IOCTL requests for events
How to programmatically activate an event using IOCTLs?
In order to send an IOCTL and enable an event programmatically, you should fill the following structure. This structure is used for tracing works in user mode and sending it to the kernel-mode. Keep in mind that this structure is not what we save for events in kernel-mode.
After sending this structure to the kernel, if it's valid, then the kernel creates a disabled event and is waiting for an action to be received then it activates the event.
1
/**
2
* @brief Each command is like the following struct, it also used for
3
* tracing works in user mode and sending it to the kernl mode
4
* @details THIS IS NOT WHAT HYPERDBG SAVES FOR EVENTS IN KERNEL MODE
5
*/
6
typedef struct _DEBUGGER_GENERAL_EVENT_DETAIL {
7
8
LIST_ENTRY
9
CommandsEventList; // Linked-list of commands list (used for tracing purpose
10
// in user mode)
11
12
time_t CreationTime; // Date of creating this event
13
14
UINT32 CoreId; // determines the core index to apply this event to, if it's
15
// 0xffffffff means that we have to apply it to all cores
16
17
UINT32 ProcessId; // determines the process id to apply this to
18
// only that 0xffffffff means that we have to
19
// apply it to all processes
20
21
BOOLEAN IsEnabled;
22
23
BOOLEAN HasCustomOutput; // Shows whether this event has a custom output
24
// source or not
25
26
UINT64
27
OutputSourceTags
28
[DebuggerOutputSourceMaximumRemoteSourceForSingleEvent]; // tags of
29
// multiple
30
// sources which
31
// can be used to
32
// send the event
33
// results of
34
// scripts to
35
// remote sources
36
37
UINT32 CountOfActions;
38
39
UINT64 Tag; // is same as operation code
40
DEBUGGER_EVENT_TYPE_ENUM EventType;
41
42
UINT64 OptionalParam1;
43
UINT64 OptionalParam2;
44
UINT64 OptionalParam3;
45
UINT64 OptionalParam4;
46
47
PVOID CommandStringBuffer;
48
49
UINT32 ConditionBufferSize;
50
51
} DEBUGGER_GENERAL_EVENT_DETAIL, *PDEBUGGER_GENERAL_EVENT_DETAIL;
Copied!
Based on your request, you can select one of the following actions fromDEBUGGER_EVENT_TYPE_ENUM enum. This enum will be updated in future versions, but if you want to simulate a special command, check the command's manual to see what's the command's type.
1
typedef enum _DEBUGGER_EVENT_TYPE_ENUM {
2
3
HIDDEN_HOOK_READ_AND_WRITE,
4
HIDDEN_HOOK_READ,
5
HIDDEN_HOOK_WRITE,
6
7
HIDDEN_HOOK_EXEC_DETOURS,
8
HIDDEN_HOOK_EXEC_CC,
9
10
SYSCALL_HOOK_EFER_SYSCALL,
11
SYSCALL_HOOK_EFER_SYSRET,
12
13
CPUID_INSTRUCTION_EXECUTION,
14
15
RDMSR_INSTRUCTION_EXECUTION,
16
WRMSR_INSTRUCTION_EXECUTION,
17
18
IN_INSTRUCTION_EXECUTION,
19
OUT_INSTRUCTION_EXECUTION,
20
21
EXCEPTION_OCCURRED,
22
EXTERNAL_INTERRUPT_OCCURRED,
23
24
DEBUG_REGISTERS_ACCESSED,
25
26
TSC_INSTRUCTION_EXECUTION,
27
PMC_INSTRUCTION_EXECUTION,
28
29
VMCALL_INSTRUCTION_EXECUTION,
30
31
} DEBUGGER_EVENT_TYPE_ENUM;
Copied!
If you want to use the debugger features, you should connect the CommandsEventList to the list of user-mode commands.
OptionalParamX is different in the case of each command. For example, in !epthook2, you should send the address of where you want to hook to the kernel as OptionalParam1. You have to check each command's manual to see what are its specific OptionalParam(s).
Tag is an ID that you can use later in action.
IsEnabled has a user-mode usage to trace whether the event is enabled or not.
CommandStringBuffer is the string of the command. You can ignore it.
If your event contains a condition buffer (ConditionBufferSize != 0), you can use set the size if ConditionBufferSize and append the buffer to the end of the above structure, and when you send the buffer to the kernel, you should send the sizeof(DEBUGGER_GENERAL_EVENT_DETAIL)+ ConditionBufferSize (if any).
Finally, you can send it to the kernel by using the following function.
1
/**
2
* @brief Register the event to the kernel
3
*/
4
BOOLEAN
5
SendEventToKernel(PDEBUGGER_GENERAL_EVENT_DETAIL Event,
6
UINT32 EventBufferLength);
Copied!
If you want to send it directly using IOCTL, you can use the following IOCTL :
1
#define IOCTL_DEBUGGER_REGISTER_EVENT \
2
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)
Copied!
After sending the above event to the kernel, you should chain an action or multiple actions to the event.
You should fill the following structure to send a "Break", "Script", and "Custom Code" to the kernel. For example, you can append the custom code buffer after this structure and send them together to the kernel.
Also, EventTag is the unique ID that we sent previously in the event.
1
//
2
// Each event can have mulitple actions
3
// THIS STRUCTURE IS ONLY USED IN USER MODE
4
// WE USE SEPARATE STRUCTURE FOR ACTIONS IN
5
// KERNEL MODE
6
//
7
typedef struct _DEBUGGER_GENERAL_ACTION {
8
UINT64 EventTag;
9
DEBUGGER_EVENT_ACTION_TYPE_ENUM ActionType;
10
UINT32 PreAllocatedBuffer;
11
UINT32 CustomCodeBufferSize;
12
13
} DEBUGGER_GENERAL_ACTION, *PDEBUGGER_GENERAL_ACTION;
Copied!
You can send the action to the kernel using the following function. Make sure to send the sizeof(DEBUGGER_GENERAL_ACTION)+ Size of Custom code (if any) to the following function.
1
/**
2
* @brief Register the action to the event
3
*/
4
BOOLEAN
5
RegisterActionToEvent(PDEBUGGER_GENERAL_ACTION Action,
6
UINT32 ActionsBufferLength);
Copied!
If you want to register the action to the event directly using DeviceIoControl, you can use the following IOCTL.
1
#define IOCTL_DEBUGGER_ADD_ACTION_TO_EVENT \
2
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
Copied!
Copy link
Edit on GitHub