!sysret, !sysret2 (hook SYSRET instruction execution)
Description of '!sysret, !sysret2' commands in HyperDbg.
Command
!sysret
!sysret2
Syntax
!sysret [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]
!sysret2 [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]
Description
Triggers whenever the debuggee executes a sysret instruction or, in other words, whenever Windows returns to user-mode from a previous syscall.
Both commands rely on the same trap: with the hook armed, a SYSRET (or SYSCALL) instruction raises #UD in the guest, and HyperDbg examines that fault. The difference between !sysret and !sysret2 is how the fault is classified. In !sysret we safely read the instruction bytes at the faulting RIP to confirm that the instruction that caused the #UD really is a SYSRET or a SYSCALL, so this command accesses guest memory on every #UD. We found that older systems have problems with this kind of memory access. In !sysret2 we do not touch memory at all and only check whether the faulting RIP is a kernel address or a user address. This method is faster and usually runs for several hours without error, but any #UD raised by a user-mode application for another reason is misclassified, and a BSOD follows. We therefore encourage you to use !sysret, and to fall back to !sysret2 only if your machine does not support the first command.
Parameters
[pid ProcessId (hex)] (optional)
Optional value to trigger the event in just a specific process. Add pid xx to your command; thus, the command will be executed only if the process id is equal to xx. If you don't specify this option, then by default, you receive events on all processes.
Still, in the case of user-mode debugging, HyperDbg applies it only to the current active debugging process (not all the processes). In that case, you can specify pid all to intercept events from the entire system.
[core CoreId (hex)] (optional)
Optional value to trigger the event in just a specific core. Add core xx to your command; thus, the command will be executed only if the core id is equal to xx. If you don't specify this option, then by default, you receive events on all cores.
[imm IsImmediate (yesno)] (optional)
Optional value in which yes means the results (printed texts in scripts) should be delivered immediately to the debugger. no means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to yes.
[sc EnableShortCircuiting (onoff)] (optional)
[stage CallingStage (prepostall)] (optional)
[buffer PreAllocatedBuffer (hex)] (optional)
[script { Script (string) }] (optional)
[asm condition { Condition (assembly/hex) }] (optional)
[asm code { Code (assembly/hex) }] (optional)
[output {OutputName (string)}] (optional)
Context
As the Context ($context pseudo-register in the event's script, r8 in custom code, and rdx in condition code) to the event trigger, HyperDbg sends the rip register of the location where the sysret instruction is executed. On Windows, this value is generally the same from one trigger to the next, because the kernel returns to user-mode through a single sysret instruction.
Short-circuiting
Calling Stages
Debugger
This event supports three debugging mechanisms.
Break
Script
Custom Code
Break
Imagine we want to break on every sysret executed by process id 0x490.
Script
The above command when messages don't need to be delivered immediately.
Script (From File)
If you saved your script into a file, then you can add file: instead of a script and append the file path to it. For example, the following examples show how you can run a script from file:c:\users\sina\desktop\script.txt.
Custom Code
Run Custom Code (Unconditional)
Or if you want to use assembly code directly, you can add an asm before the code.
Run Custom Code (Conditional)
Or if you want to use assembly code directly, you can add an asm before the condition and also before the code.
Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.
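The following session ties the Break, Script and conditional sub-sections above together with the Context description: it breaks on every sysret of one process, then logs the $context value next to the architectural state that sysret consumes, and finally uses a conditional script to flag a return target that should never occur. This is an added example, not a listing from the original page or from the HyperDbg project. The event syntax is the one documented above; the script-engine features used ($context, $pid, $tid, $core, @rcx, @r11, @rax, printf, if, pause()) are assumed to match HyperDbg's script language, the process id 0x490 and the address bound are constructed values, and lines starting with # are annotations rather than debugger input.

```hyperdbg
# 1) Break: stop in the debugger on every sysret executed by process 0x490
#    (pid takes a hex value, so 490 here means 0x490).
!sysret pid 490

# 2) Script: log where the sysret executes and where it returns to.
#    $context is the rip of the sysret itself (see Context above).
#    On x86-64, sysret loads rip from rcx and rflags from r11, and rax
#    carries the result of the syscall that just completed, so all three
#    are still live when this event fires. imm no batches the output.
!sysret pid 490 imm no script {
    printf("sysret @ %llx | core %x pid %x tid %x | -> user rip %llx, rflags %llx, rax %llx\n",
           $context, $core, $pid, $tid, @rcx, @r11, @rax);
}

# 3) Conditional script over the whole system: only act when the user-mode
#    return address lies outside the canonical user range (constructed
#    bound: above 0x00007fffffffffff), i.e. the kernel is about to sysret
#    to an address that is not user-mode. pause() drops into the debugger.
!sysret pid all script {
    if (@rcx > 0x00007fffffffffff) {
        printf("suspicious return target %llx from sysret at %llx (pid %x)\n",
               @rcx, $context, $pid);
        pause();
    }
}

# The same conditional script can be kept in a file and loaded instead of
# being written inline:
#    !sysret pid all script file:c:\users\sina\desktop\script.txt
```

The third command is the one worth keeping around while hunting for kernel return-path corruption: because sysret reloads rip from rcx unconditionally, checking rcx at the hook is the last point at which a bad return target is visible before control leaves the kernel. Remember from the Remarks that the hook itself is not PatchGuard compatible, so PatchGuard must already be disabled when any of these commands is issued.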
IOCTL
As EventType use SYSCALL_HOOK_EFER_SYSRET in DEBUGGER_GENERAL_EVENT_DETAIL.
Design
Remarks
This command is not PatchGuard compatible, which means that PatchGuard detects this command and will cause a BSOD; thus, make sure to turn it off (e.g., by attaching a kernel-mode WinDbg debugger at Windows boot) before using this command. Disabling Driver Signature Enforcement alone won't turn off PatchGuard.
This command makes your computer substantially slower, since every SYSRET (and SYSCALL) in the system now traps into the hypervisor.
Requirements
Post-Nehalem Processor (EPT)
Related