %ebp 29 | movl %esp,%ebp 30 | pushl %edx 31 | movl 0x8(%ebp),%edx /* __portno */ 32 | in %dx,%al 33 | popl %edx 34 | leave 35 | ret 36 | 37 | IoReadPortWord: 38 | _IoReadPortWord: 39 | pushl %ebp 40 | movl %esp,%ebp 41 | pushl %edx 42 | movl 0x8(%ebp),%edx /* __portno */ 43 | in %dx,%ax 44 | popl %edx 45 | leave 46 | ret 47 | 48 | IoReadPortDword: 49 | _IoReadPortDword: 50 | pushl %ebp 51 | movl %esp,%ebp 52 | pushl %edx 53 | movl 0x8(%ebp),%edx /* __portno */ 54 | in %dx,%eax 55 | popl %edx 56 | leave 57 | ret 58 | 59 | IoWritePortByte: 60 | _IoWritePortByte: 61 | pushl %ebp 62 | movl %esp,%ebp 63 | pushl %edx 64 | pushl %eax 65 | movl 0x8(%ebp),%edx /* __portno */ 66 | movl 0xc(%ebp),%eax /* v */ 67 | out %al,%dx 68 | popl %eax 69 | popl %edx 70 | leave 71 | ret 72 | 73 | IoWritePortWord: 74 | _IoWritePortWord: 75 | pushl %ebp 76 | movl %esp,%ebp 77 | pushl %edx 78 | pushl %eax 79 | movl 0x8(%ebp),%edx /* __portno */ 80 | movl 0xc(%ebp),%eax /* v */ 81 | out %ax,%dx 82 | popl %eax 83 | popl %edx 84 | leave 85 | ret 86 | 87 | IoWritePortDword: 88 | _IoWritePortDword: 89 | pushl %ebp 90 | movl %esp,%ebp 91 | pushl %edx 92 | pushl %eax 93 | movl 0x8(%ebp),%edx /* __portno */ 94 | movl 0xc(%ebp),%eax /* v */ 95 | out %eax,%dx 96 | popl %eax 97 | popl %edx 98 | leave 99 | ret 100 | -------------------------------------------------------------------------------- /docs/README: -------------------------------------------------------------------------------- 1 | HyperDbg is a kernel debugger that leverages hardware-assisted 2 | virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor 3 | that is installed while the system runs. Compared to traditional kernel 4 | debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely 5 | transparent to the kernel and can be used to debug kernel code without the need 6 | of serial (or USB) cables. For example, HyperDbg allows to single step the 7 | execution of the kernel, even when the kernel is executing exception and 8 | interrupt handlers. Compared to traditional virtual machine based debuggers 9 | (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be 10 | run as a guest of a virtual machine, although it is as powerful. 11 | 12 | Once loaded, the debugger will sits in background and will pop up the GUI when 13 | the F12 hot-key is pressed or when a debug event occurs. 14 | 15 | The current version of HyperDbg is a prototype and will evolve drastically in 16 | the future. Currently the debugger allows to set breakpoints, to single step 17 | the execution of the kernel, to inspect the memory of the operating system and 18 | of a particular process. However, the debugger currently does not distinguish 19 | between threads, has limited support for kernel's symbols, and has does not 20 | clone shared pages before setting a breakpoint. Future version of the debugger 21 | will be based on an enhanced version of the hypervisor that guarantees complete 22 | isolation and transparency. 23 | 24 | HyperDbg currently only supports: 25 | 26 | * systems with PS/2 keyboards 27 | * systems with Intel VT-x 28 | * systems running 32-bit OSes and applications (no PAE) 29 | * Windows XP (SP2). 30 | 31 | HyperDbg renders the GUI by writing directly to the memory of the video 32 | card. Some video cards are known to give problems. The debugger does not work 33 | correctly when the accelerated drivers for the following cards are loaded: 34 | 35 | * Intel 82915g 36 | * nvidia GeForce 9800GT 37 | * nvidia GeForce GT 130 38 | 39 | If you have any of the aforementioned cards (and you are using the accelerated 40 | driver) or if the interface is not correctly rendered on the screen, you have 41 | to disable the driver in order to be able to use HyperDbg. The driver used by 42 | default by Windows XP does not give any problem. 43 | 44 | See the file INSTALL for compilation instructions. 45 | 46 | HyperDbg is developed by: 47 | 48 | * Aristide Fattori 49 | * Lorenzo Martignoni 50 | * Roberto Paleari 51 | 52 | Comments, suggestions, criticisms, and patches are very welcome and can be sent 53 | by email to the authors. 54 | 55 | -------------------------------------------------------------------------------- /core/pill_common.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | /* Inspired to Shawn Embleton's Virtual Machine Monitor */ 26 | 27 | #include "pill.h" 28 | 29 | /* ################# */ 30 | /* #### GLOBALS #### */ 31 | /* ################# */ 32 | 33 | hvm_address EntryRFlags; 34 | hvm_address EntryRAX; 35 | hvm_address EntryRCX; 36 | hvm_address EntryRDX; 37 | hvm_address EntryRBX; 38 | hvm_address EntryRSP; 39 | hvm_address EntryRBP; 40 | hvm_address EntryRSI; 41 | hvm_address EntryRDI; 42 | 43 | hvm_address GuestStack; 44 | 45 | /* ################ */ 46 | /* #### BODIES #### */ 47 | /* ################ */ 48 | 49 | hvm_status RegisterEvents(void) 50 | { 51 | EVENT_CONDITION_HYPERCALL hypercall; 52 | 53 | /* Initialize the event handler */ 54 | EventInit(); 55 | 56 | /* Register a hypercall to switch off the VM */ 57 | hypercall.hypernum = HYPERCALL_SWITCHOFF; 58 | 59 | if(!EventSubscribe(EventHypercall, &hypercall, sizeof(hypercall), HypercallSwitchOff)) { 60 | GuestLog("ERROR: Unable to register switch-off hypercall handler"); 61 | return HVM_STATUS_UNSUCCESSFUL; 62 | } 63 | 64 | return HVM_STATUS_SUCCESS; 65 | } 66 | 67 | /* Initialize the IDT of the VMM */ 68 | void InitVMMIDT(PIDT_ENTRY pidt) 69 | { 70 | int i; 71 | IDT_ENTRY idte_null; 72 | idte_null.Selector = RegGetCs(); 73 | 74 | /* Present, DPL 0, Type 0xe (INT gate) */ 75 | idte_null.Access = (1 << 15) | (0xe << 8); 76 | 77 | idte_null.LowOffset = (Bit32u) NullIDTHandler & 0xffff; 78 | idte_null.HighOffset = (Bit32u) NullIDTHandler >> 16; 79 | 80 | for (i=0; i<256; i++) { 81 | pidt[i] = idte_null; 82 | } 83 | } 84 | 85 | hvm_status FiniPlugin(void) 86 | { 87 | #ifdef ENABLE_HYPERDBG 88 | if (!HVM_SUCCESS(HyperDbgHostFini())) 89 | return HVM_STATUS_UNSUCCESSFUL; 90 | 91 | if (!HVM_SUCCESS(HyperDbgGuestFini())) 92 | return HVM_STATUS_UNSUCCESSFUL; 93 | #endif 94 | 95 | return HVM_STATUS_SUCCESS; 96 | } 97 | 98 | -------------------------------------------------------------------------------- /core/types.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _TYPES_H 26 | #define _TYPES_H 27 | 28 | #if defined(WIN32) 29 | /* Windows */ 30 | #include 31 | #include 32 | 33 | typedef unsigned char Bit8u; 34 | typedef signed char Bit8s; 35 | typedef unsigned short Bit16u; 36 | typedef signed short Bit16s; 37 | typedef unsigned int Bit32u; 38 | typedef signed int Bit32s; 39 | typedef unsigned __int64 Bit64u; 40 | typedef signed __int64 Bit64s; 41 | 42 | #else 43 | /* Linux */ 44 | #include 45 | 46 | typedef unsigned char Bit8u; 47 | typedef signed char Bit8s; 48 | typedef unsigned short int Bit16u; 49 | typedef signed short int Bit16s; 50 | typedef unsigned int Bit32u; 51 | typedef signed int Bit32s; 52 | typedef unsigned long long int Bit64u; 53 | typedef signed long long int Bit64s; 54 | 55 | #endif 56 | 57 | #define GET32L(val64) ((Bit32u)(((Bit64u)(val64)) & 0xFFFFFFFF)) 58 | #define GET32H(val64) ((Bit32u)(((Bit64u)(val64)) >> 32)) 59 | 60 | #if HVM_ARCH_BITS == 64 61 | typedef Bit64u hvm_address; 62 | #else 63 | typedef Bit32u hvm_address; 64 | #endif 65 | 66 | typedef Bit64u hvm_phy_address; 67 | 68 | #ifdef GUEST_LINUX 69 | typedef struct _PHYSICAL_ADDRESS 70 | { 71 | struct { 72 | Bit32u LowPart; 73 | Bit64s HighPart; 74 | } u; 75 | } PHYSICAL_ADDRESS; 76 | #endif 77 | 78 | typedef Bit32u hvm_bool; 79 | #define TRUE 1 80 | #define FALSE 0 81 | 82 | /* Status values */ 83 | typedef Bit32u hvm_status; 84 | #define HVM_STATUS_SUCCESS 0x00000000 85 | #define HVM_STATUS_UNSUCCESSFUL 0xC0000001 86 | #define HVM_STATUS_INVALID_PARAMETER 0xC000000D 87 | #define HVM_STATUS_END_OF_FILE 0xC0000011 88 | #define HVM_SUCCESS(x) ((x) == HVM_STATUS_SUCCESS) 89 | 90 | /* Common types */ 91 | #ifndef NULL 92 | #define NULL 0 93 | #endif 94 | 95 | #endif /* _TYPES_H */ 96 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_common.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_COMMON_H 26 | #define _HYPERDBG_COMMON_H 27 | 28 | #include "hyperdbg.h" 29 | 30 | #define HYPERDBG_MAGIC_SCANCODE 88 /* F12 */ 31 | 32 | #define MAXSWBPS 100 33 | 34 | /* Information related to the state of the internal Linux guest */ 35 | typedef struct { 36 | /* TODO! */ 37 | hvm_address dummy; 38 | } LINUX_STATE; 39 | 40 | /* Information related to the state of the internal Windows guest */ 41 | typedef struct { 42 | hvm_address kernel_base; 43 | } WIN_STATE; 44 | 45 | typedef struct { 46 | /* This variable is set to 1 when HyperDbg has been initialized */ 47 | hvm_bool initialized; 48 | 49 | /* This variable is set to TRUE when user has requested to enter 50 | HyperDbg-mode, otherwise, it is set to FALSE */ 51 | hvm_bool enabled; 52 | 53 | /* This variable is TRUE when guest single-stepping is enabled */ 54 | hvm_bool singlestepping; 55 | 56 | /* These variable is TRUE(the first) and used when we have set a permanent breakpoint */ 57 | hvm_bool hasPermBP; 58 | hvm_address previous_codeaddr; 59 | hvm_bool isPermBPCr3Dipendent; 60 | hvm_address bp_cr3; 61 | 62 | /* These variables are needed for right alteration of EFLAGS in singlestepping */ 63 | hvm_bool TF_on; 64 | hvm_bool IF_on; 65 | 66 | /* This variable is TRUE when HyperDbg running in console mode */ 67 | hvm_bool console_mode; 68 | 69 | /* The interrupt vector that the PIC maps to the keyboard IRQ */ 70 | Bit8u keyb_vector; 71 | 72 | /* Accounting variables */ 73 | Bit32u ntraps; 74 | 75 | union { 76 | WIN_STATE win_state; 77 | LINUX_STATE linux_state; 78 | }; 79 | 80 | /* Variables for process freeze */ 81 | hvm_address target_cr3; 82 | hvm_address target_kthread; 83 | hvm_address target_pep; 84 | hvm_address unlink_bp_addr; 85 | hvm_address relink_bp_addr; 86 | unsigned int dispatcher_ready_index; 87 | Bit8u opcode_backup_unlink; 88 | Bit8u opcode_backup_relink; 89 | 90 | /* Variables for process BPs and singlestepping */ 91 | hvm_address bp_addr_target; 92 | 93 | } HYPERDBG_STATE; 94 | 95 | extern HYPERDBG_STATE hyperdbg_state; 96 | 97 | #endif /* _HYPERDBG_COMMON_H */ 98 | -------------------------------------------------------------------------------- /docs/INSTALL: -------------------------------------------------------------------------------- 1 | HyperDbg 2 | ======== 3 | 4 | To compile HyperDbg and the analysis infrastructure you need the GNU GCC 5 | compiler. The compiler is typically included in any Linux 6 | distribution. Instead, if you want to compile the Windows version of HyperDbg, 7 | then you can install the MinGW environment[1]. 8 | 9 | To compile the Windows or Linux version of HyperDbg, you only have to choose 10 | the appropriate Makefile (Makefile.windows or Makefile.linux). As an example, 11 | under Microsoft Windows you should run: 12 | 13 | Makefile -f Makefile.windows 14 | 15 | Video issues 16 | ============ 17 | 18 | If automatic video card detection does not work on you system (e.g., detection 19 | will not work if you are going to test HyperDbg on Bochs), please disable 20 | automatic video card detection *before compiling*, by uncommenting the 21 | following line in hyperdbg/video.c: 22 | 23 | #define VIDEO_ADDRESS_MANUAL 24 | 25 | and manually set the address of the video card memory by defining the 26 | DEFAULT_VIDEO_ADDRESS macro, like below: 27 | 28 | #define DEFAULT_VIDEO_ADDRESS 0xdeadbeef // where 0xdeadbeef is the address on your machine 29 | 30 | To find the appropriate value for this macro, you just need to go to 'Control 31 | Panel' and double-click on 'System'. Then, switch to the 'Hardware' tab and 32 | click on Hardware Devices'. From there, locate the entry of your video card, 33 | right-click on it and select 'Properties'. Go to the 'Resources' tab and find 34 | 'Memory Interval', the reported value is the one that you need to insert in the 35 | code. It is possible to find multiple entries labeled as 'Memory Interval'; if 36 | this is the case, select the bigger interval, it will look like something like 37 | this: 38 | 39 | Memory Interval 0xE0000000 - 0xE0FFFFFF 40 | 41 | If you have a linux installation on the same machine and feel more confident 42 | with linux tools, just run from a terminal the command: 43 | 44 | $ lspci -vvv 45 | 46 | once located the entry relative to your video card, you will find a line 47 | similar to this: 48 | 49 | Region 1: Memory at d0000000 (32-bit, prefetchable) [size=128M] 50 | 51 | d0000000 is the address you need to set in the code. 52 | 53 | HyperGui 54 | ======== 55 | 56 | In hyperdbg/tools/hypergui/ you can find an user-friendly HyperDbg loader that 57 | won't be compiled by default when building HyperDbg. To compile it, just move 58 | to the aforementioned directory and run: 59 | 60 | build /czgw 61 | 62 | after building HyperGui, you can just ship HyperGui.exe and hyperdbg.sys on the 63 | target machine and double click on HyperGui.exe. HyperGui.exe also offers a 64 | command line interface. 65 | 66 | symbol2c.py 67 | =========== 68 | 69 | In hyperdbg/tools/ you can find a Python script to automatically parse symbols 70 | for HyperDbg. You have to dowload from microsoft.com the appropriate 71 | symbol file (.pdb). Once you get hold of the file you can launch: 72 | 73 | $ python symbol2c.py file.pdb syms.c 74 | 75 | This command will generate the file syms.c. Replace the file hyperdbg/syms.c 76 | with the newly created one and recompile. 77 | 78 | Note that, to use symbol2c.py, you need to install the pdbparse library, 79 | available at: 80 | 81 | http://code.google.com/p/pdbparse/ 82 | 83 | Footnotes: 84 | [1] http://www.mingw.org/ 85 | 86 | -------------------------------------------------------------------------------- /hyperdbg/video.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _VIDEO_H 26 | #define _VIDEO_H 27 | 28 | /* Frame buffer resolutions must be defined UNLESS we are using xp automatic resolution detection */ 29 | #ifndef XPVIDEO 30 | #ifndef VIDEO_DEFAULT_RESOLUTION_X 31 | #error VIDEO_DEFAULT_RESOLUTION_X must be defined! 32 | #endif 33 | #endif 34 | 35 | #ifndef XPVIDEO 36 | #ifndef VIDEO_DEFAULT_RESOLUTION_Y 37 | #error VIDEO_DEFAULT_RESOLUTION_Y must be defined! 38 | #endif 39 | #endif 40 | 41 | #define SHELL_SIZE_X 100 42 | #define SHELL_SIZE_Y 50 43 | #define MAX_INPUT_SIZE 94 44 | #define OUT_START_X 2 45 | #define OUT_END_X 98 46 | #define OUT_START_Y 12 47 | #define OUT_END_Y 47 48 | #define OUT_SIZE_X OUT_END_X - OUT_START_X 49 | #define OUT_SIZE_Y OUT_END_Y - OUT_START_Y 50 | 51 | #define GUI_COLORIZED 52 | 53 | #ifdef GUI_COLORIZED 54 | 55 | /* Colorized GUI */ 56 | #define BLACK 0x00000000 57 | #define WHITE 0xffffffff 58 | #define VOMIT_GREEN 0x0000c618 59 | #define LIGHT_GREEN 0x0000f800 60 | #define LIGHT_BLUE 0x00009cd3 61 | #define DARK_BLUE 0x00000780 62 | #define BLUE 0x000044b0 63 | #define CYAN 0x0000ffe0 64 | #define RED 0xffff0000 65 | #define BGCOLOR BLACK 66 | 67 | #else 68 | 69 | /* Black & white GUI */ 70 | #define BLACK 0x00000000 71 | #define WHITE BLACK 72 | #define VOMIT_GREEN BLACK 73 | #define LIGHT_GREEN BLACK 74 | #define LIGHT_BLUE BLACK 75 | #define DARK_BLUE BLACK 76 | #define BLUE BLACK 77 | #define CYAN BLACK 78 | #define RED BLACK 79 | #define BGCOLOR 0xffffffff // White background 80 | 81 | #endif 82 | 83 | #include "hyperdbg.h" 84 | 85 | hvm_status VideoInit(void); 86 | hvm_status VideoFini(void); 87 | hvm_status VideoAlloc(void); 88 | hvm_status VideoDealloc(void); 89 | 90 | hvm_bool VideoEnabled(void); 91 | 92 | void VideoSetResolution(Bit32u x, Bit32u y); 93 | void VideoSave(void); 94 | void VideoRestore(void); 95 | void VideoWriteChar(Bit8u, unsigned int, unsigned int, unsigned int); 96 | void VideoWriteString(char*, unsigned int, unsigned int, unsigned int, unsigned int); 97 | void VideoClear(Bit32u color); 98 | hvm_address VideoGetAddress(void); 99 | Bit32u VideoGetFrameBufferSize(void); 100 | #endif /* _VIDEO_H */ 101 | 102 | -------------------------------------------------------------------------------- /core/pill.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PILL_H 26 | #define _PILL_H 27 | 28 | #include "config.h" 29 | #include "debug.h" 30 | #include "mmu.h" 31 | #include "vt.h" 32 | #include "events.h" 33 | #include "x86.h" 34 | #include "msr.h" 35 | #include "idt.h" 36 | #include "comio.h" 37 | #include "common.h" 38 | #include "vmhandlers.h" 39 | 40 | #ifdef ENABLE_HYPERDBG 41 | #include "hyperdbg_guest.h" 42 | #include "hyperdbg_host.h" 43 | #endif 44 | 45 | hvm_status FiniPlugin(void); 46 | 47 | #ifdef GUEST_WINDOWS 48 | #include 49 | 50 | typedef KAFFINITY (*t_KeQueryActiveProcessors)(void); 51 | typedef VOID (*t_KeSetSystemAffinityThread)( KAFFINITY Affinity); 52 | typedef ULONG (*t_KeGetCurrentProcessorNumber)(void); /* FIXME */ 53 | 54 | NTSTATUS DDKAPI DriverEntry( PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath); 55 | VOID DDKAPI DriverUnload( PDRIVER_OBJECT DriverObject); 56 | 57 | #elif defined GUEST_LINUX 58 | #include 59 | #include 60 | #include 61 | 62 | MODULE_LICENSE("GPL"); 63 | 64 | int __init DriverEntry(void); 65 | void __exit DriverUnload(void); 66 | #endif 67 | 68 | /* ################ */ 69 | /* #### MACROS #### */ 70 | /* ################ */ 71 | 72 | #define HYPERCALL_SWITCHOFF 0xcafebabe 73 | 74 | /* #################### */ 75 | /* #### PROTOTYPES #### */ 76 | /* #################### */ 77 | void StartVT(void) asm("_StartVT"); 78 | hvm_status RegisterEvents(void); 79 | void InitVMMIDT(PIDT_ENTRY pidt); 80 | 81 | /* Assembly functions (defined in i386/vmx-asm.S) */ 82 | void DoStartVT(void); 83 | 84 | /* ################# */ 85 | /* #### GLOBALS #### */ 86 | /* ################# */ 87 | extern hvm_address EntryRFlags asm("_EntryRFlags"); 88 | extern hvm_address EntryRAX asm("_EntryRAX"); 89 | extern hvm_address EntryRCX asm("_EntryRCX"); 90 | extern hvm_address EntryRDX asm("_EntryRDX"); 91 | extern hvm_address EntryRBX asm("_EntryRBX"); 92 | extern hvm_address EntryRSP asm("_EntryRSP"); 93 | extern hvm_address EntryRBP asm("_EntryRBP"); 94 | extern hvm_address EntryRSI asm("_EntryRSI"); 95 | extern hvm_address EntryRDI asm("_EntryRDI"); 96 | 97 | extern hvm_address GuestStack asm("_GuestStack"); 98 | 99 | #endif /* _PILL_H */ 100 | -------------------------------------------------------------------------------- /core/process.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "process.h" 26 | #include "vmmstring.h" 27 | #include "debug.h" 28 | 29 | #ifdef GUEST_WINDOWS 30 | #include "winxp.h" 31 | #elif defined GUEST_LINUX 32 | #include 33 | #include "linux.h" 34 | #endif 35 | 36 | hvm_status ProcessGetNextProcess(hvm_address cr3, PPROCESS_DATA pprev, PPROCESS_DATA pnext) 37 | { 38 | hvm_status r; 39 | 40 | #ifdef GUEST_WINDOWS 41 | r = WindowsGetNextProcess(cr3, pprev, pnext); 42 | #elif defined GUEST_LINUX 43 | r = LinuxGetNextProcess(cr3, pprev, pnext); 44 | #endif 45 | 46 | return r; 47 | } 48 | 49 | hvm_status ProcessGetNextModule(hvm_address cr3, PMODULE_DATA pprev, PMODULE_DATA pnext) 50 | { 51 | hvm_status r; 52 | 53 | #ifdef GUEST_WINDOWS 54 | r = WindowsGetNextModule(cr3, pprev, pnext); 55 | #elif defined GUEST_LINUX 56 | /* TODO! */ 57 | r = HVM_STATUS_UNSUCCESSFUL; 58 | #endif 59 | 60 | return r; 61 | } 62 | 63 | hvm_status ProcessGetNameByPid(hvm_address cr3, hvm_address pid, char *name) 64 | { 65 | PROCESS_DATA prev, next; 66 | hvm_status r; 67 | 68 | vmm_memset(&next, 0, sizeof(next)); 69 | 70 | r = ProcessGetNextProcess(cr3, NULL, &next); 71 | while(TRUE) { 72 | if(r == HVM_STATUS_END_OF_FILE) 73 | break; 74 | 75 | if(r != HVM_STATUS_UNSUCCESSFUL && pid == next.pid) { 76 | #ifdef GUEST_WINDOWS 77 | vmm_strncpy(name, next.name, 32); 78 | #elif defined GUEST_LINUX 79 | vmm_strncpy(name, next.name, TASK_COMM_LEN); 80 | #endif 81 | return HVM_STATUS_SUCCESS; 82 | } 83 | prev = next; 84 | vmm_memset(next.name, 0, sizeof(next.name)); 85 | r = ProcessGetNextProcess(cr3, &prev, &next); 86 | } 87 | return HVM_STATUS_UNSUCCESSFUL; 88 | } 89 | 90 | hvm_status ProcessFindProcessPid(hvm_address cr3, hvm_address *pid) 91 | { 92 | hvm_status r; 93 | 94 | #ifdef GUEST_WINDOWS 95 | r = WindowsFindProcessPid(cr3, pid); 96 | #else 97 | r = LinuxFindProcessPid(cr3, pid); 98 | #endif 99 | 100 | return r; 101 | } 102 | 103 | hvm_status ProcessFindProcessTid(hvm_address cr3, hvm_address *tid) 104 | { 105 | hvm_status r; 106 | 107 | #ifdef GUEST_WINDOWS 108 | r = WindowsFindProcessTid(cr3, tid); 109 | #else 110 | r = LinuxFindProcessTid(cr3, tid); 111 | #endif 112 | 113 | return r; 114 | } 115 | -------------------------------------------------------------------------------- /core/idt.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "x86.h" 26 | #include "idt.h" 27 | 28 | void RegisterIDTHandler(Bit16u index, void (*handler) (void)) 29 | { 30 | IDTR tmp_idt; 31 | PIDT_ENTRY descriptors, pidt_entry; 32 | 33 | __asm__ __volatile__( 34 | "sidt %0\n" 35 | :"=m"(tmp_idt) 36 | ::"memory" 37 | ); 38 | 39 | descriptors = (PIDT_ENTRY) (tmp_idt.BaseHi << 16 | tmp_idt.BaseLo); 40 | pidt_entry = &(descriptors[index]); 41 | 42 | /* Copy a valid handler (0x2e). 43 | FIXME: Here we are assuming our handler lies in the same segment of the 44 | interrupt handler 0x2e. 45 | */ 46 | descriptors[index] = descriptors[0x2e]; 47 | 48 | pidt_entry->LowOffset = ((hvm_address) handler) & 0xffff; 49 | pidt_entry->HighOffset = ((hvm_address) handler) >> 16; 50 | } 51 | 52 | PIDT_ENTRY GetIDTEntry(Bit8u num) 53 | { 54 | Bit32u flags; 55 | PIDT_ENTRY pidt_entry; 56 | 57 | /* Be sure the IF is clear */ 58 | flags = RegGetFlags(); 59 | RegSetFlags(flags & ~FLAGS_IF_MASK); 60 | 61 | pidt_entry = &((PIDT_ENTRY) (RegGetIdtBase()))[num]; 62 | 63 | /* Restore original flags */ 64 | RegSetFlags(flags); 65 | 66 | return pidt_entry; 67 | } 68 | 69 | void HookIDT(Bit8u entryno, Bit16u selector, void (*handler)(void)) 70 | { 71 | PIDT_ENTRY pidt_entry; 72 | 73 | pidt_entry = GetIDTEntry(entryno); 74 | 75 | __asm__ __volatile__( 76 | "cli\n" 77 | "pushal\n" 78 | 79 | /* Save original CR0 */ 80 | "movl %%cr0,%%eax\n" 81 | "pushl %%eax\n" 82 | 83 | /* Disable memory protection */ 84 | "andl $0xfffeffff,%%eax\n" 85 | "movl %%eax,%%cr0\n" 86 | 87 | /* Recover original interrupt handler */ 88 | "movl %0,%%eax\n" 89 | "movw %1,%%cx\n" 90 | "movl %2,%%ebx\n" 91 | 92 | /* Set the new handler */ 93 | "movw %%ax,(%%ebx)\n" /* LowOffset */ 94 | "shr $16,%%eax\n" 95 | "movw %%ax,6(%%ebx)\n" /* HighOffset */ 96 | "movw %%cx,2(%%ebx)\n" /* Selector */ 97 | 98 | /* Restore original CR0 */ 99 | "popl %%eax\n" 100 | "movl %%eax,%%cr0\n" 101 | 102 | "popal\n" 103 | "sti\n" 104 | ::"m"(handler), "m"(selector), "m"(pidt_entry) 105 | ); 106 | } 107 | -------------------------------------------------------------------------------- /Makefile.windows: -------------------------------------------------------------------------------- 1 | #-*-makefile-*- 2 | .PHONY: all clean hyperdbg 3 | 4 | DEFINE= -DHVM_ARCH_BITS=32 -DENABLE_HYPERDBG \ 5 | -DGUEST_WINDOWS -DWINDOWS_DRIVER \ 6 | -DVIDEO_DEFAULT_RESOLUTION_X=1024 \ 7 | -DVIDEO_DEFAULT_RESOLUTION_Y=768 \ 8 | -DVIDEO_ADDRESS_MANUAL \ 9 | -DENABLE_EPT \ 10 | -DHYPERDBG_VERSION=$(shell date +%Y%m%d) -DGUEST_WIN_7 # COMMENT OUT -DGUEST_WIN_7 TO USE HDBG ON WIN XP 11 | 12 | LD_DRIVER_FLAGS=-s -shared -Wl,--subsystem,native \ 13 | -Wl,--image-base,0x10000 \ 14 | -Wl,--stack,0x40000 -Wl,--file-alignment,0x1000 \ 15 | -Wl,--section-alignment,0x1000 \ 16 | -Wl,--entry,_DriverEntry@8 -nostartfiles \ 17 | -lntoskrnl -lhal -lgcc -lkernel32 \ 18 | -nostdlib 19 | 20 | CFLAGS = -Wno-multichar 21 | 22 | SRCS_ASM = core/i386/io-asm.S \ 23 | core/i386/common-asm.S \ 24 | core/i386/reg-asm.S \ 25 | core/i386/vmx-asm.S 26 | 27 | SRCS_CORE = core/pill_common.c \ 28 | core/pill_windows.c \ 29 | core/vt.c \ 30 | core/comio.c \ 31 | core/snprintf.c \ 32 | core/idt.c \ 33 | core/x86.c \ 34 | core/mmu.c \ 35 | core/winxp.c \ 36 | core/vmmstring.c \ 37 | core/events.c \ 38 | core/common.c \ 39 | core/vmhandlers.c \ 40 | core/vmx.c \ 41 | core/process.c \ 42 | core/network.c \ 43 | core/ept.c 44 | 45 | SRCS_HYPERDBG = hyperdbg/font_256.c \ 46 | hyperdbg/gui.c \ 47 | hyperdbg/hyperdbg_cmd.c \ 48 | hyperdbg/hyperdbg_guest.c \ 49 | hyperdbg/hyperdbg_host.c \ 50 | hyperdbg/hyperdbg_print.c \ 51 | hyperdbg/keyboard.c \ 52 | hyperdbg/pci.c \ 53 | hyperdbg/scancode.c \ 54 | hyperdbg/sw_bp.c \ 55 | hyperdbg/syms.c \ 56 | hyperdbg/symsearch.c \ 57 | hyperdbg/video.c \ 58 | hyperdbg/xpvideo.c \ 59 | hyperdbg/pager.c 60 | 61 | SRCS_LIBUDIS = libudis86/decode.c \ 62 | libudis86/input.c \ 63 | libudis86/itab.c \ 64 | libudis86/syn-att.c \ 65 | libudis86/syn.c \ 66 | libudis86/syn-intel.c \ 67 | libudis86/udis86.c 68 | 69 | OBJS_CORE = $(SRCS_CORE:.c=.o) 70 | OBJS_ASM = $(SRCS_ASM:.S=.o) 71 | OBJS_HYPERDBG = $(SRCS_HYPERDBG:.c=.o) 72 | OBJS_LIBUDIS = $(SRCS_LIBUDIS:.c=.o) 73 | 74 | CC = gcc 75 | 76 | all: hyperdbg 77 | 78 | hyperdbg: hyperdbg.sys 79 | 80 | hyperdbg.sys: core/asm-offset.h $(OBJS_LIBUDIS) $(OBJS_ASM) $(OBJS_CORE) $(OBJS_HYPERDBG) 81 | $(CC) $(DEFINE) -o $@ $^ $(LD_DRIVER_FLAGS) 82 | 83 | core/asm-offset.h: core/asm-offset.s 84 | @(set -e; \ 85 | echo "/*"; \ 86 | echo " * DO NOT MODIFY."; \ 87 | echo " *"; \ 88 | echo " * This file was auto-generated from $<"; \ 89 | echo " *"; \ 90 | echo " */"; \ 91 | echo " "; \ 92 | echo "#ifndef __TEST_H__"; \ 93 | echo "#define __TEST_H__"; \ 94 | echo " "; \ 95 | sed -ne "/^->/{s:^->\([^ ]*\) [\$$#]*\([^ ]*\) \(.*\):#define \1 \2 /* \3 */:; s:->::; p;}"; \ 96 | echo " "; \ 97 | echo "#endif") <$< >$@ 98 | 99 | core/asm-offset.s: core/asm-offset.c 100 | $(CC) $(DEFINE) -S -o $@ $< 101 | 102 | core/i386/%.o: core/i386/%.S 103 | $(CC) $(DEFINE) -c -o $@ $< 104 | 105 | %.o: %.c 106 | $(CC) $(DEFINE) -c -Icore -Ihyperdbg -Ilibudis86 $(CFLAGS) -o $@ $< 107 | 108 | clean: 109 | -rm $(OBJS_LIBUDIS) 110 | -rm $(OBJS_ASM) 111 | -rm $(OBJS_CORE) 112 | -rm $(OBJS_HYPERDBG) 113 | -rm core/asm-offset.h core/asm-offset.s 114 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_guest.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "hyperdbg.h" 26 | #include "hyperdbg_common.h" 27 | #include "hyperdbg_guest.h" 28 | #include "hyperdbg_host.h" 29 | 30 | #ifdef GUEST_WINDOWS 31 | #include "winxp.h" 32 | #elif defined GUEST_LINUX 33 | 34 | #endif 35 | 36 | #include "keyboard.h" 37 | #include "debug.h" 38 | #include "vt.h" 39 | #include "video.h" 40 | #include "mmu.h" 41 | 42 | /* ################# */ 43 | /* #### GLOBALS #### */ 44 | /* ################# */ 45 | 46 | /* This one is also accessed by module hyperdbg_host.c */ 47 | HYPERDBG_STATE hyperdbg_state; 48 | 49 | /* ################ */ 50 | /* #### BODIES #### */ 51 | /* ################ */ 52 | 53 | /* This function gets called when VMX is still off. */ 54 | hvm_status HyperDbgGuestInit(void) 55 | { 56 | hvm_status r; 57 | 58 | /* Initialize the video subsystem */ 59 | if(VideoInit() != HVM_STATUS_SUCCESS) { 60 | GuestLog("[HyperDbg] Video initialization error"); 61 | return HVM_STATUS_UNSUCCESSFUL; 62 | } 63 | 64 | /* Allocate video buffer */ 65 | r = VideoAlloc(); 66 | if(r != HVM_STATUS_SUCCESS) { 67 | GuestLog("[HyperDbg] Cannot initialize video!"); 68 | return HVM_STATUS_UNSUCCESSFUL; 69 | } 70 | 71 | /* Initialize global hyperdbg_state structure fields */ 72 | hyperdbg_state.initialized = TRUE; 73 | hyperdbg_state.enabled = FALSE; 74 | hyperdbg_state.singlestepping = FALSE; 75 | hyperdbg_state.TF_on = FALSE; 76 | hyperdbg_state.IF_on = FALSE; 77 | hyperdbg_state.console_mode = TRUE; 78 | hyperdbg_state.hasPermBP = FALSE; 79 | hyperdbg_state.ntraps = 0; 80 | 81 | /* Init guest-specific fields */ 82 | #ifdef GUEST_WINDOWS 83 | r = WindowsGetKernelBase(&hyperdbg_state.win_state.kernel_base); 84 | if (r != HVM_STATUS_SUCCESS) { 85 | GuestLog("[HyperDbg] Cannot initialize guest-specific variables!"); 86 | return HVM_STATUS_UNSUCCESSFUL; 87 | } 88 | #elif defined GUEST_LINUX 89 | 90 | #else 91 | #error Invalid HyperDBG guest! 92 | #endif 93 | 94 | GuestLog("[HyperDbg] Guest initialization ok!"); 95 | 96 | return HVM_STATUS_SUCCESS; 97 | } 98 | 99 | /* This function finalizes HyperDbg. Can be called both in VMX operation (e.g., 100 | when unloading the driver) and with VMX turned off (e.g., when pill 101 | installation is aborting). It is always invoked in non-root mode. */ 102 | hvm_status HyperDbgGuestFini(void) 103 | { 104 | if(!hyperdbg_state.initialized) return HVM_STATUS_SUCCESS; 105 | 106 | GuestLog("[HyperDbg] Unloading..."); 107 | 108 | /* Deallocate video buffer */ 109 | VideoDealloc(); 110 | 111 | hyperdbg_state.initialized = FALSE; 112 | 113 | return HVM_STATUS_SUCCESS; 114 | } 115 | -------------------------------------------------------------------------------- /hyperdbg/symsearch.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "symsearch.h" 26 | #include "syms.h" 27 | #include "debug.h" 28 | #include "vmmstring.h" 29 | 30 | #define MAX(p,q) (((p) >= (q)) ? (p) : (q)) 31 | 32 | /* ########################## */ 33 | /* #### LOCAL PROTOTYPES #### */ 34 | /* ########################## */ 35 | 36 | static hvm_bool DicotomicSymbolSearch(hvm_address addr, Bit32s start, Bit32s end, Bit32u* index); 37 | 38 | /* ################ */ 39 | /* #### BODIES #### */ 40 | /* ################ */ 41 | 42 | PSYMBOL SymbolGetFromAddress(hvm_address addr) 43 | { 44 | PSYMBOL SearchedSym; 45 | Bit32u index; 46 | if(NOS == 0) { 47 | return NULL; 48 | } 49 | 50 | if(!DicotomicSymbolSearch(addr, 0, NOS-1, &index)) { 51 | SearchedSym = NULL; 52 | } else { 53 | SearchedSym = &syms[index]; 54 | } 55 | 56 | return SearchedSym; 57 | } 58 | 59 | PSYMBOL SymbolGetNearest(hvm_address addr) 60 | { 61 | PSYMBOL SearchedSym; 62 | Bit32u index; 63 | if(NOS == 0) { 64 | return NULL; 65 | } 66 | 67 | DicotomicSymbolSearch(addr, 0, NOS-1, &index); 68 | SearchedSym = &syms[index]; 69 | 70 | return SearchedSym; 71 | } 72 | 73 | /* Unfortunately, the list is sorted on the address, so we have to use a linear 74 | search algotithm */ 75 | PSYMBOL SymbolGetFromName(Bit8u* name) 76 | { 77 | PSYMBOL SearchedSym; 78 | Bit32u index; 79 | 80 | for(index = 0; index < NOS; index++) { 81 | SearchedSym = &syms[index]; 82 | /* we use MAX because we have to check with the longer length, otherwise we 83 | could match, for example, KiFastCallEntry2 when looking for 84 | KiFastCallEntry */ 85 | if(vmm_strncmpi(SearchedSym->name, name, MAX(vmm_strlen(name), vmm_strlen(SearchedSym->name))) == 0) 86 | return SearchedSym; 87 | } 88 | return NULL; 89 | } 90 | 91 | /* Returns TRUE and sets Index to the index of the found entries if 92 | found. Otherwise, returns FALSE and Index is undefined */ 93 | static hvm_bool DicotomicSymbolSearch(hvm_address addr, Bit32s start, Bit32s end, Bit32u* index) 94 | { 95 | Bit32u mid; 96 | PSYMBOL CurrentSym; 97 | 98 | mid = (start+end)/2; 99 | CurrentSym = &syms[mid]; 100 | 101 | while(end >= start) { 102 | if(addr == (CurrentSym->addr + hyperdbg_state.win_state.kernel_base)) { 103 | *index = mid; 104 | return TRUE; 105 | } 106 | 107 | if(addr < (CurrentSym->addr + hyperdbg_state.win_state.kernel_base)) { 108 | end = mid - 1; 109 | } else { 110 | start = mid + 1; 111 | } 112 | 113 | return DicotomicSymbolSearch(addr, start, end, index); 114 | } 115 | 116 | /* Not found! */ 117 | *index = mid; 118 | return FALSE; 119 | } 120 | -------------------------------------------------------------------------------- /core/common.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "common.h" 26 | #include "x86.h" 27 | #include "debug.h" 28 | 29 | /* Set a single bit of a DWORD argument */ 30 | void CmSetBit32(Bit32u* dword, Bit32u bit) 31 | { 32 | Bit32u mask = ( 1 << bit ); 33 | *dword = *dword | mask; 34 | } 35 | 36 | /* Clear a single bit of a DWORD argument */ 37 | void CmClearBit32(Bit32u* dword, Bit32u bit) 38 | { 39 | Bit32u mask = 0xFFFFFFFF; 40 | Bit32u sub = (1 << bit); 41 | mask = mask - sub; 42 | *dword = *dword & mask; 43 | } 44 | 45 | /* Clear a single bit of a WORD argument */ 46 | void CmClearBit16(Bit16u* word, Bit32u bit) 47 | { 48 | Bit16u mask = 0xFFFF; 49 | Bit16u sub = (Bit16u) (1 << bit); 50 | mask = mask - sub; 51 | *word = *word & mask; 52 | } 53 | 54 | int wide2ansi(Bit8u* dst, Bit8u* src, Bit32u n) 55 | { 56 | Bit32u cnt; 57 | 58 | if (!dst || !src) 59 | return -1; 60 | 61 | for (cnt = 0; cnt < n; ++cnt) { 62 | dst[cnt] = src[2*cnt]; 63 | } 64 | 65 | return cnt; 66 | } 67 | 68 | void CmSleep(Bit32u microseconds) 69 | { 70 | // Bit32u v; 71 | 72 | Bit64u t0, t1, cycles; 73 | Bit32u freq; 74 | /* FIXME: get freq dinamically */ 75 | freq = 1000; //*1000*1000; /* 1GHz */ 76 | cycles = microseconds * (freq); 77 | RegRdtsc(&t0); 78 | do { 79 | RegRdtsc(&t1); 80 | } while (t1 < t0 + cycles); 81 | 82 | /* 83 | Int 15h AH=86h 84 | BIOS - WAIT (AT,PS) 85 | 86 | AH = 86h 87 | CX:DX = interval in microseconds 88 | Return: 89 | CF clear if successful (wait interval elapsed) 90 | CF set on error or AH=83h wait already in progress 91 | AH = status (see #00496) 92 | 93 | Note: The resolution of the wait period is 977 microseconds on 94 | many systems because many BIOSes use the 1/1024 second fast 95 | interrupt from the AT real-time clock chip which is available on INT 70; 96 | because newer BIOSes may have much more precise timers available, it is 97 | not possible to use this function accurately for very short delays unless 98 | the precise behavior of the BIOS is known (or found through testing) 99 | */ 100 | 101 | /* while (microseconds) { */ 102 | /* v = microseconds; */ 103 | 104 | /* if (v > 4000000) { */ 105 | /* v = 4000000; */ 106 | /* } */ 107 | 108 | /* __asm { */ 109 | /* push eax; */ 110 | /* push ecx; */ 111 | /* push edx; */ 112 | 113 | /* mov ah, 0x86; */ 114 | /* mov edx, microseconds; */ 115 | 116 | /* mov ecx, edx; */ 117 | /* shr ecx, 16; */ 118 | 119 | /* int 0x15; */ 120 | 121 | /* pop edx; */ 122 | /* pop ecx; */ 123 | /* pop eax; */ 124 | /* }; */ 125 | 126 | /* microseconds -= v; */ 127 | /* } */ 128 | 129 | } 130 | -------------------------------------------------------------------------------- /hyperdbg/tools/symbol2c.py: -------------------------------------------------------------------------------- 1 | """ 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | 10 | This program is free software: you can redistribute it and/or modify it under 11 | the terms of the GNU General Public License as published by the Free Software 12 | Foundation, either version 3 of the License, or (at your option) any later 13 | version. 14 | 15 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 16 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 17 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 18 | 19 | You should have received a copy of the GNU General Public License along with 20 | this program. If not, see . 21 | 22 | """ 23 | 24 | import pdbparse 25 | import sys 26 | 27 | from pdbparse.pe import Sections 28 | from pdbparse.omap import remap,OMAP_ENTRIES 29 | 30 | # add prefixes that you wish to include 31 | filter = ["Ke", "Ki", "Mm", "Zw"] 32 | 33 | class Symbol(): 34 | def __init__(self, name, offset, size): 35 | self.name = name 36 | self.offset = offset 37 | self.size = 0; 38 | 39 | def __cmp__(self, other): 40 | if self.offset < other.offset: 41 | return -1 42 | elif self.offset == other.offset: 43 | return 0 44 | else: 45 | return 1 46 | 47 | def __str__(self): 48 | return "===\nName: %s\nOff: %x" % (self.name, self.offset) 49 | 50 | if __name__ == "__main__": 51 | if len(sys.argv) < 3: 52 | print "Usage: symbol2h.py in.pdb out" 53 | sys.exit(1) 54 | 55 | # load and parse pdb file 56 | pdb = pdbparse.parse(sys.argv[1]) 57 | sects = Sections.parse(pdb.streams[10].data) 58 | gsyms = pdb.streams[pdb.streams[3].gsym_file] 59 | omap = OMAP_ENTRIES.parse(pdb.streams[12].data) 60 | # list to store Symbol objs 61 | syms = [] 62 | i = 0 63 | remapped = 0 64 | # parse symbols 65 | for sym in gsyms.globals: 66 | off = sym.offset 67 | try: 68 | # let's remove some useless stuff 69 | if('?' in sym.name): continue 70 | if('@' == sym.name[0]): continue 71 | if(sym.name.startswith("__imp__")): 72 | sym.name = sym.name[7:] 73 | elif(sym.name.startswith("_")): 74 | sym.name = sym.name[1:] 75 | else: continue 76 | 77 | # check if the symbol name starts with one of the desired prefixes 78 | for prefix in filter: 79 | if(sym.name.startswith(prefix)): 80 | virt_base = sects[sym.segment-1].VirtualAddress 81 | remapped = remap(off+virt_base, omap) 82 | if remapped != 0: 83 | syms.append(Symbol(sym.name, remapped, 0)) 84 | break 85 | 86 | except IndexError, e: # ignore this symbol 87 | print e.__str__() 88 | continue 89 | 90 | # sort symbols by offset 91 | syms.sort() 92 | 93 | # generate .c file 94 | out = open(sys.argv[2]+".c", "w") 95 | out.write("#include \"%s.h\"\n\n" % sys.argv[2]) 96 | out.write("SYMBOL syms[] = {\n") 97 | for i in range(0, len(syms)): 98 | if(i == len(syms)-1): 99 | out.write("{\"%s\", 0x%08x}\n};\n" % (syms[i].name[0:256], syms[i].offset)) 100 | else: 101 | out.write("{\"%s\", 0x%08x},\n" % (syms[i].name[0:256], syms[i].offset)) 102 | out.write("\nconst ULONG NOS = sizeof(syms) / sizeof(SYMBOL);\n"); 103 | out.close() 104 | -------------------------------------------------------------------------------- /core/vt.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _VT_H 26 | #define _VT_H 27 | 28 | #include "types.h" 29 | #include "msr.h" 30 | #include "idt.h" 31 | 32 | #define HVM_DELIVER_NO_ERROR_CODE (-1) 33 | 34 | /* CR access types */ 35 | typedef enum { 36 | VT_CR_ACCESS_WRITE, 37 | VT_CR_ACCESS_READ, 38 | VT_CR_ACCESS_CLTS, 39 | VT_CR_ACCESS_LMSW, 40 | } VtCrAccessType; 41 | 42 | typedef enum { 43 | VT_REGISTER_RAX, 44 | VT_REGISTER_RBX, 45 | VT_REGISTER_RCX, 46 | VT_REGISTER_RDX, 47 | VT_REGISTER_RSP, 48 | VT_REGISTER_RBP, 49 | VT_REGISTER_RSI, 50 | VT_REGISTER_RDI, 51 | VT_REGISTER_R8, 52 | VT_REGISTER_R9, 53 | VT_REGISTER_R10, 54 | VT_REGISTER_R11, 55 | VT_REGISTER_R12, 56 | VT_REGISTER_R13, 57 | VT_REGISTER_R14, 58 | VT_REGISTER_R15, 59 | } VtRegister; 60 | 61 | struct __attribute__((__packed__)) CPU_CONTEXT { 62 | struct __attribute__((__packed__)) { 63 | hvm_address rip; 64 | hvm_address resumerip; 65 | hvm_address rsp; 66 | hvm_address cs; 67 | hvm_address cr0; 68 | hvm_address cr3; 69 | hvm_address cr4; 70 | hvm_address rflags; 71 | 72 | hvm_address rax; 73 | hvm_address rbx; 74 | hvm_address rcx; 75 | hvm_address rdx; 76 | hvm_address rdi; 77 | hvm_address rsi; 78 | hvm_address rbp; 79 | } GuestContext; 80 | }; 81 | 82 | struct HVM_X86_OPS { 83 | /* VT-related */ 84 | hvm_bool (*vt_cpu_has_support)(void); 85 | hvm_bool (*vt_disabled_by_bios)(void); 86 | hvm_bool (*vt_enabled)(void); 87 | hvm_status (*vt_initialize)(void (*idt_initializer)(PIDT_ENTRY)); 88 | hvm_status (*vt_finalize)(void); 89 | void (*vt_launch)(void); 90 | hvm_status (*vt_hardware_enable)(void); 91 | hvm_status (*vt_hardware_disable)(void); 92 | void (*vt_hypercall)(Bit32u num) USESTACK; 93 | 94 | /* These will be removed in a near future... */ 95 | hvm_status (*vt_vmcs_initialize)(hvm_address guest_stack, hvm_address guest_return, hvm_address host_cr3); 96 | Bit32u (*vt_vmcs_read)(Bit32u encoding) USESTACK; 97 | void (*vt_vmcs_write)(Bit32u encoding, Bit32u value) USESTACK; 98 | 99 | void (*vt_set_cr0)(hvm_address cr0); 100 | void (*vt_set_cr3)(hvm_address cr3); 101 | void (*vt_set_cr4)(hvm_address cr4); 102 | 103 | void (*vt_trap_io)(hvm_bool enabled); 104 | Bit32u (*vt_get_exit_instr_len)(void); 105 | 106 | /* Memory management */ 107 | void (*mmu_tlb_flush)(void); 108 | 109 | /* HVM-related */ 110 | void (*hvm_handle_exit)(void); 111 | hvm_status (*hvm_switch_off)(void); 112 | hvm_status (*hvm_update_events)(void); 113 | void (*hvm_inject_hw_exception)(Bit32u type, Bit32u error_code); 114 | }; 115 | 116 | extern struct CPU_CONTEXT context asm("_context"); 117 | extern struct HVM_X86_OPS hvm_x86_ops; 118 | 119 | #endif /* _VT_H */ 120 | -------------------------------------------------------------------------------- /hyperdbg/hyperdbg_print.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _HYPERDBG_PRINT_H 26 | #define _HYPERDBG_PRINT_H 27 | 28 | #include "hyperdbg.h" 29 | #include "network.h" 30 | #include "process.h" 31 | #include "syms.h" 32 | #include "vt.h" /* context */ 33 | #include "hyperdbg_common.h" 34 | 35 | /* ################ */ 36 | /* #### MACROS #### */ 37 | /* ################ */ 38 | 39 | /* Error Codes */ 40 | #define ERROR_MISSING_PARAM -1 41 | #define ERROR_INVALID_SIZE -2 42 | #define ERROR_INVALID_REGISTER -3 43 | #define ERROR_INVALID_ADDR -4 44 | #define ERROR_INVALID_MEMORY -5 45 | #define ERROR_INVALID_SYMBOL -6 46 | 47 | /* Cmd Specific Errors */ 48 | #define ERROR_COMMAND_SPECIFIC -100 49 | #define ERROR_DOUBLED_BP -101 50 | #define ERROR_NOSUCH_BP -102 51 | 52 | #ifdef GUEST_WINDOWS 53 | #include "winxp.h" 54 | #endif 55 | 56 | typedef struct { 57 | hvm_address rax; 58 | hvm_address rbx; 59 | hvm_address rcx; 60 | hvm_address rdx; 61 | hvm_address rsp; 62 | hvm_address rbp; 63 | hvm_address rsi; 64 | hvm_address rdi; 65 | hvm_address rip; 66 | hvm_address resumerip; 67 | hvm_address rflags; 68 | hvm_address cr0; 69 | hvm_address cr3; 70 | hvm_address cr4; 71 | hvm_address cs; 72 | } REGISTERS, *PREGISTERS; 73 | 74 | typedef struct { 75 | hvm_address baseaddr; 76 | hvm_bool with_char_rep; 77 | Bit32u data[512]; 78 | } MEMORYDUMP, *PMEMORYDUMP; 79 | 80 | typedef struct { 81 | PSYMBOL symbol; 82 | Bit32u bp_index; 83 | hvm_address addr; 84 | Bit32s error_code; 85 | hvm_bool isPerm; 86 | hvm_bool isCr3Dipendent; 87 | } BPINFO, *PBINFO; 88 | 89 | typedef struct { 90 | hvm_address addr; 91 | char hexcode[32]; 92 | char asmcode[64]; 93 | char sym_name[64]; 94 | hvm_bool sym_exists; 95 | } INSTRUCTION_DATA, *PINSTRUCTION_DATA; 96 | 97 | typedef struct { 98 | hvm_address Addr; 99 | hvm_address cr3; 100 | hvm_bool isPerm; 101 | hvm_bool isCr3Dipendent; 102 | } BPLIST, *PBLIST; 103 | 104 | typedef struct { 105 | union { 106 | REGISTERS registers; 107 | PROCESS_DATA processes[128]; 108 | MODULE_DATA modules[128]; 109 | SOCKET sockets[128]; 110 | MEMORYDUMP memory_dump; 111 | BPINFO bpinfo; 112 | BPLIST bplist[MAXSWBPS]; 113 | INSTRUCTION_DATA instructions[128]; 114 | }; 115 | } CMD_RESULT, *PCMD_RESULT; 116 | 117 | /* #################### */ 118 | /* #### PROTOTYPES #### */ 119 | /* #################### */ 120 | 121 | void PrintHelp(void); 122 | void PrintRegisters(PCMD_RESULT buffer); 123 | void PrintProcesses(PCMD_RESULT buffer, Bit32s size); 124 | void PrintModules(PCMD_RESULT buffer, Bit32s size); 125 | void PrintSockets(PCMD_RESULT buffer, Bit32s size); 126 | void PrintMemoryDump(PCMD_RESULT buffer, Bit32s size); 127 | void PrintSwBreakpoint(PCMD_RESULT buffer); 128 | void PrintDeleteSwBreakpoint(PCMD_RESULT buffer); 129 | void PrintBPList(PCMD_RESULT buffer); 130 | void PrintDisassembled(PCMD_RESULT buffer, Bit32s size); 131 | void PrintInfo(void); 132 | void PrintUnlinkProc(Bit32s error_code); 133 | void PrintRelinkProc(Bit32s error_code); 134 | void PrintUnknown(void); 135 | 136 | #endif /* _HYPERDBG_PRINT_H */ 137 | -------------------------------------------------------------------------------- /core/events.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _EVENTS_H 26 | #define _EVENTS_H 27 | 28 | #include "types.h" 29 | #include /* Includes size_t type */ 30 | #include "vt.h" /* Includes VtRegister */ 31 | 32 | typedef enum { 33 | EventPublishNone, /* Event not accepted */ 34 | EventPublishHandled, /* The event should not be passed at the next 35 | handler or at the guest OS */ 36 | EventPublishPass, /* The event should be passed on */ 37 | } EVENT_PUBLISH_STATUS; 38 | 39 | /* This structure is the argument that is passed to event handlers */ 40 | typedef struct { 41 | union { 42 | struct { 43 | Bit8u size; 44 | hvm_bool isstring; 45 | hvm_bool isrep; 46 | } EventIO; 47 | #ifdef ENABLE_EPT 48 | struct { 49 | hvm_address guestLinearAddress; 50 | hvm_address guestPhysicalAddress; 51 | hvm_bool is_linear_valid; 52 | hvm_bool in_page_walk; 53 | Bit8u attemptType; /* rwx */ 54 | } EventEPTViolation; 55 | #endif 56 | struct { 57 | Bit8u crno; 58 | hvm_bool iswrite; 59 | VtRegister gpr; 60 | } EventCR; 61 | }; 62 | } EVENT_ARGUMENTS, *PEVENT_ARGUMENTS; 63 | 64 | /* If you add an event type, you must also modify EventCheckCondition() in events.c */ 65 | typedef enum { 66 | EventNone = 0, 67 | EventHypercall, 68 | EventException, 69 | EventIO, 70 | EventControlRegister, 71 | EventHlt, 72 | #ifdef ENABLE_EPT 73 | EventEPTViolation, 74 | #endif 75 | } HVM_EVENT_TYPE; 76 | 77 | typedef EVENT_PUBLISH_STATUS (*EVENT_CALLBACK)(PEVENT_ARGUMENTS); 78 | 79 | #ifdef ENABLE_EPT 80 | typedef struct _EVENT_CONDITION_EPT_VIOLATION { 81 | hvm_bool read; 82 | hvm_bool write; 83 | hvm_bool exec; 84 | hvm_bool is_linear_valid; 85 | hvm_bool in_page_walk; 86 | hvm_bool fill_an_entry; 87 | 88 | } EVENT_CONDITION_EPT_VIOLATION, *PEVENT_CONDITION_EPT_VIOLATION; 89 | #endif 90 | 91 | typedef struct _EVENT_CONDITION_HYPERCALL { 92 | Bit32u hypernum; 93 | } EVENT_CONDITION_HYPERCALL, *PEVENT_CONDITION_HYPERCALL; 94 | 95 | typedef struct _EVENT_CONDITION_EXCEPTION { 96 | Bit32u exceptionnum; 97 | } EVENT_CONDITION_EXCEPTION, *PEVENT_CONDITION_EXCEPTION; 98 | 99 | typedef enum { 100 | EventIODirectionBoth = 0, 101 | EventIODirectionIn, 102 | EventIODirectionOut, 103 | } EVENT_IO_DIRECTION; 104 | 105 | typedef struct _EVENT_CONDITION_IO { 106 | EVENT_IO_DIRECTION direction; 107 | Bit32u portnum; 108 | } EVENT_CONDITION_IO, *PEVENT_CONDITION_IO; 109 | 110 | typedef struct _EVENT_CONDITION_CR { 111 | Bit8u crno; 112 | hvm_bool iswrite; 113 | } EVENT_CONDITION_CR, *PEVENT_CONDITION_CR; 114 | 115 | typedef int EVENT_CONDITION_NONE; 116 | 117 | hvm_status EventInit(void); 118 | hvm_bool EventSubscribe(HVM_EVENT_TYPE type, void* pcondition, int condition_size, EVENT_CALLBACK callback); 119 | hvm_bool EventUnsubscribe(HVM_EVENT_TYPE type, void* pcondition, int condition_size); 120 | hvm_bool EventHasType(HVM_EVENT_TYPE type); 121 | EVENT_PUBLISH_STATUS EventPublish(HVM_EVENT_TYPE type, PEVENT_ARGUMENTS args, void* pcondition, int condition_size); 122 | 123 | void EventUpdateExceptionBitmap(Bit32u* pbitmap); 124 | void EventUpdateIOBitmaps(Bit8u* pIOBitmapA, Bit8u* pIOBitmapB); 125 | 126 | #endif /* _EVENTS_H */ 127 | -------------------------------------------------------------------------------- /core/mmu.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _MMU_H 26 | #define _MMU_H 27 | 28 | #include "types.h" 29 | #include "x86.h" 30 | 31 | /* Memory-management defines */ 32 | #define MMU_PAGE_SIZE 0x1000 33 | #define MMU_PAGE_ALIGN(addr) (((Bit32u) (addr)) & ~(MMU_PAGE_SIZE - 1)) 34 | 35 | #define MMU_PAGE_OFFSET(a) ((hvm_address) (a) - (hvm_address) MMU_PAGE_ALIGN(a)) 36 | 37 | /* **** PAE **** */ 38 | #ifdef ENABLE_PAE 39 | #define LARGEPAGE_SIZE 0x200000 40 | #define CR3_ALIGN(v) ((v) & 0xffffffe0) 41 | 42 | #define VA_TO_PDPTE(a) (((a) & 0xc0000000) >> 30) 43 | #define VA_TO_PDE(a) (((a) & 0x3fe00000) >> 21) 44 | #define VA_TO_PTE(a) (((a) & 0x001ff000) >> 12) 45 | 46 | #define PDE_TO_VA(a) (((a) << 21) & 0x3fe00000) 47 | #define PTE_TO_VA(a) (((a) << 12) & 0x001ff000) 48 | 49 | #define PHY_TO_FRAME(a) ((Bit64u) (((a) >> 12) & 0xfffffffffffff)) 50 | #define PHY_TO_LARGEFRAME(a) ((a) >> 21) 51 | 52 | #define FRAME_TO_PHY(a) ((a) << 12) 53 | #define LARGEFRAME_TO_PHY(a) (((a)>>9) << 21) 54 | 55 | #define PDE_TO_VALID(a) ((hvm_address) (a) & 0x1) 56 | 57 | #define LARGEPAGE_ALIGN(a) ((a) & ~((LARGEPAGE_SIZE)-1)) 58 | #define LARGEPAGE_OFFSET(a) ((hvm_address) (a) - (hvm_address) LARGEPAGE_ALIGN(a)) 59 | 60 | #define READ_PTE(a) *(Bit64u*) (a) 61 | 62 | #else 63 | /* **** Non-PAE **** */ 64 | #define LARGEPAGE_SIZE 0x400000 65 | #define CR3_ALIGN(v) ((v) & 0xfffff000) 66 | 67 | #define VA_TO_PDE(a) (((a) & 0xffc00000) >> 22) 68 | #define VA_TO_PTE(a) (((a) & 0x003ff000) >> 12) 69 | 70 | #define PDE_TO_VA(a) (((a) << 22) & 0xffc00000) 71 | #define PTE_TO_VA(a) (((a) << 12) & 0x003ff000) 72 | 73 | #define PHY_TO_FRAME(a) ((Bit32u) (((a) >> 12) & 0xfffff)) 74 | #define PHY_TO_LARGEFRAME(a) ((a) >> 22) 75 | 76 | #define FRAME_TO_PHY(a) ((a) << 12) 77 | #define LARGEFRAME_TO_PHY(a) (((a)>>10) << 22) 78 | 79 | #define PDE_TO_VALID(a) ((hvm_address) (a) & 0x1) 80 | 81 | #define LARGEPAGE_ALIGN(a) ((a) & ~((LARGEPAGE_SIZE)-1)) 82 | #define LARGEPAGE_OFFSET(a) ((hvm_address) (a) - (hvm_address) LARGEPAGE_ALIGN(a)) 83 | 84 | #define READ_PTE(a) *(Bit32u*) (a) 85 | 86 | #endif /* ENABLE_PAE */ 87 | 88 | hvm_status MmuInit(hvm_address *pcr3); 89 | hvm_status MmuFini(void); 90 | 91 | hvm_status MmuMapPhysicalPage(hvm_phy_address phy, hvm_address* pva, PPTE poriginal); 92 | hvm_status MmuUnmapPhysicalPage(hvm_address va, PTE original); 93 | 94 | hvm_status MmuReadWriteVirtualRegion(hvm_address cr3, hvm_address va, void* buffer, Bit32u size, hvm_bool isWrite); 95 | hvm_status MmuReadWritePhysicalRegion(hvm_phy_address phy, void* buffer, Bit32u size, hvm_bool isWrite); 96 | 97 | hvm_status MmuGetPhysicalAddress(hvm_address cr3, hvm_address va, hvm_phy_address* pphy); 98 | hvm_bool MmuIsAddressValid(hvm_address cr3, hvm_address va); 99 | hvm_bool MmuIsAddressWritable(hvm_address cr3, hvm_address va); 100 | 101 | void MmuVirtToPTE( hvm_address, hvm_address *); 102 | 103 | hvm_address MmuGetHostPT(void); 104 | 105 | #define MmuWriteVirtualRegion(cr3, va, buffer, size) MmuReadWriteVirtualRegion(cr3, va, buffer, size, TRUE) 106 | #define MmuReadVirtualRegion(cr3, va, buffer, size) MmuReadWriteVirtualRegion(cr3, va, buffer, size, FALSE) 107 | 108 | #define MmuWritePhysicalRegion(phy, buffer, size) MmuReadWritePhysicalRegion(phy, buffer, size, TRUE) 109 | #define MmuReadPhysicalRegion(phy, buffer, size) MmuReadWritePhysicalRegion(phy, buffer, size, FALSE) 110 | 111 | #endif /* _MMU_H */ 112 | -------------------------------------------------------------------------------- /core/comio.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | /* kudos to Invisible Things Lab */ 26 | 27 | #include "comio.h" 28 | #include "debug.h" 29 | #include "common.h" 30 | #include "vmmstring.h" 31 | #include "x86.h" 32 | 33 | #define TRANSMIT_HOLDING_REGISTER 0x00 34 | #define RECEIVER_BUFFER_REGISTER 0x00 35 | #define INTERRUPT_ENABLE_REGISTER 0x01 36 | #define INTERRUPT_IDENTIFICATION_REGISTER 0x02 37 | #define LINE_STATUS_REGISTER 0x05 38 | 39 | /* Meaning of the various bits in the LINE_STATUS_REGISTER */ 40 | #define LSR_DATA_AVAILABLE (1 << 0) 41 | #define LSR_OVERRUN_ERROR (1 << 1) 42 | #define LSR_PARITY_ERROR (1 << 2) 43 | #define LSR_FRAMING_ERROR (1 << 3) 44 | #define LSR_BREAK_SIGNAL (1 << 4) 45 | #define LSR_THR_EMPTY (1 << 5) 46 | #define LSR_THR_EMPTY_AND_IDLE (1 << 6) 47 | #define LSR_ERR_DATA (1 << 7) 48 | 49 | /* INTERRUPT_ENABLE_REGISTER bits */ 50 | #define IER_RECEIVED_DATA (1 << 0) 51 | #define IER_TRANSMITTER_EMPTY (1 << 1) 52 | #define IER_RECEIVER_CHANGED (1 << 2) 53 | #define IER_MODEM_CHANGED (1 << 3) 54 | #define IER_SLEEP_MODE (1 << 4) 55 | #define IER_LOW_POWER_MODE (1 << 5) 56 | #define IER_RESERVED1 (1 << 6) 57 | #define IER_RESERVED2 (1 << 7) 58 | 59 | //static Bit16u DebugComPort = 0; 60 | static Bit16u DebugComPort = 0; 61 | static Bit32u ComSpinLock; /* Spin lock that guards accesses to the COM port */ 62 | 63 | void ComInit() 64 | { 65 | #ifdef GUEST_LINUX 66 | /* FIXME: check if serial port has already been initialized */ 67 | /* and restore the original guest encoding (port + 3) upon an enter */ 68 | IoWritePortByte(DebugComPort + 1, 0x00); // Disable all interrupts 69 | IoWritePortByte(DebugComPort + 3, 0x80); // Enable DLAB (set baud rate divisor) 70 | IoWritePortByte(DebugComPort + 0, 0x03); // Set divisor to 3 (lo byte) 38400 baud 71 | IoWritePortByte(DebugComPort + 1, 0x00); // (hi byte) 72 | IoWritePortByte(DebugComPort + 3, 0x03); // 8 bits, no parity, one stop bit 73 | IoWritePortByte(DebugComPort + 2, 0xC7); // Enable FIFO, clear them, with 14-byte threshold 74 | IoWritePortByte(DebugComPort + 4, 0x0B); // IRQs enabled, RTS/DSR set 75 | #else 76 | #warning "Windows serial support is currently not working properly in VmWare Workstation 8" 77 | #endif 78 | 79 | CmInitSpinLock(&ComSpinLock); 80 | 81 | } 82 | 83 | void ComPrint(const char* fmt, ...) 84 | { 85 | va_list args; 86 | char str[768] = {0}; 87 | unsigned int i; 88 | 89 | CmAcquireSpinLock(&ComSpinLock); 90 | 91 | va_start(args, fmt); 92 | vmm_vsnprintf(str, sizeof(str), fmt, args); 93 | va_end(args); 94 | for (i = 0; i < vmm_strlen(str); i++) 95 | PortSendByte(str[i]); 96 | CmReleaseSpinLock(&ComSpinLock); 97 | } 98 | 99 | Bit8u ComIsInitialized() 100 | { 101 | /* Ok, we should also check if ComInit() has been invoked.. but we assume it 102 | has */ 103 | return (DebugComPort != 0); 104 | } 105 | 106 | void PortInit() 107 | { 108 | DebugComPort = COM_PORT_ADDRESS; 109 | } 110 | 111 | void PortSendByte(Bit8u b) 112 | { 113 | /* Empty input buffer */ 114 | while (!(IoReadPortByte(DebugComPort + LINE_STATUS_REGISTER) & LSR_THR_EMPTY)); 115 | 116 | IoWritePortByte(DebugComPort + TRANSMIT_HOLDING_REGISTER, b); 117 | } 118 | 119 | Bit8u PortRecvByte(void) 120 | { 121 | /* Wait until we receive something -- busy waiting!! */ 122 | while ((IoReadPortByte(DebugComPort + LINE_STATUS_REGISTER) & LSR_DATA_AVAILABLE) == 0); 123 | 124 | return IoReadPortByte(DebugComPort + RECEIVER_BUFFER_REGISTER); 125 | } 126 | -------------------------------------------------------------------------------- /core/msr.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #ifndef _PILL_MSR_H 26 | #define _PILL_MSR_H 27 | 28 | #include "common.h" 29 | 30 | #pragma pack (push, 1) 31 | 32 | /* MSRs */ 33 | #define IA32_FEATURE_CONTROL_CODE 0x03A 34 | #define IA32_SYSENTER_CS 0x174 35 | #define IA32_SYSENTER_ESP 0x175 36 | #define IA32_SYSENTER_EIP 0x176 37 | #define IA32_DEBUGCTL 0x1D9 38 | #define IA32_VMX_BASIC_MSR_CODE 0x480 39 | #define IA32_VMX_PINBASED_CTLS 0x481 40 | #define IA32_VMX_PROCBASED_CTLS 0x482 41 | #define IA32_VMX_EXIT_CTLS 0x483 42 | #define IA32_VMX_ENTRY_CTLS 0x484 43 | #define IA32_VMX_MISC 0x485 44 | #define IA32_VMX_CR0_FIXED0 0x486 45 | #define IA32_VMX_CR0_FIXED1 0x487 46 | #define IA32_VMX_CR4_FIXED0 0x488 47 | #define IA32_VMX_CR4_FIXED1 0x489 48 | #define IA32_FS_BASE 0xc0000100 49 | #define IA32_GS_BASE 0xc0000101 50 | 51 | #define MSR_IA32_MTRRCAP 0xfe 52 | #define MSR_IA32_MTRR_DEF_TYPE 0x2ff 53 | #define MSR_IA32_MTRR_PHYSBASE(n) (0x200 + 2*(n)) 54 | #define MSR_IA32_MTRR_PHYSMASK(n) (0x200 + 2*(n) + 1) 55 | #define MSR_IA32_MTRR_FIX64K_00000 0x250 56 | #define MSR_IA32_MTRR_FIX16K_80000 0x258 57 | #define MSR_IA32_MTRR_FIX16K_A0000 0x259 58 | #define MSR_IA32_MTRR_FIX4K_C0000 0x268 59 | #define MSR_IA32_MTRR_FIX4K_C8000 0x269 60 | #define MSR_IA32_MTRR_FIX4K_D0000 0x26a 61 | #define MSR_IA32_MTRR_FIX4K_D8000 0x26b 62 | #define MSR_IA32_MTRR_FIX4K_E0000 0x26c 63 | #define MSR_IA32_MTRR_FIX4K_E8000 0x26d 64 | #define MSR_IA32_MTRR_FIX4K_F0000 0x26e 65 | #define MSR_IA32_MTRR_FIX4K_F8000 0x26f 66 | 67 | /////////// 68 | // MSR // 69 | /////////// 70 | typedef struct _MSR 71 | { 72 | Bit32u Lo; 73 | Bit32u Hi; 74 | } MSR, *PMSR; 75 | 76 | ///////////////////////////// 77 | // SPECIAL MSR REGISTERS // 78 | ///////////////////////////// 79 | typedef struct _IA32_VMX_BASIC_MSR 80 | { 81 | 82 | unsigned RevId :32; // Bits 31...0 contain the VMCS revision identifier 83 | unsigned szVmxOnRegion :12; // Bits 43...32 report # of bytes for VMXON region 84 | unsigned RegionClear :1; // Bit 44 set only if bits 32-43 are clear 85 | unsigned Reserved1 :3; // Undefined 86 | unsigned PhyAddrWidth :1; // Physical address width for referencing VMXON, VMCS, etc. 87 | unsigned DualMon :1; // Reports whether the processor supports dual-monitor 88 | // treatment of SMI and SMM 89 | unsigned MemType :4; // Memory type that the processor uses to access the VMCS 90 | unsigned VmExitReport :1; // Reports weather the procesor reports info in the VM-exit 91 | // instruction information field on VM exits due to execution 92 | // of the INS and OUTS instructions 93 | unsigned Reserved2 :9; // Undefined 94 | 95 | } IA32_VMX_BASIC_MSR; 96 | 97 | 98 | typedef struct _IA32_FEATURE_CONTROL_MSR 99 | { 100 | unsigned Lock :1; // Bit 0 is the lock bit - cannot be modified once lock is set 101 | unsigned Reserved1 :1; // Undefined 102 | unsigned EnableVmxon :1; // Bit 2. If this bit is clear, VMXON causes a general protection exception 103 | unsigned Reserved2 :29; // Undefined 104 | unsigned Reserved3 :32; // Undefined 105 | 106 | } IA32_FEATURE_CONTROL_MSR; 107 | 108 | #pragma pack (pop) 109 | 110 | /* Read MSR register to LARGE_INTEGER variable */ 111 | void USESTACK ReadMSR (Bit32u reg, PMSR msr); 112 | void USESTACK WriteMSR(Bit32u reg, Bit32u highpart, Bit32u lowpart); 113 | 114 | #endif /* _PILL_MSR_H */ 115 | -------------------------------------------------------------------------------- /core/x86.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "types.h" 26 | #include "debug.h" 27 | #include "x86.h" 28 | #include "idt.h" 29 | #include "vmmstring.h" 30 | 31 | #ifdef GUEST_WINDOWS 32 | #include "winxp.h" 33 | #endif 34 | 35 | //////////////////////////////////// 36 | // SEGMENT DESCRIPTOR OPERATORS // 37 | //////////////////////////////////// 38 | 39 | static hvm_status InitializeSegmentSelector(PSEGMENT_SELECTOR SegmentSelector, 40 | Bit16u Selector, Bit32u GdtBase) 41 | { 42 | PSEGMENT_DESCRIPTOR2 SegDesc; 43 | 44 | if (!SegmentSelector) 45 | return HVM_STATUS_INVALID_PARAMETER; 46 | 47 | if (Selector & 0x4) { 48 | Log("InitializeSegmentSelector(): Given selector points to LDT #%.4x\n", Selector); 49 | return HVM_STATUS_INVALID_PARAMETER; 50 | } 51 | 52 | SegDesc = (PSEGMENT_DESCRIPTOR2) ((Bit8u*) GdtBase + (Selector & ~0x7)); 53 | 54 | SegmentSelector->sel = Selector; 55 | SegmentSelector->base = SegDesc->base0 | SegDesc->base1 << 16 | SegDesc->base2 << 24; 56 | SegmentSelector->limit = SegDesc->limit0 | (SegDesc->limit1attr1 & 0xf) << 16; 57 | SegmentSelector->attributes.UCHARs = SegDesc->attr0 | (SegDesc->limit1attr1 & 0xf0) << 4; 58 | 59 | if (!(SegDesc->attr0 & LA_STANDARD)) { 60 | Bit64u tmp; 61 | // this is a TSS or callgate etc, save the base high part 62 | tmp = (*(Bit64u*) ((Bit8u*) SegDesc + 8)); 63 | SegmentSelector->base = (SegmentSelector->base & 0xffffffff) | (tmp << 32); 64 | } 65 | 66 | if (SegmentSelector->attributes.fields.g) { 67 | // 4096-bit granularity is enabled for this segment, scale the limit 68 | SegmentSelector->limit = (SegmentSelector->limit << 12) + 0xfff; 69 | } 70 | 71 | return HVM_STATUS_SUCCESS; 72 | } 73 | 74 | Bit32u GetSegmentDescriptorBase(Bit32u gdt_base, Bit16u seg_selector) 75 | { 76 | Bit32u base = 0; 77 | SEGMENT_DESCRIPTOR segDescriptor = {0}; 78 | 79 | vmm_memcpy(&segDescriptor, (Bit32u *)(gdt_base + (seg_selector >> 3) * 8), 8); 80 | base = segDescriptor.BaseHi; 81 | base <<= 8; 82 | base |= segDescriptor.BaseMid; 83 | base <<= 16; 84 | base |= segDescriptor.BaseLo; 85 | 86 | return base; 87 | } 88 | 89 | Bit32u GetSegmentDescriptorDPL(Bit32u gdt_base, Bit16u seg_selector) 90 | { 91 | SEGMENT_DESCRIPTOR segDescriptor = {0}; 92 | 93 | vmm_memcpy(&segDescriptor, (Bit32u *)(gdt_base + (seg_selector >> 3) * 8), 8); 94 | 95 | return segDescriptor.DPL; 96 | } 97 | 98 | Bit32u GetSegmentDescriptorLimit(Bit32u gdt_base, Bit16u selector) 99 | { 100 | SEGMENT_SELECTOR SegmentSelector = { 0 }; 101 | 102 | InitializeSegmentSelector(&SegmentSelector, selector, gdt_base); 103 | 104 | return SegmentSelector.limit; 105 | } 106 | 107 | Bit32u GetSegmentDescriptorAR(Bit32u gdt_base, Bit16u selector) 108 | { 109 | SEGMENT_SELECTOR SegmentSelector = { 0 }; 110 | Bit32u uAccessRights; 111 | 112 | InitializeSegmentSelector(&SegmentSelector, selector, gdt_base); 113 | 114 | uAccessRights = ((Bit8u*) & SegmentSelector.attributes)[0] + (((Bit8u*) & SegmentSelector.attributes)[1] << 12); 115 | 116 | if (!selector) 117 | uAccessRights |= 0x10000; 118 | 119 | return uAccessRights; 120 | } 121 | 122 | /* This one is Windows (XP?)-dependent, because it must also take into account the 123 | possibility that we are virtualized (see the redpill) */ 124 | Bit32u RegGetIdtBase() 125 | { 126 | IDTR tmp_idt; 127 | Bit32u inmem_base, idtr_base; 128 | inmem_base = 0; 129 | /* Read IDTR */ 130 | __asm__ __volatile__ ( 131 | "sidt %0\n" 132 | :"=m"(tmp_idt) 133 | ::"memory" 134 | ); 135 | idtr_base = (tmp_idt.BaseHi << 16 | tmp_idt.BaseLo); 136 | #ifdef GUEST_WINDOWS 137 | /* Get IDT base from memory */ 138 | 139 | inmem_base = *(Bit32u*) WINDOWS_PIDT_BASE; 140 | if (idtr_base != inmem_base) { 141 | /* Virtualized! */ 142 | } 143 | #endif /* GUEST_WINDOWS */ 144 | 145 | return inmem_base; 146 | } 147 | -------------------------------------------------------------------------------- /hyperdbg/tools/hypergui/loader.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "loader.h" 26 | #include "common.h" 27 | 28 | static char driver_filename[MAX_PATH]; 29 | 30 | DWORD LoaderLoadDriver() 31 | { 32 | DWORD x; 33 | SC_HANDLE hSCM, hService; 34 | 35 | debug("[*] Loading driver: %s", driver_filename); 36 | 37 | hSCM = hService = NULL; 38 | x = ERROR_SUCCESS; 39 | 40 | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 41 | if (!hSCM) { 42 | x = GetLastError(); 43 | ShowError("Unable to open SCManager (error #%d).", (unsigned int) x); 44 | goto end; 45 | } 46 | 47 | hService = CreateService(hSCM, HYPERDBG_SERVICE_NAME, "HyperDbg", 48 | SERVICE_START | DELETE | SERVICE_STOP, SERVICE_KERNEL_DRIVER, 49 | SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, driver_filename, 50 | NULL, NULL, NULL, NULL, NULL); 51 | 52 | if (!hService) { 53 | x = GetLastError(); 54 | ShowError("Unable to create driver service (error #%d).", (unsigned int) x); 55 | goto end; 56 | } 57 | 58 | if (!StartService(hService, 0, NULL)) { 59 | SERVICE_STATUS ss; 60 | 61 | x = GetLastError(); 62 | 63 | ShowError("Unable to start driver service (error #%d).", (unsigned int) x); 64 | 65 | // Cleanup 66 | hService = OpenService(hSCM, HYPERDBG_SERVICE_NAME, SERVICE_START | DELETE | SERVICE_STOP); 67 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 68 | DeleteService(hService); 69 | goto end; 70 | } 71 | 72 | end: 73 | CloseServiceHandle(hService); 74 | CloseServiceHandle(hSCM); 75 | return x; 76 | } 77 | 78 | DWORD LoaderRemoveDriver() 79 | { 80 | DWORD x; 81 | SC_HANDLE hSCM, hService; 82 | SERVICE_STATUS ss; 83 | 84 | hSCM = hService = NULL; 85 | x = ERROR_SUCCESS; 86 | 87 | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 88 | if (!hSCM) { 89 | x = GetLastError(); 90 | ShowError("Unable to open SCManager (error #%d).", (unsigned int) x); 91 | goto end; 92 | } 93 | 94 | hService = OpenService(hSCM, HYPERDBG_SERVICE_NAME, SERVICE_START | DELETE | SERVICE_STOP); 95 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 96 | DeleteService(hService); 97 | 98 | end: 99 | CloseServiceHandle(hService); 100 | CloseServiceHandle(hSCM); 101 | return x; 102 | } 103 | 104 | BOOL LoaderInit() 105 | { 106 | BOOL b; 107 | 108 | /* Just in the case it was already installed.. */ 109 | LoaderRemoveDriver(); 110 | 111 | /* The 'driver_filename' global variable will contain the name of the driver 112 | (.sys file) in Windows system directory */ 113 | GetSystemDirectory(driver_filename, sizeof(driver_filename) - sizeof(HYPERDBG_DRIVER_FILENAME)); 114 | strncat(driver_filename, "\\", sizeof(driver_filename)); 115 | strncat(driver_filename, HYPERDBG_DRIVER_FILENAME, sizeof(driver_filename)); 116 | 117 | 118 | /* Copy the driver to Windows system directory (overwrite if exists) */ 119 | b = CopyFile(HYPERDBG_DRIVER_FILENAME, driver_filename, FALSE); 120 | if (!b) { 121 | GetSystemDirectory(driver_filename, sizeof(driver_filename)); 122 | ShowError("Unable to copy driver file. " 123 | "Check that '%s' exists in the current directory and that you have write access to Windows system directory " 124 | "('%s')\n", HYPERDBG_DRIVER_FILENAME, driver_filename); 125 | return FALSE; 126 | } 127 | 128 | return TRUE; 129 | } 130 | 131 | BOOL LoaderFini() 132 | { 133 | if(!driver_filename[0]) { 134 | /* 'driver_filename' was not initialized. This happens if we invoked 135 | HyperGUI with the '/r' command-line switch */ 136 | GetSystemDirectory(driver_filename, sizeof(driver_filename) - sizeof(HYPERDBG_DRIVER_FILENAME)); 137 | strncat(driver_filename, "\\", sizeof(driver_filename)); 138 | strncat(driver_filename, HYPERDBG_DRIVER_FILENAME, sizeof(driver_filename)); 139 | } 140 | 141 | DeleteFile(driver_filename); 142 | return TRUE; 143 | } 144 | -------------------------------------------------------------------------------- /libudis86/udis86.c: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * udis86.c 3 | * 4 | * Copyright (c) 2004, 2005, 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | 9 | #ifdef GUEST_WINDOWS 10 | #include 11 | #elif defined GUEST_LINUX 12 | #include 13 | #endif 14 | 15 | #include "input.h" 16 | #include "extern.h" 17 | 18 | /* ============================================================================= 19 | * ud_init() - Initializes ud_t object. 20 | * ============================================================================= 21 | */ 22 | extern void 23 | ud_init(struct ud* u) 24 | { 25 | memset((void*)u, 0, sizeof(struct ud)); 26 | ud_set_mode(u, 16); 27 | u->mnemonic = UD_Iinvalid; 28 | ud_set_pc(u, 0); 29 | /* #ifndef __UD_STANDALONE__ */ 30 | /* ud_set_input_file(u, stdin); */ 31 | /* #endif /\* __UD_STANDALONE__ *\/ */ 32 | } 33 | 34 | /* ============================================================================= 35 | * ud_disassemble() - disassembles one instruction and returns the number of 36 | * bytes disassembled. A zero means end of disassembly. 37 | * ============================================================================= 38 | */ 39 | extern unsigned int 40 | ud_disassemble(struct ud* u) 41 | { 42 | if (ud_input_end(u)) 43 | return 0; 44 | 45 | 46 | u->insn_buffer[0] = u->insn_hexcode[0] = 0; 47 | 48 | 49 | if (ud_decode(u) == 0) 50 | return 0; 51 | if (u->translator) 52 | u->translator(u); 53 | return ud_insn_len(u); 54 | } 55 | 56 | /* ============================================================================= 57 | * ud_set_mode() - Set Disassemly Mode. 58 | * ============================================================================= 59 | */ 60 | extern void 61 | ud_set_mode(struct ud* u, uint8_t m) 62 | { 63 | switch(m) { 64 | case 16: 65 | case 32: 66 | case 64: u->dis_mode = m ; return; 67 | default: u->dis_mode = 16; return; 68 | } 69 | } 70 | 71 | /* ============================================================================= 72 | * ud_set_vendor() - Set vendor. 73 | * ============================================================================= 74 | */ 75 | extern void 76 | ud_set_vendor(struct ud* u, unsigned v) 77 | { 78 | switch(v) { 79 | case UD_VENDOR_INTEL: 80 | u->vendor = (uint8_t)v; 81 | break; 82 | default: 83 | u->vendor = UD_VENDOR_AMD; 84 | } 85 | } 86 | 87 | /* ============================================================================= 88 | * ud_set_pc() - Sets code origin. 89 | * ============================================================================= 90 | */ 91 | extern void 92 | ud_set_pc(struct ud* u, uint64_t o) 93 | { 94 | u->pc = o; 95 | } 96 | 97 | /* ============================================================================= 98 | * ud_set_syntax() - Sets the output syntax. 99 | * ============================================================================= 100 | */ 101 | extern void 102 | ud_set_syntax(struct ud* u, void (*t)(struct ud*)) 103 | { 104 | u->translator = t; 105 | } 106 | 107 | /* ============================================================================= 108 | * ud_insn() - returns the disassembled instruction 109 | * ============================================================================= 110 | */ 111 | extern char* 112 | ud_insn_asm(struct ud* u) 113 | { 114 | return u->insn_buffer; 115 | } 116 | 117 | /* ============================================================================= 118 | * ud_insn_offset() - Returns the offset. 119 | * ============================================================================= 120 | */ 121 | extern uint64_t 122 | ud_insn_off(struct ud* u) 123 | { 124 | return u->insn_offset; 125 | } 126 | 127 | 128 | /* ============================================================================= 129 | * ud_insn_hex() - Returns hex form of disassembled instruction. 130 | * ============================================================================= 131 | */ 132 | extern char* 133 | ud_insn_hex(struct ud* u) 134 | { 135 | return u->insn_hexcode; 136 | } 137 | 138 | /* ============================================================================= 139 | * ud_insn_ptr() - Returns code disassembled. 140 | * ============================================================================= 141 | */ 142 | extern uint8_t* 143 | ud_insn_ptr(struct ud* u) 144 | { 145 | return u->inp_sess; 146 | } 147 | 148 | /* ============================================================================= 149 | * ud_insn_len() - Returns the count of bytes disassembled. 150 | * ============================================================================= 151 | */ 152 | extern unsigned int 153 | ud_insn_len(struct ud* u) 154 | { 155 | return u->inp_ctr; 156 | } 157 | -------------------------------------------------------------------------------- /core/i386/reg-asm.S: -------------------------------------------------------------------------------- 1 | // Copyright notice 2 | // ================ 3 | // 4 | // Copyright (C) 2010 5 | // Lorenzo Martignoni 6 | // Roberto Paleari 7 | // Aristide Fattori 8 | // 9 | // This program is free software: you can redistribute it and/or modify it under 10 | // the terms of the GNU General Public License as published by the Free Software 11 | // Foundation, either version 3 of the License, or (at your option) any later 12 | // version. 13 | // 14 | // HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 15 | // WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 16 | // A PARTICULAR PURPOSE. See the GNU General Public License for more details. 17 | // 18 | // You should have received a copy of the GNU General Public License along with 19 | // this program. If not, see . 20 | // 21 | 22 | .text 23 | .globl _RegGetFlags, _RegSetFlags, _RegGetCr0, _RegSetCr0, _RegGetCr2, _RegSetCr2, _RegGetCr3, _RegGetCr4, _RegSetCr4 24 | .globl _ReadMSR, _WriteMSR, _RegGetCs, _RegGetDs, _RegGetEs, _RegGetFs, _RegGetGs, _RegGetSs, _RegGetTr, _RegGetLdtr 25 | .globl _RegSetIdtr, _RegRdtsc 26 | 27 | .globl RegGetFlags, RegSetFlags, RegGetCr0, RegSetCr0, RegGetCr2, RegSetCr2, RegGetCr3, RegGetCr4, RegSetCr4 28 | .globl ReadMSR, WriteMSR, RegGetCs, RegGetDs, RegGetEs, RegGetFs, RegGetGs, RegGetSs, RegGetTr, RegGetLdtr 29 | .globl RegSetIdtr, RegRdtsc 30 | 31 | 32 | RegGetFlags: 33 | _RegGetFlags: 34 | pushfl 35 | popl %eax 36 | ret 37 | 38 | RegSetFlags: 39 | _RegSetFlags: 40 | pushl %ebp 41 | movl %esp,%ebp 42 | pushl %eax 43 | movl 0x8(%ebp),%eax /* _flags */ 44 | pushl %eax 45 | popfl 46 | popl %eax 47 | leave 48 | ret 49 | 50 | RegGetCr0: 51 | _RegGetCr0: 52 | movl %cr0,%eax 53 | ret 54 | 55 | RegSetCr0: 56 | _RegSetCr0: 57 | pushl %ebp 58 | movl %esp,%ebp 59 | pushl %eax 60 | movl 0x8(%ebp),%eax /* _CR0 */ 61 | movl %eax, %cr0 62 | popl %eax 63 | leave 64 | ret 65 | 66 | RegGetCr2: 67 | _RegGetCr2: 68 | movl %cr2,%eax 69 | ret 70 | 71 | RegSetCr2: 72 | _RegSetCr2: 73 | pushl %ebp 74 | movl %esp,%ebp 75 | pushl %eax 76 | movl 0x8(%ebp),%eax /* _CR2 */ 77 | movl %eax,%cr2 78 | popl %eax 79 | leave 80 | ret 81 | 82 | RegGetCr3: 83 | _RegGetCr3: 84 | movl %cr3,%eax 85 | ret 86 | 87 | RegGetCr4: 88 | _RegGetCr4: 89 | movl %cr4,%eax 90 | ret 91 | 92 | RegSetCr4: 93 | _RegSetCr4: 94 | pushl %ebp 95 | movl %esp,%ebp 96 | pushl %eax 97 | movl 0x8(%ebp),%eax /* _CR4 */ 98 | movl %eax,%cr4 99 | popl %eax 100 | leave 101 | ret 102 | 103 | 104 | // Writes the contents of registers EDX:EAX into the 64-bit model specific 105 | // register (MSR) specified in the ECX register. The contents of the EDX 106 | // register are copied to high-order 32 bits of the selected MSR and the 107 | // contents of the EAX register are copied to low-order 32 bits of the MSR. 108 | // msr.Hi <-- EDX 109 | // msr.Lo <-- EAX 110 | // 111 | // 112 | WriteMSR: 113 | _WriteMSR: 114 | pushl %ebp 115 | movl %esp,%ebp 116 | pushal 117 | movl 0x8(%ebp),%ecx /* encoding */ 118 | movl 0xc(%ebp),%edx /* _highpart */ 119 | movl 0x10(%ebp),%eax /* lowpart */ 120 | wrmsr 121 | popal 122 | leave 123 | ret 124 | 125 | RegGetCs: 126 | _RegGetCs: 127 | movw %cs,%ax 128 | ret 129 | 130 | RegGetDs: 131 | _RegGetDs: 132 | movw %ds,%ax 133 | ret 134 | 135 | RegGetEs: 136 | _RegGetEs: 137 | movw %es,%ax 138 | ret 139 | 140 | RegGetFs: 141 | _RegGetFs: 142 | movw %fs,%ax 143 | ret 144 | 145 | RegGetGs: 146 | _RegGetGs: 147 | movw %gs,%ax 148 | ret 149 | 150 | RegGetSs: 151 | _RegGetSs: 152 | movw %ss,%ax 153 | ret 154 | 155 | RegGetTr: 156 | _RegGetTr: 157 | str %ax 158 | ret 159 | 160 | RegGetLdtr: 161 | _RegGetLdtr: 162 | sldt %eax 163 | ret 164 | 165 | 166 | // Loads the contents of a 64-bit model specific register (MSR) specified 167 | // in the ECX register into registers EDX:EAX. The EDX register is loaded 168 | // with the high-order 32 bits of the MSR and the EAX register is loaded 169 | // with the low-order 32 bits. 170 | // msr.Hi --> EDX 171 | // msr.Lo --> EAX 172 | // 173 | ReadMSR: 174 | _ReadMSR: 175 | pushl %ebp 176 | movl %esp,%ebp 177 | pushal 178 | 179 | movl 0x8(%ebp),%ecx /* _reg */ 180 | rdmsr /* MSR[ecx] --> edx:eax */ 181 | movl 0xc(%ebp),%ecx /* _msr */ 182 | movl %eax,(%ecx) 183 | movl %edx,4(%ecx) 184 | 185 | popal 186 | leave 187 | ret 188 | 189 | RegSetIdtr: 190 | _RegSetIdtr: 191 | pushl %ebp 192 | movl %esp,%ebp 193 | pushl %eax 194 | pushl 0x8(%ebp) /* _base */ 195 | shll $16,0xc(%ebp) /* _limit */ 196 | pushl 0xc(%ebp) /* _limit */ 197 | /* FIXME */ 198 | lidt 0x2(%esp) /* fword ptr [esp+2] */ 199 | popl %eax 200 | popl %eax 201 | popl %eax 202 | leave 203 | ret 204 | 205 | RegRdtsc: 206 | _RegRdtsc: 207 | pushl %ebp 208 | movl %esp,%ebp 209 | pushl %eax 210 | pushl %edx 211 | rdtsc 212 | movl 0x8(%ebp),%ecx /* _out */ 213 | movl %eax,(%ecx) 214 | movl %edx,4(%ecx) 215 | popl %edx 216 | popl %eax 217 | leave 218 | ret 219 | -------------------------------------------------------------------------------- /hyperdbg/sw_bp.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "debug.h" 26 | #include "mmu.h" 27 | #include "sw_bp.h" 28 | 29 | #define INT3_OPCODE 0xcc 30 | 31 | typedef struct _SW_BP { 32 | hvm_address Addr; 33 | hvm_address cr3; 34 | Bit8u OldOpcode; 35 | hvm_bool isPerm; 36 | hvm_bool isCr3Dipendent; 37 | } SW_BP, *PSW_BP; 38 | 39 | /* ################# */ 40 | /* #### GLOBALS #### */ 41 | /* ################# */ 42 | 43 | static SW_BP sw_bps[MAXSWBPS]; 44 | 45 | /* ########################## */ 46 | /* #### LOCAL PROTOTYPES #### */ 47 | /* ########################## */ 48 | 49 | Bit32u GetFirstFree(void); 50 | 51 | /* ################ */ 52 | /* #### BODIES #### */ 53 | /* ################ */ 54 | 55 | /* If it returns MAXSWBPS, we have a full-error */ 56 | Bit32u SwBreakpointSet(hvm_address cr3, hvm_address address, hvm_bool isPerm, hvm_bool isCr3Dipendent) 57 | { 58 | Bit32u index; 59 | PSW_BP ptr; 60 | Bit8u op; 61 | hvm_status r; 62 | hvm_address found_cr3; 63 | hvm_bool useless; 64 | 65 | if(SwBreakpointGetBPInfo(cr3, address, &useless, &useless, &found_cr3) && cr3 == found_cr3) 66 | return -1; 67 | 68 | index = GetFirstFree(); 69 | if(index == MAXSWBPS) return MAXSWBPS; 70 | 71 | ptr = &sw_bps[index]; 72 | ptr->Addr = address; 73 | ptr->cr3 = cr3; 74 | ptr->isPerm = isPerm; 75 | ptr->isCr3Dipendent = isCr3Dipendent; 76 | 77 | r = MmuReadVirtualRegion(cr3, address, &(ptr->OldOpcode), sizeof(ptr->OldOpcode)); 78 | if (r != HVM_STATUS_SUCCESS) 79 | return MAXSWBPS; 80 | 81 | op = INT3_OPCODE; 82 | r = MmuWriteVirtualRegion(cr3, address, &op, sizeof(op)); 83 | if (r != HVM_STATUS_SUCCESS) 84 | return MAXSWBPS; 85 | 86 | return index; 87 | } 88 | 89 | hvm_bool SwBreakpointGetBPInfo(hvm_address cr3, hvm_address address, hvm_bool *isCr3Dipendent, hvm_bool *isPerm, hvm_address *ours_cr3) 90 | { 91 | Bit32u i; 92 | 93 | i = 0; 94 | while(i < MAXSWBPS && sw_bps[i].Addr != address) i++; 95 | 96 | if(i == MAXSWBPS) { 97 | /* No breakpoint at this address */ 98 | return FALSE; 99 | } 100 | 101 | *isCr3Dipendent = sw_bps[i].isCr3Dipendent; 102 | *isPerm = sw_bps[i].isPerm; 103 | *ours_cr3 = sw_bps[i].cr3; 104 | return TRUE; 105 | } 106 | 107 | hvm_bool SwBreakpointDeletePerm(hvm_address cr3, hvm_address address) 108 | { 109 | Bit32u i; 110 | PSW_BP ptr; 111 | hvm_status r; 112 | 113 | i = 0; 114 | while(i < MAXSWBPS && (sw_bps[i].Addr != address || (sw_bps[i].isCr3Dipendent && sw_bps[i].cr3 != cr3))) i++; 115 | 116 | /* Restore the old code */ 117 | ptr = &sw_bps[i]; 118 | r = MmuWriteVirtualRegion(cr3, address, &(ptr->OldOpcode), sizeof(ptr->OldOpcode)); 119 | if (r != HVM_STATUS_SUCCESS) 120 | return FALSE; 121 | 122 | return TRUE; 123 | } 124 | 125 | hvm_bool SwBreakpointDelete(hvm_address cr3, hvm_address address) 126 | { 127 | Bit32u i; 128 | PSW_BP ptr; 129 | hvm_status r; 130 | 131 | Log("[HyperDbg] Delete BP (cr3 0x%08hx, addr 0x%08hx)", cr3, address); 132 | 133 | i = 0; 134 | while(i < MAXSWBPS && (sw_bps[i].Addr != address)) i++; 135 | 136 | if(i == MAXSWBPS) { 137 | return FALSE; 138 | } 139 | 140 | /* Restore the old code */ 141 | ptr = &sw_bps[i]; 142 | r = MmuWriteVirtualRegion(cr3, address, &(ptr->OldOpcode), sizeof(ptr->OldOpcode)); 143 | if (r != HVM_STATUS_SUCCESS) 144 | return FALSE; 145 | 146 | ptr->Addr = 0; 147 | ptr->OldOpcode = 0; 148 | ptr->cr3 = 0; 149 | ptr->isCr3Dipendent = FALSE; 150 | ptr->isPerm = FALSE; 151 | 152 | return TRUE; 153 | } 154 | 155 | hvm_bool SwBreakpointDeleteById(hvm_address id) 156 | { 157 | PSW_BP ptr; 158 | hvm_status r; 159 | 160 | if(id >= MAXSWBPS) return FALSE; 161 | ptr = &sw_bps[id]; 162 | if(ptr->Addr == 0) return FALSE; 163 | 164 | r = MmuWriteVirtualRegion(ptr->cr3, ptr->Addr, &(ptr->OldOpcode), sizeof(ptr->OldOpcode)); 165 | if (r != HVM_STATUS_SUCCESS) 166 | return FALSE; 167 | 168 | ptr->Addr = 0; 169 | ptr->OldOpcode = 0; 170 | ptr->cr3 = 0; 171 | ptr->isCr3Dipendent = FALSE; 172 | ptr->isPerm = FALSE; 173 | 174 | return TRUE; 175 | } 176 | 177 | Bit32u GetFirstFree(void) 178 | { 179 | Bit32u i; 180 | i = 0; 181 | while(i < MAXSWBPS && sw_bps[i].Addr != 0) i++; 182 | return i; 183 | } 184 | 185 | void SwBreakpointGetBPList(PCMD_RESULT result) 186 | { 187 | int i; 188 | 189 | for(i = 0; i < MAXSWBPS; i++) { 190 | 191 | (*result).bplist[i].Addr = sw_bps[i].Addr; 192 | (*result).bplist[i].cr3 = sw_bps[i].cr3; 193 | (*result).bplist[i].isPerm = sw_bps[i].isPerm; 194 | (*result).bplist[i].isCr3Dipendent = sw_bps[i].isCr3Dipendent; 195 | } 196 | } 197 | -------------------------------------------------------------------------------- /libudis86/syn-att.c: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * syn-att.c 3 | * 4 | * Copyright (c) 2004, 2005, 2006 Vivek Mohan 5 | * All rights reserved. See (LICENSE) 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | 9 | #include "ltypes.h" 10 | #include "extern.h" 11 | #include "decode.h" 12 | #include "itab.h" 13 | #include "syn.h" 14 | 15 | /* ----------------------------------------------------------------------------- 16 | * opr_cast() - Prints an operand cast. 17 | * ----------------------------------------------------------------------------- 18 | */ 19 | static void 20 | opr_cast(struct ud* u, struct ud_operand* op) 21 | { 22 | switch(op->size) { 23 | case 16 : case 32 : 24 | mkasm(u, "*"); break; 25 | default: break; 26 | } 27 | } 28 | 29 | /* ----------------------------------------------------------------------------- 30 | * gen_operand() - Generates assembly output for each operand. 31 | * ----------------------------------------------------------------------------- 32 | */ 33 | static void 34 | gen_operand(struct ud* u, struct ud_operand* op) 35 | { 36 | switch(op->type) { 37 | case UD_OP_REG: 38 | mkasm(u, "%%%s", ud_reg_tab[op->base - UD_R_AL]); 39 | break; 40 | 41 | case UD_OP_MEM: 42 | if (u->br_far) opr_cast(u, op); 43 | if (u->pfx_seg) 44 | mkasm(u, "%%%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]); 45 | if (op->offset == 8) { 46 | if (op->lval.sbyte < 0) 47 | mkasm(u, "-0x%hx", (-op->lval.sbyte) & 0xff); 48 | else mkasm(u, "0x%hx", op->lval.sbyte); 49 | } 50 | else if (op->offset == 16) 51 | mkasm(u, "0x%hx", op->lval.uword); 52 | else if (op->offset == 32) 53 | mkasm(u, "0x%hx", op->lval.udword); 54 | else if (op->offset == 64) 55 | mkasm(u, "0x" FMT64 "x", op->lval.uqword); 56 | 57 | if (op->base) 58 | mkasm(u, "(%%%s", ud_reg_tab[op->base - UD_R_AL]); 59 | if (op->index) { 60 | if (op->base) 61 | mkasm(u, ","); 62 | else mkasm(u, "("); 63 | mkasm(u, "%%%s", ud_reg_tab[op->index - UD_R_AL]); 64 | } 65 | if (op->scale) 66 | mkasm(u, ",%d", op->scale); 67 | if (op->base || op->index) 68 | mkasm(u, ")"); 69 | break; 70 | 71 | case UD_OP_IMM: 72 | switch (op->size) { 73 | case 8: mkasm(u, "$0x%hx", op->lval.ubyte); break; 74 | case 16: mkasm(u, "$0x%hx", op->lval.uword); break; 75 | case 32: mkasm(u, "$0x%hx", op->lval.udword); break; 76 | case 64: mkasm(u, "$0x" FMT64 "x", op->lval.uqword); break; 77 | default: break; 78 | } 79 | break; 80 | 81 | case UD_OP_JIMM: 82 | switch (op->size) { 83 | case 8: 84 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sbyte); 85 | break; 86 | case 16: 87 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sword); 88 | break; 89 | case 32: 90 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sdword); 91 | break; 92 | default:break; 93 | } 94 | break; 95 | 96 | case UD_OP_PTR: 97 | switch (op->size) { 98 | case 32: 99 | mkasm(u, "$0x%hx, $0x%hx", op->lval.ptr.seg, 100 | op->lval.ptr.off & 0xFFFF); 101 | break; 102 | case 48: 103 | mkasm(u, "$0x%hx, $0x%hx", op->lval.ptr.seg, 104 | op->lval.ptr.off); 105 | break; 106 | } 107 | break; 108 | 109 | default: return; 110 | } 111 | } 112 | 113 | /* ============================================================================= 114 | * translates to AT&T syntax 115 | * ============================================================================= 116 | */ 117 | extern void 118 | ud_translate_att(struct ud *u) 119 | { 120 | int size = 0; 121 | 122 | /* check if P_OSO prefix is used */ 123 | if (! P_OSO(u->itab_entry->prefix) && u->pfx_opr) { 124 | switch (u->dis_mode) { 125 | case 16: 126 | mkasm(u, "o32 "); 127 | break; 128 | case 32: 129 | case 64: 130 | mkasm(u, "o16 "); 131 | break; 132 | } 133 | } 134 | 135 | /* check if P_ASO prefix was used */ 136 | if (! P_ASO(u->itab_entry->prefix) && u->pfx_adr) { 137 | switch (u->dis_mode) { 138 | case 16: 139 | mkasm(u, "a32 "); 140 | break; 141 | case 32: 142 | mkasm(u, "a16 "); 143 | break; 144 | case 64: 145 | mkasm(u, "a32 "); 146 | break; 147 | } 148 | } 149 | 150 | if (u->pfx_lock) 151 | mkasm(u, "lock "); 152 | if (u->pfx_rep) 153 | mkasm(u, "rep "); 154 | if (u->pfx_repne) 155 | mkasm(u, "repne "); 156 | 157 | /* special instructions */ 158 | switch (u->mnemonic) { 159 | case UD_Iretf: 160 | mkasm(u, "lret "); 161 | break; 162 | case UD_Idb: 163 | mkasm(u, ".byte 0x%hx", u->operand[0].lval.ubyte); 164 | return; 165 | case UD_Ijmp: 166 | case UD_Icall: 167 | if (u->br_far) mkasm(u, "l"); 168 | mkasm(u, "%s", ud_lookup_mnemonic(u->mnemonic)); 169 | break; 170 | case UD_Ibound: 171 | case UD_Ienter: 172 | if (u->operand[0].type != UD_NONE) 173 | gen_operand(u, &u->operand[0]); 174 | if (u->operand[1].type != UD_NONE) { 175 | mkasm(u, ","); 176 | gen_operand(u, &u->operand[1]); 177 | } 178 | return; 179 | default: 180 | mkasm(u, "%s", ud_lookup_mnemonic(u->mnemonic)); 181 | } 182 | 183 | if (u->c1) 184 | size = u->operand[0].size; 185 | else if (u->c2) 186 | size = u->operand[1].size; 187 | else if (u->c3) 188 | size = u->operand[2].size; 189 | 190 | if (size == 8) 191 | mkasm(u, "b"); 192 | else if (size == 16) 193 | mkasm(u, "w"); 194 | else if (size == 64) 195 | mkasm(u, "q"); 196 | 197 | mkasm(u, " "); 198 | 199 | if (u->operand[2].type != UD_NONE) { 200 | gen_operand(u, &u->operand[2]); 201 | mkasm(u, ", "); 202 | } 203 | 204 | if (u->operand[1].type != UD_NONE) { 205 | gen_operand(u, &u->operand[1]); 206 | mkasm(u, ", "); 207 | } 208 | 209 | if (u->operand[0].type != UD_NONE) 210 | gen_operand(u, &u->operand[0]); 211 | } 212 | -------------------------------------------------------------------------------- /libudis86/syn-intel.c: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * syn-intel.c 3 | * 4 | * Copyright (c) 2002, 2003, 2004 Vivek Mohan 5 | * All rights reserved. See (LICENSE) 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | 9 | #include "ltypes.h" 10 | #include "extern.h" 11 | #include "decode.h" 12 | #include "itab.h" 13 | #include "syn.h" 14 | 15 | /* ----------------------------------------------------------------------------- 16 | * opr_cast() - Prints an operand cast. 17 | * ----------------------------------------------------------------------------- 18 | */ 19 | static void 20 | opr_cast(struct ud* u, struct ud_operand* op) 21 | { 22 | switch(op->size) { 23 | case 8: mkasm(u, "byte " ); break; 24 | case 16: mkasm(u, "word " ); break; 25 | case 32: mkasm(u, "dword "); break; 26 | case 64: mkasm(u, "qword "); break; 27 | case 80: mkasm(u, "tword "); break; 28 | default: break; 29 | } 30 | if (u->br_far) 31 | mkasm(u, "far "); 32 | else if (u->br_near) 33 | mkasm(u, "near "); 34 | } 35 | 36 | /* ----------------------------------------------------------------------------- 37 | * gen_operand() - Generates assembly output for each operand. 38 | * ----------------------------------------------------------------------------- 39 | */ 40 | static void gen_operand(struct ud* u, struct ud_operand* op, int syn_cast) 41 | { 42 | switch(op->type) { 43 | case UD_OP_REG: 44 | mkasm(u, ud_reg_tab[op->base - UD_R_AL]); 45 | break; 46 | 47 | case UD_OP_MEM: { 48 | 49 | int op_f = 0; 50 | 51 | if (syn_cast) 52 | opr_cast(u, op); 53 | 54 | mkasm(u, "["); 55 | 56 | if (u->pfx_seg) 57 | mkasm(u, "%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]); 58 | 59 | if (op->base) { 60 | mkasm(u, "%s", ud_reg_tab[op->base - UD_R_AL]); 61 | op_f = 1; 62 | } 63 | 64 | if (op->index) { 65 | if (op_f) 66 | mkasm(u, "+"); 67 | mkasm(u, "%s", ud_reg_tab[op->index - UD_R_AL]); 68 | op_f = 1; 69 | } 70 | 71 | if (op->scale) 72 | mkasm(u, "*%d", op->scale); 73 | 74 | if (op->offset == 8) { 75 | if (op->lval.sbyte < 0) 76 | mkasm(u, "-0x%x", -op->lval.sbyte); 77 | else mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.sbyte); 78 | } 79 | else if (op->offset == 16) 80 | mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.uword); 81 | else if (op->offset == 32) { 82 | if (u->adr_mode == 64) { 83 | if (op->lval.sdword < 0) 84 | mkasm(u, "-0x%x", -op->lval.sdword); 85 | else mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.sdword); 86 | } 87 | else mkasm(u, "%s0x%lx", (op_f) ? "+" : "", op->lval.udword); 88 | } 89 | else if (op->offset == 64) 90 | mkasm(u, "%s0x" FMT64 "x", (op_f) ? "+" : "", op->lval.uqword); 91 | 92 | mkasm(u, "]"); 93 | break; 94 | } 95 | 96 | case UD_OP_IMM: 97 | if (syn_cast) opr_cast(u, op); 98 | switch (op->size) { 99 | case 8: mkasm(u, "0x%x", op->lval.ubyte); break; 100 | case 16: mkasm(u, "0x%x", op->lval.uword); break; 101 | case 32: mkasm(u, "0x%lx", op->lval.udword); break; 102 | case 64: mkasm(u, "0x" FMT64 "x", op->lval.uqword); break; 103 | default: break; 104 | } 105 | break; 106 | 107 | case UD_OP_JIMM: 108 | if (syn_cast) opr_cast(u, op); 109 | switch (op->size) { 110 | case 8: 111 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sbyte); 112 | break; 113 | case 16: 114 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sword); 115 | break; 116 | case 32: 117 | mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sdword); 118 | break; 119 | default:break; 120 | } 121 | break; 122 | 123 | case UD_OP_PTR: 124 | switch (op->size) { 125 | case 32: 126 | mkasm(u, "word 0x%x:0x%x", op->lval.ptr.seg, 127 | op->lval.ptr.off & 0xFFFF); 128 | break; 129 | case 48: 130 | mkasm(u, "dword 0x%x:0x%lx", op->lval.ptr.seg, 131 | op->lval.ptr.off); 132 | break; 133 | } 134 | break; 135 | 136 | case UD_OP_CONST: 137 | if (syn_cast) opr_cast(u, op); 138 | mkasm(u, "%d", op->lval.udword); 139 | break; 140 | 141 | default: return; 142 | } 143 | } 144 | 145 | /* ============================================================================= 146 | * translates to intel syntax 147 | * ============================================================================= 148 | */ 149 | extern void ud_translate_intel(struct ud* u) 150 | { 151 | /* -- prefixes -- */ 152 | 153 | /* check if P_OSO prefix is used */ 154 | if (! P_OSO(u->itab_entry->prefix) && u->pfx_opr) { 155 | switch (u->dis_mode) { 156 | case 16: 157 | mkasm(u, "o32 "); 158 | break; 159 | case 32: 160 | case 64: 161 | mkasm(u, "o16 "); 162 | break; 163 | } 164 | } 165 | 166 | /* check if P_ASO prefix was used */ 167 | if (! P_ASO(u->itab_entry->prefix) && u->pfx_adr) { 168 | switch (u->dis_mode) { 169 | case 16: 170 | mkasm(u, "a32 "); 171 | break; 172 | case 32: 173 | mkasm(u, "a16 "); 174 | break; 175 | case 64: 176 | mkasm(u, "a32 "); 177 | break; 178 | } 179 | } 180 | 181 | if (u->pfx_lock) 182 | mkasm(u, "lock "); 183 | if (u->pfx_rep) 184 | mkasm(u, "rep "); 185 | if (u->pfx_repne) 186 | mkasm(u, "repne "); 187 | if (u->implicit_addr && u->pfx_seg) 188 | mkasm(u, "%s ", ud_reg_tab[u->pfx_seg - UD_R_AL]); 189 | 190 | /* print the instruction mnemonic */ 191 | mkasm(u, "%s ", ud_lookup_mnemonic(u->mnemonic)); 192 | 193 | /* operand 1 */ 194 | if (u->operand[0].type != UD_NONE) { 195 | gen_operand(u, &u->operand[0], u->c1); 196 | } 197 | /* operand 2 */ 198 | if (u->operand[1].type != UD_NONE) { 199 | mkasm(u, ", "); 200 | gen_operand(u, &u->operand[1], u->c2); 201 | } 202 | 203 | /* operand 3 */ 204 | if (u->operand[2].type != UD_NONE) { 205 | mkasm(u, ", "); 206 | gen_operand(u, &u->operand[2], u->c3); 207 | } 208 | } 209 | -------------------------------------------------------------------------------- /libudis86/ltypes.h: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * Linux version of types.h 3 | * 4 | * Copyright (c) 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | #ifndef UD_TYPES_H 9 | #define UD_TYPES_H 10 | 11 | #ifdef GUEST_WINDOWS 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | #elif defined GUEST_LINUX 18 | 19 | #include 20 | 21 | #endif 22 | 23 | #ifdef _MSC_VER 24 | # define FMT64 "%I64" 25 | typedef UCHAR uint8_t; 26 | typedef USHORT uint16_t; 27 | typedef ULONG32 uint32_t; 28 | typedef ULONG uint64_t; 29 | typedef CHAR int8_t; 30 | typedef SHORT int16_t; 31 | typedef LONG32 int32_t; 32 | typedef LONG int64_t; 33 | #else 34 | # define FMT64 "%ll" 35 | //# include 36 | #endif 37 | 38 | #include "itab.h" 39 | 40 | /* ----------------------------------------------------------------------------- 41 | * All possible "types" of objects in udis86. Order is Important! 42 | * ----------------------------------------------------------------------------- 43 | */ 44 | enum ud_type 45 | { 46 | UD_NONE, 47 | 48 | /* 8 bit GPRs */ 49 | UD_R_AL, UD_R_CL, UD_R_DL, UD_R_BL, 50 | UD_R_AH, UD_R_CH, UD_R_DH, UD_R_BH, 51 | UD_R_SPL, UD_R_BPL, UD_R_SIL, UD_R_DIL, 52 | UD_R_R8B, UD_R_R9B, UD_R_R10B, UD_R_R11B, 53 | UD_R_R12B, UD_R_R13B, UD_R_R14B, UD_R_R15B, 54 | 55 | /* 16 bit GPRs */ 56 | UD_R_AX, UD_R_CX, UD_R_DX, UD_R_BX, 57 | UD_R_SP, UD_R_BP, UD_R_SI, UD_R_DI, 58 | UD_R_R8W, UD_R_R9W, UD_R_R10W, UD_R_R11W, 59 | UD_R_R12W, UD_R_R13W, UD_R_R14W, UD_R_R15W, 60 | 61 | /* 32 bit GPRs */ 62 | UD_R_EAX, UD_R_ECX, UD_R_EDX, UD_R_EBX, 63 | UD_R_ESP, UD_R_EBP, UD_R_ESI, UD_R_EDI, 64 | UD_R_R8D, UD_R_R9D, UD_R_R10D, UD_R_R11D, 65 | UD_R_R12D, UD_R_R13D, UD_R_R14D, UD_R_R15D, 66 | 67 | /* 64 bit GPRs */ 68 | UD_R_RAX, UD_R_RCX, UD_R_RDX, UD_R_RBX, 69 | UD_R_RSP, UD_R_RBP, UD_R_RSI, UD_R_RDI, 70 | UD_R_R8, UD_R_R9, UD_R_R10, UD_R_R11, 71 | UD_R_R12, UD_R_R13, UD_R_R14, UD_R_R15, 72 | 73 | /* segment registers */ 74 | UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS, 75 | UD_R_FS, UD_R_GS, 76 | 77 | /* control registers*/ 78 | UD_R_CR0, UD_R_CR1, UD_R_CR2, UD_R_CR3, 79 | UD_R_CR4, UD_R_CR5, UD_R_CR6, UD_R_CR7, 80 | UD_R_CR8, UD_R_CR9, UD_R_CR10, UD_R_CR11, 81 | UD_R_CR12, UD_R_CR13, UD_R_CR14, UD_R_CR15, 82 | 83 | /* debug registers */ 84 | UD_R_DR0, UD_R_DR1, UD_R_DR2, UD_R_DR3, 85 | UD_R_DR4, UD_R_DR5, UD_R_DR6, UD_R_DR7, 86 | UD_R_DR8, UD_R_DR9, UD_R_DR10, UD_R_DR11, 87 | UD_R_DR12, UD_R_DR13, UD_R_DR14, UD_R_DR15, 88 | 89 | /* mmx registers */ 90 | UD_R_MM0, UD_R_MM1, UD_R_MM2, UD_R_MM3, 91 | UD_R_MM4, UD_R_MM5, UD_R_MM6, UD_R_MM7, 92 | 93 | /* x87 registers */ 94 | UD_R_ST0, UD_R_ST1, UD_R_ST2, UD_R_ST3, 95 | UD_R_ST4, UD_R_ST5, UD_R_ST6, UD_R_ST7, 96 | 97 | /* extended multimedia registers */ 98 | UD_R_XMM0, UD_R_XMM1, UD_R_XMM2, UD_R_XMM3, 99 | UD_R_XMM4, UD_R_XMM5, UD_R_XMM6, UD_R_XMM7, 100 | UD_R_XMM8, UD_R_XMM9, UD_R_XMM10, UD_R_XMM11, 101 | UD_R_XMM12, UD_R_XMM13, UD_R_XMM14, UD_R_XMM15, 102 | 103 | UD_R_RIP, 104 | 105 | /* Operand Types */ 106 | UD_OP_REG, UD_OP_MEM, UD_OP_PTR, UD_OP_IMM, 107 | UD_OP_JIMM, UD_OP_CONST 108 | }; 109 | 110 | /* ----------------------------------------------------------------------------- 111 | * struct ud_operand - Disassembled instruction Operand. 112 | * ----------------------------------------------------------------------------- 113 | */ 114 | struct ud_operand 115 | { 116 | enum ud_type type; 117 | uint8_t size; 118 | union { 119 | int8_t sbyte; 120 | uint8_t ubyte; 121 | int16_t sword; 122 | uint16_t uword; 123 | int32_t sdword; 124 | uint32_t udword; 125 | int64_t sqword; 126 | uint64_t uqword; 127 | 128 | struct { 129 | uint16_t seg; 130 | uint32_t off; 131 | } ptr; 132 | } lval; 133 | 134 | enum ud_type base; 135 | enum ud_type index; 136 | uint8_t offset; 137 | uint8_t scale; 138 | }; 139 | 140 | /* ----------------------------------------------------------------------------- 141 | * struct ud - The udis86 object. 142 | * ----------------------------------------------------------------------------- 143 | */ 144 | struct ud 145 | { 146 | int (*inp_hook) (struct ud*); 147 | uint8_t inp_curr; 148 | uint8_t inp_fill; 149 | /* FILE* inp_file; */ 150 | uint8_t inp_ctr; 151 | uint8_t* inp_buff; 152 | uint8_t* inp_buff_end; 153 | uint8_t inp_end; 154 | void (*translator)(struct ud*); 155 | uint64_t insn_offset; 156 | char insn_hexcode[32]; 157 | char insn_buffer[64]; 158 | unsigned int insn_fill; 159 | uint8_t dis_mode; 160 | uint64_t pc; 161 | uint8_t vendor; 162 | struct map_entry* mapen; 163 | enum ud_mnemonic_code mnemonic; 164 | struct ud_operand operand[3]; 165 | uint8_t error; 166 | uint8_t pfx_rex; 167 | uint8_t pfx_seg; 168 | uint8_t pfx_opr; 169 | uint8_t pfx_adr; 170 | uint8_t pfx_lock; 171 | uint8_t pfx_rep; 172 | uint8_t pfx_repe; 173 | uint8_t pfx_repne; 174 | uint8_t pfx_insn; 175 | uint8_t default64; 176 | uint8_t opr_mode; 177 | uint8_t adr_mode; 178 | uint8_t br_far; 179 | uint8_t br_near; 180 | uint8_t implicit_addr; 181 | uint8_t c1; 182 | uint8_t c2; 183 | uint8_t c3; 184 | uint8_t inp_cache[256]; 185 | uint8_t inp_sess[64]; 186 | struct ud_itab_entry * itab_entry; 187 | }; 188 | 189 | /* ----------------------------------------------------------------------------- 190 | * Type-definitions 191 | * ----------------------------------------------------------------------------- 192 | */ 193 | typedef enum ud_type ud_type_t; 194 | typedef enum ud_mnemonic_code ud_mnemonic_code_t; 195 | 196 | typedef struct ud ud_t; 197 | typedef struct ud_operand ud_operand_t; 198 | 199 | #define UD_SYN_INTEL ud_translate_intel 200 | #define UD_SYN_ATT ud_translate_att 201 | #define UD_EOI -1 202 | #define UD_INP_CACHE_SZ 32 203 | #define UD_VENDOR_AMD 0 204 | #define UD_VENDOR_INTEL 1 205 | 206 | #define bail_out(ud,error_code) longjmp( (ud)->bailout, error_code ) 207 | #define try_decode(ud) if ( setjmp( (ud)->bailout ) == 0 ) 208 | #define catch_error() else 209 | 210 | #endif 211 | -------------------------------------------------------------------------------- /core/i386/vmx-asm.S: -------------------------------------------------------------------------------- 1 | // Copyright notice 2 | // ================ 3 | // 4 | // Copyright (C) 2010 5 | // Lorenzo Martignoni 6 | // Roberto Paleari 7 | // Aristide Fattori 8 | // 9 | // This program is free software: you can redistribute it and/or modify it under 10 | // the terms of the GNU General Public License as published by the Free Software 11 | // Foundation, either version 3 of the License, or (at your option) any later 12 | // version. 13 | // 14 | // HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 15 | // WARRANTY// without even the implied warranty of MERCHANTABILITY or FITNESS FOR 16 | // A PARTICULAR PURPOSE. See the GNU General Public License for more details. 17 | // 18 | // You should have received a copy of the GNU General Public License along with 19 | // this program. If not, see . 20 | // 21 | 22 | 23 | // MACROS 24 | 25 | .macro invept 26 | .byte 0x66, 0x0F, 0x38, 0x80 27 | .endm 28 | 29 | .macro vmx_call 30 | .byte 0x0F, 0x01, 0xC1 31 | .endm 32 | 33 | .macro vmx_launch 34 | .byte 0x0F, 0x01, 0xC2 35 | .endm 36 | 37 | .macro vmx_resume 38 | .byte 0x0F, 0x01, 0xC3 39 | .endm 40 | 41 | .macro vmx_off 42 | .byte 0x0F, 0x01, 0xC4 43 | .endm 44 | 45 | .macro vmx_ptrld 46 | .byte 0x0F, 0xC7 47 | .endm 48 | 49 | .macro vmx_read 50 | .byte 0x0F, 0x78 51 | .endm 52 | 53 | .macro vmx_write 54 | .byte 0x0F, 0x79 55 | .endm 56 | 57 | .macro vmx_on 58 | .byte 0xF3, 0x0F, 0xC7 59 | .endm 60 | 61 | .macro vmx_clear 62 | .byte 0x66, 0x0F, 0xC7 63 | .endm 64 | 65 | .macro MODRM_EBX_EAX 66 | .byte 0xC3 67 | .endm 68 | 69 | .macro MODRM_EAX_MESP 70 | .byte 0x04, 0x24 71 | .endm 72 | 73 | .macro MODRM_MESP 74 | .byte 0x34, 0x24 75 | .endm 76 | 77 | // ********************************************************************** 78 | 79 | // GCC on windows requires underscores 80 | .data 81 | str: .asciz "REG: %8x\n" 82 | 83 | .text 84 | .globl _VmxLaunch, _VmxTurnOn, _VmxClear, _VmxPtrld, _VmxResume, _VmxTurnOff, _VmxRead, _VmxWrite, _VmxVmCall 85 | .globl _VmxHvmHandleExit, _VmxUpdateGuestContext, _DoStartVT, _NullIDTHandler, _EptInvept 86 | 87 | .globl VmxLaunch, VmxTurnOn, VmxClear, VmxPtrld, VmxResume, VmxTurnOff, VmxRead, VmxWrite, VmxVmCall 88 | .globl VmxHvmHandleExit, VmxUpdateGuestContext, DoStartVT, NullIDTHandler, EptInvept 89 | 90 | #include "../asm-offset.h" 91 | 92 | EptInvept: 93 | _EptInvept: 94 | pushl %ebp 95 | movl %esp,%ebp 96 | movl $0x1, %eax /* INVEPT Type */ 97 | pushl 0x8(%ebp) /* eptp_high */ 98 | pushl 0xc(%ebp) /* eptp_low */ 99 | pushl 0x10(%ebp) /* rsvd_high */ 100 | pushl 0x14(%ebp) /* rsvd_low */ 101 | invept 102 | MODRM_EAX_MESP 103 | leave 104 | ret 105 | 106 | VmxLaunch: 107 | _VmxLaunch: 108 | vmx_launch 109 | ret 110 | 111 | VmxTurnOn: 112 | _VmxTurnOn: 113 | pushl %ebp 114 | movl %esp,%ebp 115 | pushl 0x8(%ebp) /* _phyvmxonhigh */ 116 | pushl 0xc(%ebp) /* _phyvmxonlow */ 117 | vmx_on 118 | MODRM_MESP 119 | /* 120 | Save %eflags in %eax, to return to the caller the effect of vmxon on 121 | control flags 122 | */ 123 | pushfl 124 | popl %eax 125 | addl $8, %esp 126 | leave 127 | ret 128 | 129 | VmxClear: 130 | _VmxClear: 131 | pushl %ebp 132 | movl %esp,%ebp 133 | pushl 0x8(%ebp) /* _phyvmxonhigh */ 134 | pushl 0xc(%ebp) /* _phyvmxonlow */ 135 | vmx_clear 136 | MODRM_MESP 137 | /* 138 | Save %eflags in %eax, to return to the caller the effect of vmclear on 139 | control flags 140 | */ 141 | pushfl 142 | popl %eax 143 | addl $8,%esp 144 | leave 145 | ret 146 | 147 | VmxPtrld: 148 | _VmxPtrld: 149 | pushl %ebp 150 | movl %esp,%ebp 151 | pushl 0x8(%ebp) /* _phyvmxonhigh */ 152 | pushl 0xc(%ebp) /* _phyvmxonlow */ 153 | vmx_ptrld 154 | MODRM_MESP 155 | /* 156 | Save %eflags in %eax, to return to the caller the effect of vmptrld on 157 | control flags 158 | */ 159 | pushfl 160 | popl %eax 161 | addl $8, %esp 162 | leave 163 | ret 164 | 165 | VmxResume: 166 | _VmxResume: 167 | vmx_resume 168 | ret 169 | 170 | VmxTurnOff: 171 | _VmxTurnOff: 172 | vmx_off 173 | ret 174 | 175 | VmxRead: 176 | _VmxRead: 177 | pushl %ebp 178 | movl %esp,%ebp 179 | pushl %ebx 180 | movl 0x8(%ebp),%eax /* _field */ 181 | vmx_read 182 | MODRM_EBX_EAX /* Read value stored in %eax */ 183 | movl %ebx,%eax 184 | popl %ebx 185 | leave 186 | ret 187 | 188 | VmxWrite: 189 | _VmxWrite: 190 | pushl %ebp 191 | movl %esp,%ebp 192 | pushl %eax 193 | pushl 0xc(%ebp) /* _value */ 194 | movl 0x8(%ebp),%eax /* _field */ 195 | vmx_write 196 | MODRM_EAX_MESP /* Read value stored in ecx */ 197 | popl %eax 198 | popl %eax 199 | leave 200 | ret 201 | 202 | VmxVmCall: 203 | _VmxVmCall: 204 | pushl %ebp 205 | movl %esp,%ebp 206 | pushl %eax 207 | movl 0x8(%ebp),%eax /* _HypercallNumber */ 208 | vmx_call 209 | popl %eax 210 | leave 211 | ret 212 | 213 | VmxHvmHandleExit: 214 | _VmxHvmHandleExit: 215 | pushfl 216 | 217 | pushl %ebx 218 | lea (_context),%ebx 219 | movl %eax, CONTEXT_rax(%ebx) 220 | popl %ebx 221 | 222 | pushl %eax 223 | lea (_context),%eax 224 | movl %ebx, CONTEXT_rbx(%eax) 225 | movl %ecx, CONTEXT_rcx(%eax) 226 | movl %edx, CONTEXT_rdx(%eax) 227 | movl %edi, CONTEXT_rdi(%eax) 228 | movl %esi, CONTEXT_rsi(%eax) 229 | movl %ebp, CONTEXT_rbp(%eax) 230 | popl %eax 231 | 232 | movl %esp,%ebp 233 | 234 | call _VmxHvmInternalHandleExit 235 | call _VmxUpdateGuestContext 236 | popfl 237 | call _VmxResume 238 | ret 239 | 240 | // Updates CPU state with the values from the VMCS cache structure. 241 | // NOTE: we update only those registers that are not already present in the 242 | // (hardware) VMCS. 243 | // 244 | VmxUpdateGuestContext: 245 | _VmxUpdateGuestContext: 246 | pushl %ebx 247 | 248 | lea (_context), %ebx 249 | movl CONTEXT_rax(%ebx), %eax 250 | popl %ebx 251 | 252 | pushl %eax 253 | lea (_context), %eax 254 | movl CONTEXT_rbx(%eax), %ebx 255 | movl CONTEXT_rcx(%eax), %ecx 256 | movl CONTEXT_rdx(%eax), %edx 257 | movl CONTEXT_rdi(%eax), %edi 258 | movl CONTEXT_rsi(%eax), %esi 259 | movl CONTEXT_rbp(%eax), %ebp 260 | 261 | popl %eax 262 | ret 263 | 264 | DoStartVT: 265 | _DoStartVT: 266 | cli 267 | movl %esp, _GuestStack 268 | 269 | pushal 270 | popl _EntryRDI 271 | popl _EntryRSI 272 | popl _EntryRBP 273 | popl _EntryRSP 274 | popl _EntryRBX 275 | popl _EntryRDX 276 | popl _EntryRCX 277 | popl _EntryRAX 278 | pushfl 279 | popl _EntryRFlags 280 | 281 | call _StartVT 282 | 283 | pushl _EntryRFlags 284 | popfl 285 | pushl _EntryRAX 286 | pushl _EntryRCX 287 | pushl _EntryRDX 288 | pushl _EntryRBX 289 | pushl _EntryRSP 290 | pushl _EntryRBP 291 | pushl _EntryRSI 292 | pushl _EntryRDI 293 | popal 294 | 295 | sti 296 | movl _GuestStack,%esp 297 | ret 298 | 299 | NullIDTHandler: 300 | _NullIDTHandler: 301 | iret 302 | -------------------------------------------------------------------------------- /hyperdbg/pager.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "pager.h" 26 | #include "gui.h" 27 | #include "video.h" 28 | #include "common.h" 29 | #include "vmmstring.h" 30 | #include "keyboard.h" 31 | #include "debug.h" 32 | 33 | #define PAGES 20 34 | 35 | /* ################# */ 36 | /* #### GLOBALS #### */ 37 | /* ################# */ 38 | 39 | /* PAGES matrix to be printed in the GUI */ 40 | Bit8u pages[PAGES][OUT_SIZE_Y][OUT_SIZE_X]; 41 | Bit32u current_page = 0; 42 | Bit32u current_line = 0; 43 | Bit32u current_visible_page = 0; 44 | /* Set default color */ 45 | Bit32u c = LIGHT_GREEN; 46 | 47 | /* ########################## */ 48 | /* #### LOCAL PROTOTYPES #### */ 49 | /* ########################## */ 50 | 51 | 52 | static void PagerShowPage(Bit32u page); 53 | static void PagerEditGui(void); 54 | static void PagerRestoreGui(void); 55 | static void PagerShowInfo(hvm_bool last); 56 | static void PagerHideInfo(void); 57 | 58 | /* ################ */ 59 | /* #### BODIES #### */ 60 | /* ################ */ 61 | 62 | /* This will be called at the end of PagerLoop so that it cleans out on exit */ 63 | void PagerReset(void) 64 | { 65 | Bit32u i, ii, iii; 66 | 67 | /* Leave last shown page on the console */ 68 | for(ii = 0; ii < OUT_SIZE_Y; ii++) { 69 | vmm_strncpy(out_matrix[ii], pages[current_visible_page][ii], OUT_SIZE_X); 70 | } 71 | 72 | /* Clear pages */ 73 | for(i = 0; i < PAGES; i++) { 74 | for(ii = 0; ii < OUT_SIZE_Y; ii++) { 75 | for(iii = 0; iii < OUT_SIZE_X; iii++) 76 | /* We use spaces to reset as in gui.c */ 77 | pages[i][ii][iii] = ' '; 78 | } 79 | } 80 | current_page = current_line = current_visible_page = 0; 81 | } 82 | 83 | static void PagerShowPage(Bit32u page) 84 | { 85 | Bit32u ii; 86 | 87 | if(page >= PAGES) return; 88 | 89 | /* Copy selected page into out matrix. 90 | Note: we always copy OUT_SIZE_X to eventually overwrite preceding chars */ 91 | for(ii = 0; ii < OUT_SIZE_Y; ii++) 92 | VideoWriteString(pages[page][ii], OUT_SIZE_X, c, OUT_START_X, OUT_START_Y+ii); 93 | 94 | } 95 | 96 | static void PagerEditGui() 97 | { 98 | /* Edit GUI to indicate that we are in pager mode */ 99 | VideoWriteChar('=', WHITE, 3, SHELL_SIZE_Y-3); 100 | VideoWriteChar('[', WHITE, 4, SHELL_SIZE_Y-3); 101 | VideoWriteString("n: next; p: prev; q: quit", 25, LIGHT_BLUE, 5, SHELL_SIZE_Y-3); 102 | VideoWriteChar(']', WHITE, 30, SHELL_SIZE_Y-3); 103 | VideoWriteChar('=', WHITE, 31, SHELL_SIZE_Y-3); 104 | } 105 | 106 | static void PagerRestoreGui() 107 | { 108 | Bit32u i; 109 | 110 | for(i = 1; i < SHELL_SIZE_X-1; i++) { 111 | VideoWriteChar('-', WHITE, i, SHELL_SIZE_Y-3); 112 | } 113 | } 114 | 115 | static void PagerShowInfo(hvm_bool last) 116 | { 117 | Bit32u len; 118 | VideoWriteChar('=', WHITE, 33, SHELL_SIZE_Y-3); 119 | VideoWriteChar('[', WHITE, 34, SHELL_SIZE_Y-3); 120 | if(!last) { 121 | len = 5; 122 | VideoWriteString("START", 5, LIGHT_BLUE, 35, SHELL_SIZE_Y-3); 123 | } 124 | else { 125 | len = 3; 126 | VideoWriteString("END", 3, LIGHT_BLUE, 35, SHELL_SIZE_Y-3); 127 | } 128 | VideoWriteChar(']', WHITE, 35+len, SHELL_SIZE_Y-3); 129 | VideoWriteChar('=', WHITE, 36+len, SHELL_SIZE_Y-3); 130 | } 131 | 132 | static void PagerHideInfo() 133 | { 134 | Bit32u i; 135 | for(i = 32; i < 42; i++) { 136 | VideoWriteChar('-', WHITE, i, SHELL_SIZE_Y-3); 137 | } 138 | } 139 | 140 | void PagerLoop(Bit32u color) 141 | { 142 | Bit8u ch; 143 | hvm_bool isMouse, exitLoop = FALSE; 144 | Bit32u limit = 0; 145 | c = color; 146 | VideoResetOutMatrix(); 147 | /* If there's only one page, there's no need to start the pager */ 148 | if(current_page > 0) { 149 | PagerEditGui(); 150 | current_visible_page = 0; 151 | PagerShowPage(current_visible_page); 152 | PagerShowInfo(FALSE); 153 | 154 | while(1) { 155 | if (KeyboardReadKeystroke(&ch, FALSE, &isMouse) != HVM_STATUS_SUCCESS) { 156 | /* Sleep for some time, just to avoid full busy waiting */ 157 | CmSleep(150); 158 | continue; 159 | } 160 | if (isMouse) { 161 | /* Skip mouse events */ 162 | continue; 163 | } 164 | ch = KeyboardScancodeToKeycode(ch); 165 | 166 | switch(ch) { 167 | case 0: 168 | /* Unrecognized key -- ignore it */ 169 | break; 170 | case 'n': 171 | PagerHideInfo(); 172 | if(current_page == PAGES) limit = current_page - 1; 173 | else limit = current_page; 174 | if(current_visible_page < PAGES-1 && current_visible_page < limit) 175 | PagerShowPage(++current_visible_page); 176 | if(current_visible_page == limit) 177 | PagerShowInfo(TRUE); 178 | break; 179 | case 'p': 180 | PagerHideInfo(); 181 | if(current_visible_page > 0) 182 | PagerShowPage(--current_visible_page); 183 | if(current_visible_page == 0) 184 | PagerShowInfo(FALSE); 185 | break; 186 | case 'q': 187 | exitLoop = TRUE; 188 | break; 189 | default: 190 | break; /* Do nothing */ 191 | } 192 | if(exitLoop) break; 193 | } 194 | PagerRestoreGui(); 195 | } 196 | 197 | PagerReset(); 198 | VideoRefreshOutArea(LIGHT_GREEN); 199 | } 200 | 201 | hvm_bool PagerAddLine(Bit8u *line) 202 | { 203 | Bit32u len; 204 | 205 | /* Perform some checks */ 206 | 207 | /* No more space? */ 208 | if(current_page >= PAGES) return FALSE; 209 | 210 | /* As we take care of checking this at this very function end, if we arrive 211 | here it means something is screwed up */ 212 | if(current_line >= OUT_SIZE_Y) return FALSE; 213 | 214 | len = vmm_strlen(line); 215 | if(len >= OUT_SIZE_X) 216 | len = OUT_SIZE_X - 1; 217 | 218 | vmm_strncpy(pages[current_page][current_line], line, len); 219 | current_line++; 220 | if(current_line >= OUT_SIZE_Y) { 221 | /* Flip one page */ 222 | current_line = 0; 223 | /* The check at the beginning of the function will take care of EOPages */ 224 | current_page++; 225 | } 226 | return TRUE; 227 | } 228 | 229 | -------------------------------------------------------------------------------- /core/pill_linux.c: -------------------------------------------------------------------------------- 1 | /* Copyright notice 2 | ================ 3 | 4 | Copyright (C) 2010 - 2013 5 | Lorenzo Martignoni 6 | Roberto Paleari 7 | Aristide Fattori 8 | Mattia Pagnozzi 9 | 10 | This program is free software: you can redistribute it and/or modify it under 11 | the terms of the GNU General Public License as published by the Free Software 12 | Foundation, either version 3 of the License, or (at your option) any later 13 | version. 14 | 15 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 16 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 17 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 18 | 19 | You should have received a copy of the GNU General Public License along with 20 | this program. If not, see . 21 | 22 | */ 23 | 24 | #include "pill.h" 25 | #include 26 | #include "linux.h" 27 | #include 28 | #include 29 | module_init(DriverEntry); 30 | module_exit(DriverUnload); 31 | 32 | static hvm_bool ScrubTheLaunch = FALSE; 33 | static hvm_address GuestReturn; 34 | static hvm_address HostCR3; 35 | 36 | /* #################### */ 37 | /* #### PROTOTYPES #### */ 38 | /* #################### */ 39 | /* Plugin & guest initialization/finalization */ 40 | static hvm_status InitGuest(void); 41 | static hvm_status FiniGuest(void); 42 | static hvm_status InitPlugin(void); 43 | 44 | /* ################ */ 45 | /* #### BODIES #### */ 46 | /* ################ */ 47 | 48 | void StartVT() 49 | { 50 | // Get the Guest Return RIP. 51 | // 52 | // Hi | | 53 | // +-----------+ 54 | // | RIP | 55 | // +-----------+ <-- ESP after the CALL 56 | // Lo | | 57 | 58 | 59 | GuestReturn = (hvm_address) __builtin_return_address(0); 60 | GuestLog("Guest Return EIP: %.8x", GuestReturn); 61 | GuestLog("Enabling VT mode"); 62 | 63 | /* FIXME: set thread affinity */ 64 | /* const struct cpumask m; */ 65 | /* pid_t p= sys_gettid(); */ 66 | /* if( !sched_setaffinity(p,&m) ) */ 67 | /* goto Abort; */ 68 | 69 | /* GuestLog("Running on Processor #%d", KeGetCurrentProcessorNumber()); */ 70 | 71 | /* Enable VT support */ 72 | if (!HVM_SUCCESS(hvm_x86_ops.vt_hardware_enable())) { 73 | goto Abort; 74 | } 75 | 76 | /* ************************************************* */ 77 | /* **** The processor is now in root operation! **** */ 78 | /* **** No more APIs after this point! **** */ 79 | /* ************************************************* */ 80 | 81 | /* Initialize the VMCS */ 82 | if (!HVM_SUCCESS(hvm_x86_ops.vt_vmcs_initialize(GuestStack, GuestReturn, HostCR3))) 83 | goto Abort; 84 | 85 | /* Update the events that must be handled by the HVM */ 86 | if (!HVM_SUCCESS(hvm_x86_ops.hvm_update_events())) 87 | goto Abort; 88 | 89 | /* LAUNCH! */ 90 | hvm_x86_ops.vt_launch(); 91 | 92 | Log("VMLAUNCH Failure"); 93 | 94 | Abort: 95 | ScrubTheLaunch = TRUE; 96 | 97 | __asm__ __volatile__ ( 98 | "movl %0,%%esp\n" 99 | "jmp *%1\n" 100 | ::"m"(GuestStack),"m"(GuestReturn) 101 | ); 102 | } 103 | 104 | /* Driver unload procedure */ 105 | void __exit DriverUnload(void) 106 | { 107 | ScrubTheLaunch = FALSE; 108 | /* GuestLog("[vmm-unload] Active processor bitmap: %.8x", (ULONG) KeQueryActiveProcessors()); */ 109 | GuestLog("[vmm-unload] Disabling VT mode"); 110 | 111 | /* FIXME: set thread affinity */ 112 | /* const struct cpumask m; */ 113 | /* pid_t p= sys_gettid(); */ 114 | /* sched_setaffinity(p,&m); */ 115 | 116 | FiniPlugin(); /* Finalize plugins */ 117 | FiniGuest(); /* Finalize guest-specific structures */ 118 | 119 | if(hvm_x86_ops.vt_enabled()) { 120 | hvm_x86_ops.vt_hypercall(HYPERCALL_SWITCHOFF); 121 | } 122 | 123 | GuestLog("[vmm-unload] Freeing memory regions"); 124 | 125 | hvm_x86_ops.vt_finalize(); 126 | MmuFini(); /* Finalize the MMU (e.g., deallocate the host's PT) still not used under linux */ 127 | GuestLog("[vmm-unload] Driver unloaded"); 128 | } 129 | 130 | /* Driver entry point */ 131 | int __init DriverEntry(void) 132 | { 133 | CR4_REG cr4; 134 | 135 | /* Initialize debugging port (COM_PORT_ADDRESS, see comio.h) */ 136 | #ifdef DEBUG 137 | PortInit(); 138 | ComInit(); 139 | #endif 140 | 141 | GuestLog("Driver Routines"); 142 | GuestLog("---------------"); 143 | GuestLog(" Driver Entry: %.8x", (hvm_address) DriverEntry); 144 | GuestLog(" StartVT: %.8x", (hvm_address) StartVT); 145 | GuestLog(" VMMEntryPoint: %.8x", (hvm_address) hvm_x86_ops.hvm_handle_exit); 146 | 147 | /* Check if PAE is enabled or not */ 148 | CR4_TO_ULONG(cr4) = RegGetCr4(); 149 | 150 | 151 | if(cr4.PAE) { 152 | GuestLog("ERROR: No support for Linux PAE ATM..."); 153 | goto error; 154 | } 155 | 156 | /* Register event handlers */ 157 | if (!HVM_SUCCESS(RegisterEvents())) { 158 | GuestLog("Failed to register events"); 159 | goto error; 160 | } 161 | 162 | /* Initialize VT */ 163 | if (!HVM_SUCCESS(hvm_x86_ops.vt_initialize(InitVMMIDT))) { 164 | GuestLog("Failed to initialize VT"); 165 | goto error; 166 | } 167 | 168 | #ifdef ENABLE_HYPERDBG 169 | /* Initialize the guest module of HyperDbg */ 170 | if(HyperDbgGuestInit() != HVM_STATUS_SUCCESS) { 171 | GuestLog("ERROR: HyperDbg GUEST initialization error"); 172 | return HVM_STATUS_UNSUCCESSFUL; 173 | } 174 | #endif 175 | 176 | /* Initialize the MMU */ 177 | if (!HVM_SUCCESS(MmuInit(&HostCR3))) { 178 | GuestLog("Failed to initialize MMU"); 179 | goto error; 180 | } 181 | GuestLog("Using private CR3: %08x", HostCR3); 182 | 183 | /* Initialize guest-specific stuff */ 184 | if (!HVM_SUCCESS(InitGuest())) { 185 | GuestLog("Failed to initialize guest-specific stuff"); 186 | goto error; 187 | } 188 | 189 | /* Initialize plugins */ 190 | if (!HVM_SUCCESS(InitPlugin())) { 191 | GuestLog("Failed to initialize plugin"); 192 | goto error; 193 | } 194 | 195 | if (!HVM_SUCCESS(LinuxInitStructures())) { 196 | GuestLog("Failed to initialize data structures"); 197 | goto error; 198 | } 199 | 200 | DoStartVT(); 201 | 202 | if(ScrubTheLaunch == TRUE){ 203 | GuestLog("ERROR: Launch aborted"); 204 | goto error; 205 | } 206 | 207 | GuestLog("VM is now executing"); 208 | 209 | return STATUS_SUCCESS; 210 | 211 | error: 212 | 213 | /* Cleanup & return an error code */ 214 | FiniPlugin(); 215 | 216 | hvm_x86_ops.vt_finalize(); 217 | 218 | return STATUS_UNSUCCESSFUL; 219 | } 220 | 221 | static hvm_status InitPlugin(void) 222 | { 223 | #ifdef ENABLE_HYPERDBG 224 | /* Initialize the host module of HyperDbg */ 225 | if(HyperDbgHostInit() != HVM_STATUS_SUCCESS) { 226 | GuestLog("ERROR: HyperDbg HOST initialization error"); 227 | return HVM_STATUS_UNSUCCESSFUL; 228 | } 229 | #endif 230 | 231 | return HVM_STATUS_SUCCESS; 232 | } 233 | 234 | static hvm_status InitGuest(void) 235 | { 236 | return HVM_STATUS_SUCCESS; 237 | } 238 | 239 | static hvm_status FiniGuest(void) 240 | { 241 | return HVM_STATUS_SUCCESS; 242 | } 243 | -------------------------------------------------------------------------------- /hyperdbg/scancode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright notice 3 | ================ 4 | 5 | Copyright (C) 2010 - 2013 6 | Lorenzo Martignoni 7 | Roberto Paleari 8 | Aristide Fattori 9 | Mattia Pagnozzi 10 | 11 | This program is free software: you can redistribute it and/or modify it under 12 | the terms of the GNU General Public License as published by the Free Software 13 | Foundation, either version 3 of the License, or (at your option) any later 14 | version. 15 | 16 | HyperDbg is distributed in the hope that it will be useful, but WITHOUT ANY 17 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 18 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License along with 21 | this program. If not, see . 22 | 23 | */ 24 | 25 | #include "scancode.h" 26 | #include "vmmstring.h" 27 | 28 | #define SCANCODE_CURSORUP 72 /* Principal cursor keys */ 29 | #define SCANCODE_CURSORLEFT 75 /* (on numeric keypad) */ 30 | #define SCANCODE_CURSORRIGHT 77 31 | #define SCANCODE_CURSORDOWN 80 32 | 33 | #define SCANCODE_CURSORUPLEFT 71 /* Diagonal keypad keys */ 34 | #define SCANCODE_CURSORUPRIGHT 73 35 | #define SCANCODE_CURSORDOWNLEFT 79 36 | #define SCANCODE_CURSORDOWNRIGHT 81 37 | 38 | #define SCANCODE_CURSORBLOCKUP 103 /* Cursor key block */ 39 | #define SCANCODE_CURSORBLOCKLEFT 105 40 | #define SCANCODE_CURSORBLOCKRIGHT 106 41 | #define SCANCODE_CURSORBLOCKDOWN 108 42 | 43 | #define SCANCODE_KEYPAD0 82 44 | #define SCANCODE_KEYPAD1 79 45 | #define SCANCODE_KEYPAD2 80 46 | #define SCANCODE_KEYPAD3 81 47 | #define SCANCODE_KEYPAD4 75 48 | #define SCANCODE_KEYPAD5 76 49 | #define SCANCODE_KEYPAD6 77 50 | #define SCANCODE_KEYPAD7 71 51 | #define SCANCODE_KEYPAD8 72 52 | #define SCANCODE_KEYPAD9 73 53 | #define SCANCODE_KEYPADENTER 96 54 | #define SCANCODE_KEYPADPLUS 78 55 | #define SCANCODE_KEYPADMINUS 74 56 | 57 | #define SCANCODE_Q 16 58 | #define SCANCODE_W 17 59 | #define SCANCODE_E 18 60 | #define SCANCODE_R 19 61 | #define SCANCODE_T 20 62 | #define SCANCODE_Y 21 63 | #define SCANCODE_U 22 64 | #define SCANCODE_I 23 65 | #define SCANCODE_O 24 66 | #define SCANCODE_P 25 67 | #define SCANCODE_A 30 68 | #define SCANCODE_S 31 69 | #define SCANCODE_D 32 70 | #define SCANCODE_F 33 71 | #define SCANCODE_G 34 72 | #define SCANCODE_H 35 73 | #define SCANCODE_J 36 74 | #define SCANCODE_K 37 75 | #define SCANCODE_L 38 76 | #define SCANCODE_Z 44 77 | #define SCANCODE_X 45 78 | #define SCANCODE_C 46 79 | #define SCANCODE_V 47 80 | #define SCANCODE_B 48 81 | #define SCANCODE_N 49 82 | #define SCANCODE_M 50 83 | 84 | #define SCANCODE_FSLASH 53 85 | #define SCANCODE_BSLASH 43 86 | 87 | #define SCANCODE_ESCAPE 1 88 | #define SCANCODE_ENTER 28 89 | #define SCANCODE_RIGHTCONTROL 97 90 | #define SCANCODE_CONTROL 97 91 | #define SCANCODE_RIGHTALT 100 92 | #define SCANCODE_LEFTCONTROL 29 93 | #define SCANCODE_LEFTALT 56 94 | 95 | #define SCANCODE_SPACE 57 96 | #define SCANCODE_LEFTSHIFT 42 97 | #define SCANCODE_RIGHTSHIFT 54 98 | #define SCANCODE_TAB 15 99 | #define SCANCODE_CAPSLOCK 58 100 | #define SCANCODE_BACKSPACE 14 101 | 102 | #define SCANCODE_F1 59 103 | #define SCANCODE_F2 60 104 | #define SCANCODE_F3 61 105 | #define SCANCODE_F4 62 106 | #define SCANCODE_F5 63 107 | #define SCANCODE_F6 64 108 | #define SCANCODE_F7 65 109 | #define SCANCODE_F8 66 110 | #define SCANCODE_F9 67 111 | #define SCANCODE_F10 68 112 | #define SCANCODE_F11 87 113 | #define SCANCODE_F12 88 114 | 115 | #define SCANCODE_1 2 116 | #define SCANCODE_2 3 117 | #define SCANCODE_3 4 118 | #define SCANCODE_4 5 119 | #define SCANCODE_5 6 120 | #define SCANCODE_6 7 121 | #define SCANCODE_7 8 122 | #define SCANCODE_8 9 123 | #define SCANCODE_9 10 124 | #define SCANCODE_0 11 125 | 126 | #define SCANCODE_DASH 12 127 | #define SCANCODE_EQUAL 13 128 | 129 | #define SCANCODE_PAGEUP 104 130 | #define SCANCODE_PAGEDOWN 109 131 | #define SCANCODE_HOME 102 132 | #define SCANCODE_END 107 133 | #define SCANCODE_INSERT 110 134 | #define SCANCODE_DELETE 111 135 | 136 | #define SCANCODE_COMMA 51 137 | #define SCANCODE_POINT 52 138 | 139 | char scancodes_map[255]; 140 | 141 | void init_scancodes_map(void) 142 | { 143 | vmm_memset(scancodes_map, 0, sizeof(scancodes_map)); 144 | 145 | scancodes_map[SCANCODE_KEYPAD0] = '0'; 146 | scancodes_map[SCANCODE_KEYPAD1] = '1'; 147 | scancodes_map[SCANCODE_KEYPAD2] = '2'; 148 | scancodes_map[SCANCODE_KEYPAD3] = '3'; 149 | scancodes_map[SCANCODE_KEYPAD4] = '4'; 150 | scancodes_map[SCANCODE_KEYPAD5] = '5'; 151 | scancodes_map[SCANCODE_KEYPAD6] = '6'; 152 | scancodes_map[SCANCODE_KEYPAD7] = '7'; 153 | scancodes_map[SCANCODE_KEYPAD8] = '8'; 154 | scancodes_map[SCANCODE_KEYPAD9] = '9'; 155 | scancodes_map[SCANCODE_KEYPADPLUS] = '+'; 156 | scancodes_map[SCANCODE_KEYPADMINUS] = '-'; 157 | 158 | scancodes_map[SCANCODE_0] = '0'; 159 | scancodes_map[SCANCODE_1] = '1'; 160 | scancodes_map[SCANCODE_2] = '2'; 161 | scancodes_map[SCANCODE_3] = '3'; 162 | scancodes_map[SCANCODE_4] = '4'; 163 | scancodes_map[SCANCODE_5] = '5'; 164 | scancodes_map[SCANCODE_6] = '6'; 165 | scancodes_map[SCANCODE_7] = '7'; 166 | scancodes_map[SCANCODE_8] = '8'; 167 | scancodes_map[SCANCODE_9] = '9'; 168 | 169 | scancodes_map[SCANCODE_Q] = 'q'; 170 | scancodes_map[SCANCODE_W] = 'w'; 171 | scancodes_map[SCANCODE_E] = 'e'; 172 | scancodes_map[SCANCODE_R] = 'r'; 173 | scancodes_map[SCANCODE_T] = 't'; 174 | scancodes_map[SCANCODE_Y] = 'y'; 175 | scancodes_map[SCANCODE_U] = 'u'; 176 | scancodes_map[SCANCODE_I] = 'i'; 177 | scancodes_map[SCANCODE_O] = 'o'; 178 | scancodes_map[SCANCODE_P] = 'p'; 179 | scancodes_map[SCANCODE_A] = 'a'; 180 | scancodes_map[SCANCODE_S] = 's'; 181 | scancodes_map[SCANCODE_D] = 'd'; 182 | scancodes_map[SCANCODE_F] = 'f'; 183 | scancodes_map[SCANCODE_G] = 'g'; 184 | scancodes_map[SCANCODE_H] = 'h'; 185 | scancodes_map[SCANCODE_J] = 'j'; 186 | scancodes_map[SCANCODE_K] = 'k'; 187 | scancodes_map[SCANCODE_L] = 'l'; 188 | scancodes_map[SCANCODE_Z] = 'z'; 189 | scancodes_map[SCANCODE_X] = 'x'; 190 | scancodes_map[SCANCODE_C] = 'c'; 191 | scancodes_map[SCANCODE_V] = 'v'; 192 | scancodes_map[SCANCODE_B] = 'b'; 193 | scancodes_map[SCANCODE_N] = 'n'; 194 | scancodes_map[SCANCODE_M] = 'm'; 195 | 196 | scancodes_map[SCANCODE_SPACE] = ' '; 197 | scancodes_map[SCANCODE_TAB] = '\t'; 198 | scancodes_map[SCANCODE_ENTER] = '\n'; 199 | scancodes_map[SCANCODE_COMMA] = ','; 200 | scancodes_map[SCANCODE_POINT] = '.'; 201 | scancodes_map[SCANCODE_FSLASH] = '\\'; 202 | scancodes_map[SCANCODE_BSLASH] = '/'; 203 | scancodes_map[SCANCODE_BACKSPACE] = '\b'; 204 | scancodes_map[SCANCODE_EQUAL] = '='; 205 | 206 | scancodes_map[SCANCODE_CURSORUP] = 0x3; 207 | scancodes_map[SCANCODE_CURSORDOWN] = 0x4; 208 | } 209 | -------------------------------------------------------------------------------- /libudis86/input.c: -------------------------------------------------------------------------------- 1 | /* ----------------------------------------------------------------------------- 2 | * input.c 3 | * 4 | * Copyright (c) 2004, 2005, 2006, Vivek Mohan 5 | * All rights reserved. See LICENSE 6 | * ----------------------------------------------------------------------------- 7 | */ 8 | #include "extern.h" 9 | #include "ltypes.h" 10 | #include "input.h" 11 | 12 | /* ----------------------------------------------------------------------------- 13 | * inp_buff_hook() - Hook for buffered inputs. 14 | * ----------------------------------------------------------------------------- 15 | */ 16 | static int 17 | inp_buff_hook(struct ud* u) 18 | { 19 | if (u->inp_buff < u->inp_buff_end) 20 | return *u->inp_buff++; 21 | else return -1; 22 | } 23 | 24 | #ifndef __UD_STANDALONE__ 25 | /* ----------------------------------------------------------------------------- 26 | * inp_file_hook() - Hook for FILE inputs. 27 | * ----------------------------------------------------------------------------- 28 | */ 29 | /* static int */ 30 | /* inp_file_hook(struct ud* u) */ 31 | /* { */ 32 | /* return fgetc(u->inp_file); */ 33 | /* } */ 34 | #endif /* __UD_STANDALONE__*/ 35 | 36 | /* ============================================================================= 37 | * ud_inp_set_hook() - Sets input hook. 38 | * ============================================================================= 39 | */ 40 | extern void 41 | ud_set_input_hook(register struct ud* u, int (*hook)(struct ud*)) 42 | { 43 | u->inp_hook = hook; 44 | inp_init(u); 45 | } 46 | 47 | /* ============================================================================= 48 | * ud_inp_set_buffer() - Set buffer as input. 49 | * ============================================================================= 50 | */ 51 | extern void 52 | ud_set_input_buffer(register struct ud* u, uint8_t* buf, size_t len) 53 | { 54 | u->inp_hook = inp_buff_hook; 55 | u->inp_buff = buf; 56 | u->inp_buff_end = buf + len; 57 | inp_init(u); 58 | } 59 | 60 | /* #ifndef __UD_STANDALONE__ */ 61 | /* ============================================================================= 62 | * ud_input_set_file() - Set buffer as input. 63 | * ============================================================================= 64 | */ 65 | /* extern void */ 66 | /* ud_set_input_file(register struct ud* u, FILE* f) */ 67 | /* { */ 68 | /* u->inp_hook = inp_file_hook; */ 69 | /* u->inp_file = f; */ 70 | /* inp_init(u); */ 71 | /* } */ 72 | /* #endif /\* __UD_STANDALONE__ *\/ */ 73 | 74 | /* ============================================================================= 75 | * ud_input_skip() - Skip n input bytes. 76 | * ============================================================================= 77 | */ 78 | extern void 79 | ud_input_skip(struct ud* u, size_t n) 80 | { 81 | while (n--) { 82 | u->inp_hook(u); 83 | } 84 | } 85 | 86 | /* ============================================================================= 87 | * ud_input_end() - Test for end of input. 88 | * ============================================================================= 89 | */ 90 | extern int 91 | ud_input_end(struct ud* u) 92 | { 93 | return (u->inp_curr == u->inp_fill) && u->inp_end; 94 | } 95 | 96 | /* ----------------------------------------------------------------------------- 97 | * inp_next() - Loads and returns the next byte from input. 98 | * 99 | * inp_curr and inp_fill are pointers to the cache. The program is written based 100 | * on the property that they are 8-bits in size, and will eventually wrap around 101 | * forming a circular buffer. So, the size of the cache is 256 in size, kind of 102 | * unnecessary yet optimized. 103 | * 104 | * A buffer inp_sess stores the bytes disassembled for a single session. 105 | * ----------------------------------------------------------------------------- 106 | */ 107 | extern uint8_t inp_next(struct ud* u) 108 | { 109 | int c = -1; 110 | /* if current pointer is not upto the fill point in the 111 | * input cache. 112 | */ 113 | if ( u->inp_curr != u->inp_fill ) { 114 | c = u->inp_cache[ ++u->inp_curr ]; 115 | /* if !end-of-input, call the input hook and get a byte */ 116 | } else if ( u->inp_end || ( c = u->inp_hook( u ) ) == -1 ) { 117 | /* end-of-input, mark it as an error, since the decoder, 118 | * expected a byte more. 119 | */ 120 | u->error = 1; 121 | /* flag end of input */ 122 | u->inp_end = 1; 123 | return 0; 124 | } else { 125 | /* increment pointers, we have a new byte. */ 126 | u->inp_curr = ++u->inp_fill; 127 | /* add the byte to the cache */ 128 | u->inp_cache[ u->inp_fill ] = (uint8_t)c; 129 | } 130 | /* record bytes input per decode-session. */ 131 | u->inp_sess[ u->inp_ctr++ ] = (uint8_t)c; 132 | /* return byte */ 133 | return ( uint8_t ) c; 134 | } 135 | 136 | /* ----------------------------------------------------------------------------- 137 | * inp_back() - Move back a single byte in the stream. 138 | * ----------------------------------------------------------------------------- 139 | */ 140 | extern void 141 | inp_back(struct ud* u) 142 | { 143 | if ( u->inp_ctr > 0 ) { 144 | --u->inp_curr; 145 | --u->inp_ctr; 146 | } 147 | } 148 | 149 | /* ----------------------------------------------------------------------------- 150 | * inp_peek() - Peek into the next byte in source. 151 | * ----------------------------------------------------------------------------- 152 | */ 153 | extern uint8_t 154 | inp_peek(struct ud* u) 155 | { 156 | uint8_t r = inp_next(u); 157 | if ( !u->error ) inp_back(u); /* Don't backup if there was an error */ 158 | return r; 159 | } 160 | 161 | /* ----------------------------------------------------------------------------- 162 | * inp_move() - Move ahead n input bytes. 163 | * ----------------------------------------------------------------------------- 164 | */ 165 | extern void 166 | inp_move(struct ud* u, size_t n) 167 | { 168 | while (n--) 169 | inp_next(u); 170 | } 171 | 172 | /*------------------------------------------------------------------------------ 173 | * inp_uintN() - return uintN from source. 174 | *------------------------------------------------------------------------------ 175 | */ 176 | extern uint8_t 177 | inp_uint8(struct ud* u) 178 | { 179 | return inp_next(u); 180 | } 181 | 182 | extern uint16_t 183 | inp_uint16(struct ud* u) 184 | { 185 | uint16_t r, ret; 186 | 187 | ret = inp_next(u); 188 | r = inp_next(u); 189 | return ret | (r << 8); 190 | } 191 | 192 | extern uint32_t 193 | inp_uint32(struct ud* u) 194 | { 195 | uint32_t r, ret; 196 | 197 | ret = inp_next(u); 198 | r = inp_next(u); 199 | ret = ret | (r << 8); 200 | r = inp_next(u); 201 | ret = ret | (r << 16); 202 | r = inp_next(u); 203 | return ret | (r << 24); 204 | } 205 | 206 | /* extern uint64_t */ 207 | /* inp_uint64(struct ud* u) */ 208 | /* { */ 209 | /* uint64_t r, ret; */ 210 | 211 | /* ret = inp_next(u); */ 212 | /* r = inp_next(u); */ 213 | /* ret = ret | (r << 8); */ 214 | /* r = inp_next(u); */ 215 | /* ret = ret | (r << 16); */ 216 | /* r = inp_next(u); */ 217 | /* ret = ret | (r << 24); */ 218 | /* r = inp_next(u); */ 219 | /* ret = ret | (r << 32); */ 220 | /* r = inp_next(u); */ 221 | /* ret = ret | (r << 40); */ 222 | /* r = inp_next(u); */ 223 | /* ret = ret | (r << 48); */ 224 | /* r = inp_next(u); */ 225 | /* return ret | (r << 56); */ 226 | /* } */ 227 | --------------------------------------------------------------------------------