events (show and modify active/disabled events)
Description of the 'event' command in HyperDbg.
Last updated
Description of the 'event' command in HyperDbg.
Last updated
events
events
events [e|d|c all|EventNumber (hex)]
events [sc State (on|off)]
Shows a list of active/disabled events and commands or disables or clears the event(s). This command is also able to change the '' state of the corresponding execution of the event.
[e|d|c all|EventNumber (hex)] (optional)
Type of action can be one of the e, d, or c.
e : enables the target event
d : disables the target event
c : clears and removes the target event
Specifies the target event (you can see the list of events and their unique event numbers by running the 'events' command), you can specify all to apply your action to all active/disabled events.
If you don't specify any parameters to the 'events' command, it shows a list of events and their unique event numbers.
The following command shows the list of active/disabled events.
The following command disables an event with event number 1 and then we see the list of all events.
The following command enables all of the events and commands.
The following command clears an event with event number 1.
The following command clears and turns off every enabled and disabled event and commands.
The following function short-circuits the corresponding execution of the event. It only applies to the current execution of the event and will reset to the default short-circuiting state in the next execution of the event.
This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_MODIFY_EVENTS, you have to send it in the following structure.
Where Tag is the tag of the event that you want to modify, you should leave KernelStatus as it will be filled by the kernel and shows whether the request was successful or not.
Keep in mind, Tag is not the same as event number, tags start from DebuggerEventTagStartSeed (by default 0x1000000); thus, you can add this value to form a Tag from event number.
TypeOfAction shows what type of action you want the kernel to perform (enable, disable, or clear). It can be one of the following values.
If you want to apply the action to all the events/commands, then you should fill the Tag with the following constant.
When the request is finished, the kernel fills the user-mode buffer with one of the following values, which indicates whether the request was successful or there was an error.
In the case of success :
In the case of error :
For event short-circuiting, you should send the following structure to the kernel.
The above structure should be sent to the debugger by the following RequestedAction,
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_SET_SHORT_CIRCUITING_STATE.
Important note
None
If you are operating in , you can enable, disable, clear events or change short-circuiting state while the debuggee is in a halt state and the context (memory and registers) remains untouched. However, once you clear an event or all events, HyperDbg just disables the event(s). Immediately after you continue the debuggee, HyperDbg tries to process the clear operation and removes the effect of the event in the system.