events (show and modify active/disabled events)
Description of the 'event' command in HyperDbg.
events
eventsevents [e|d|c all|EventNumber (hex)]
Shows a list of active/disabled events and commands or disables or clears the event(s).
[e|d|c all|EventNumber (hex)] (optional)
Type of action can be one of the
e, d, or c.e : enables the target event
d : disables the target event
c : clears and removes the target event
Specifies the target event (you can see the list of events and their unique event numbers by running the 'events' command), you can specify
all to apply your action to all active/disabled events.If you don't specify any parameters to the 'events' command, it shows a list of events and their unique event numbers.
The following command shows the list of active/disabled events.
HyperDbg> events
0 (enabled) !syscall 80
1 (disabled) !sysret 80
2 (enabled) !msrwrite 80 code {90}
3 (enabled) !cpuid
The following command disables an event with event number
1 and then we see the list of all events.HyperDbg> event d 1
HyperDbg> events
0 (enabled) !syscall 80
1 (disabled) !sysret 80
2 (enabled) !msrwrite 80 code {90}
3 (enabled) !cpuid
The following command enables all of the events and commands.
HyperDbg> event e all
HyperDbg> events
0 (enabled) !syscall 80
1 (enabled) !sysret 80
2 (enabled) !msrwrite 80 code {90}
3 (enabled) !cpuid
The following command clears an event with event number
1.HyperDbg> event c 1
HyperDbg> events
0 (enabled) !syscall 80
2 (enabled) !msrwrite 80 code {90}
3 (enabled) !cpuid
The following command clears and turns off every enabled and disabled event and commands.
0: kHyperDbg> event c all
This function works by calling DeviceIoControl with
IOCTL = IOCTL_DEBUGGER_MODIFY_EVENTS, you have to send it in the following structure.typedef struct _DEBUGGER_MODIFY_EVENTS {
UINT64 Tag; // Tag of the target event that we want to modify
UINT64 KernelStatus; // Kerenl put the status in this field
DEBUGGER_MODIFY_EVENTS_TYPE
TypeOfAction; // Determines what's the action (enable | disable | clear)
} DEBUGGER_MODIFY_EVENTS, *PDEBUGGER_MODIFY_EVENTS;
Where
Tag is the tag of the event that you want to modify, you should leave KernelStatus as it will be filled by the kernel and shows whether the request was successful or not.Keep in mind,
Tag is not the same as event number, tags start from DebuggerEventTagStartSeed (by default 0x1000000); thus, you can add this value to form a Tag from event number.TypeOfAction shows what type of action you want the kernel to perform (enable, disable, or clear). It can be one of the following values.typedef enum _DEBUGGER_MODIFY_EVENTS_TYPE {
DEBUGGER_MODIFY_EVENTS_ENABLE,
DEBUGGER_MODIFY_EVENTS_DISABLE,
DEBUGGER_MODIFY_EVENTS_CLEAR
} DEBUGGER_MODIFY_EVENTS_TYPE;
If you want to apply the action to all the events/commands, then you should fill the
Tag with the following constant.#define DEBUGGER_MODIFY_EVENTS_APPLY_TO_ALL_TAG 0xffffffffffffffff
When the request is finished, the kernel fills the user-mode buffer with one of the following values, which indicates whether the request was successful or there was an error.
In the case of success :
#define DEBUGEER_OPERATION_WAS_SUCCESSFULL 0xFFFFFFFF
In the case of error :
#define DEBUGGER_ERROR_DEBUGGER_MODIFY_EVENTS_INVALID_TAG 0xc000000e
#define DEBUGGER_ERROR_DEBUGGER_MODIFY_EVENTS_INVALID_TYPE_OF_ACTION 0xc000000f
Important note
If you are operating in Debugger Mode, you can enable or disable events while the debuggee is in a halt state. However, if you want to clear an event or all events then you lose the context as the debuggee is continued for some time to process the clear operation.
None
None
Last modified 1yr ago