prealloc (reserve pre-allocated pools)

Description of the 'prealloc' command in HyperDbg.

Previousflush (remove pending kernel buffers and messages)Nextpreactivate (pre-activate special functionalities)

Last updated 1 year ago

prealloc (reserve pre-allocated pools)

Description of the 'prealloc' command in HyperDbg.

Command

prealloc

Syntax

prealloc [Type (string)] [Count (hex)]

Description

Reserves a specified number of pre-allocated pools. This command is mainly used to assist in the pre-allocation of pools for .

In some cases, you need to reserve multiple pools to be used in vmx-root mode. This command will allocate these pools in PASSIVE_LEVEL.

HyperDbg tries to minimize the request for this command by allocating pools whenever your system is in PASSIVE_LEVEL.

Parameters

[Type (string)]

The type of pool(s) to be reserved.

Type

thread-interception

Used for storing details of processes with thousands of threads

monitor

!monitor command's extra pages

epthook

!ephook command's extra pages

epthook2

!ephook2 command's extra pages

regular-event

big-event

regular-safe-buffer

big-safe-buffer

[Count (hex)]

Number of pool(s) to be allocated and reserved.

Examples

0: kHyperDbg> prealloc regular-event 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc monitor 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc regular-event 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc epthook 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc regular-safe-buffer 1
the requested pools are allocated and reserved

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_RESERVE_PRE_ALLOCATED_POOLS, you have to send it in the following structure.

typedef struct _DEBUGGER_PREALLOC_COMMAND
{
    DEBUGGER_PREALLOC_COMMAND_TYPE Type;
    UINT64                         Count;
    UINT32                         KernelStatus;

} DEBUGGER_PREALLOC_COMMAND, *PDEBUGGER_PREALLOC_COMMAND;

You should only fill the Type and Count of the above structure when the IOCTL returns from the kernel, other parts of this structure are filled with appropriate KernelStatus.

The Type can be from the following enum:

typedef enum _DEBUGGER_PREALLOC_COMMAND_TYPE
{
    DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR,
    DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION,
} DEBUGGER_PREALLOC_COMMAND_TYPE;

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Previousflush (remove pending kernel buffers and messages)Nextpreactivate (pre-activate special functionalities)

Last updated 1 year ago

Command

prealloc

Syntax

prealloc [Type (string)] [Count (hex)]

Description

Reserves a specified number of pre-allocated pools. This command is mainly used to assist in the pre-allocation of pools for .

In some cases, you need to reserve multiple pools to be used in vmx-root mode. This command will allocate these pools in PASSIVE_LEVEL.

HyperDbg tries to minimize the request for this command by allocating pools whenever your system is in PASSIVE_LEVEL.

Parameters

[Type (string)]

The type of pool(s) to be reserved.

Type

thread-interception

Used for storing details of processes with thousands of threads

monitor

!monitor command's extra pages

epthook

!ephook command's extra pages

epthook2

!ephook2 command's extra pages

regular-event

Regular

big-event

Big

regular-safe-buffer

Regular event safe buffers () for

big-safe-buffer

Big event safe buffers () for

[Count (hex)]

Number of pool(s) to be allocated and reserved.

Examples

Imagine we want to pre-allocate and reserve 0x10 number of pools for the '' command. If we're operating in the , first we need to reserve and allocate pools for a , then we need to allocate the same amount of pools for the memory monitor EPT hooks.

0: kHyperDbg> prealloc regular-event 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc monitor 10
the requested pools are allocated and reserved

Again if we want to pre-allocate and reserve 0x10 number of pools for the '' command. If we're operating in the , first we need to reserve and allocate pools for a , then we need to allocate the same amount of pools for the memory epthook EPT hooks.

0: kHyperDbg> prealloc regular-event 10
the requested pools are allocated and reserved

0: kHyperDbg> prealloc epthook 10
the requested pools are allocated and reserved

Assume we need to pre-allocate and for an event in the . We can use the following command.

0: kHyperDbg> prealloc regular-safe-buffer 1
the requested pools are allocated and reserved

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_RESERVE_PRE_ALLOCATED_POOLS, you have to send it in the following structure.

typedef struct _DEBUGGER_PREALLOC_COMMAND
{
    DEBUGGER_PREALLOC_COMMAND_TYPE Type;
    UINT64                         Count;
    UINT32                         KernelStatus;

} DEBUGGER_PREALLOC_COMMAND, *PDEBUGGER_PREALLOC_COMMAND;

You should only fill the Type and Count of the above structure when the IOCTL returns from the kernel, other parts of this structure are filled with appropriate KernelStatus.

The Type can be from the following enum:

typedef enum _DEBUGGER_PREALLOC_COMMAND_TYPE
{
    DEBUGGER_PREALLOC_COMMAND_TYPE_MONITOR,
    DEBUGGER_PREALLOC_COMMAND_TYPE_THREAD_INTERCEPTION,
} DEBUGGER_PREALLOC_COMMAND_TYPE;

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related