#ifndef _NT_DEBUG_H_
#define _NT_DEBUG_H_
#include "nt_abi.h"
#include "nt_object.h"
#include "nt_exception.h"
/* debug access rights */
/* NT_DEBUG_SPECIFIC_RIGHTS bundles all four object-specific bits (0xf) and
 * NT_DEBUG_ALL_ACCESS adds the standard rights on top.  No per-right constant
 * is defined here, so a caller can only ask for the full set.
 * NOTE(review): if some callers only need to read events, consider defining
 * the individual bits so the narrowest access mask can be requested. */
#define NT_DEBUG_SPECIFIC_RIGHTS (0xf)
#define NT_DEBUG_ALL_ACCESS (NT_SEC_STANDARD_RIGHTS_ALL \
| NT_DEBUG_SPECIFIC_RIGHTS)
/* debug flags */
/* presumably passed as the flags argument of ntapi_zw_create_debug_object();
 * the two values are mutually exclusive (0 vs bit 0), not a combinable set */
#define NT_DEBUG_DETACH_ON_EXIT (0x0)
#define NT_DEBUG_KILL_ON_EXIT (0x1)
/* debug object information classes */
/* information class value for ntapi_zw_set_information_debug_object() */
#define NT_DEBUG_OBJECT_FLAGS_INFO (0X1)
/* debug filter mask */
/* NT_DBG_FLTR_*_LEVEL are the four filter levels (0..3).  NT_DBG_FLTR_MASK
 * presumably mirrors the native DPFLTR_MASK flag, which marks the level
 * argument as a bit mask rather than a single level.
 * NOTE(review): the native DPFLTR_MASK is 0x80000000 (bit 31); this value is
 * 0x8000000 (bit 27) -- confirm a zero is not missing, as a wrong bit would
 * make the kernel treat the mask argument as an out-of-range level. */
#define NT_DBG_FLTR_ERROR_LEVEL (0x0)
#define NT_DBG_FLTR_WARNING_LEVEL (0x1)
#define NT_DBG_FLTR_TRACE_LEVEL (0x2)
#define NT_DBG_FLTR_INFO_LEVEL (0x3)
#define NT_DBG_FLTR_MASK (0x8000000)
/* debug states */
/* value reported in nt_dbg_wait_state_change.state.  The enumerators carry
 * implicit positional values (IDLE = 0) and NT_DBG_FLOW_MASK_* below shifts
 * by them, so the order is part of the ABI: do not reorder or insert. */
typedef enum _nt_dbg_state {
NT_DBG_STATE_IDLE,
NT_DBG_STATE_REPLY_PENDING,
NT_DBG_STATE_CREATE_THREAD,
NT_DBG_STATE_CREATE_PROCESS,
NT_DBG_STATE_EXIT_THREAD,
NT_DBG_STATE_EXIT_PROCESS,
NT_DBG_STATE_EXCEPTION,
NT_DBG_STATE_BREAKPOINT,
NT_DBG_STATE_SINGLE_STEP,
NT_DBG_STATE_DLL_LOAD,
NT_DBG_STATE_DLL_UNLOAD,
} nt_dbg_state;
/* debug filters */
/* kernel debug-print component ids.  Values are implicit and positional
 * (SYSTEM = 0 ... ENDOFTABLE last) and are presumably what the filter-state
 * interfaces below take as dbg_component_id, so the order is ABI: do not
 * reorder; new ids go immediately before NT_DBG_FLTR_ENDOFTABLE_ID. */
typedef enum _nt_dbg_fltr_type {
NT_DBG_FLTR_SYSTEM_ID,
NT_DBG_FLTR_SMSS_ID,
NT_DBG_FLTR_SETUP_ID,
NT_DBG_FLTR_NTFS_ID,
NT_DBG_FLTR_FSTUB_ID,
NT_DBG_FLTR_CRASHDUMP_ID,
NT_DBG_FLTR_CDAUDIO_ID,
NT_DBG_FLTR_CDROM_ID,
NT_DBG_FLTR_CLASSPNP_ID,
NT_DBG_FLTR_DISK_ID,
NT_DBG_FLTR_REDBOOK_ID,
NT_DBG_FLTR_STORPROP_ID,
NT_DBG_FLTR_SCSIPORT_ID,
NT_DBG_FLTR_SCSIMINIPORT_ID,
NT_DBG_FLTR_CONFIG_ID,
NT_DBG_FLTR_I8042PRT_ID,
NT_DBG_FLTR_SERMOUSE_ID,
NT_DBG_FLTR_LSERMOUS_ID,
NT_DBG_FLTR_KBDHID_ID,
NT_DBG_FLTR_MOUHID_ID,
NT_DBG_FLTR_KBDCLASS_ID,
NT_DBG_FLTR_MOUCLASS_ID,
NT_DBG_FLTR_TWOTRACK_ID,
NT_DBG_FLTR_WMILIB_ID,
NT_DBG_FLTR_ACPI_ID,
NT_DBG_FLTR_AMLI_ID,
NT_DBG_FLTR_HALIA64_ID,
NT_DBG_FLTR_VIDEO_ID,
NT_DBG_FLTR_SVCHOST_ID,
NT_DBG_FLTR_VIDEOPRT_ID,
NT_DBG_FLTR_TCPIP_ID,
NT_DBG_FLTR_DMSYNTH_ID,
NT_DBG_FLTR_NTOSPNP_ID,
NT_DBG_FLTR_FASTFAT_ID,
NT_DBG_FLTR_SAMSS_ID,
NT_DBG_FLTR_PNPMGR_ID,
NT_DBG_FLTR_NETAPI_ID,
NT_DBG_FLTR_SCSERVER_ID,
NT_DBG_FLTR_SCCLIENT_ID,
NT_DBG_FLTR_SERIAL_ID,
NT_DBG_FLTR_SERENUM_ID,
NT_DBG_FLTR_UHCD_ID,
NT_DBG_FLTR_RPCPROXY_ID,
NT_DBG_FLTR_AUTOCHK_ID,
NT_DBG_FLTR_DCOMSS_ID,
NT_DBG_FLTR_UNIMODEM_ID,
NT_DBG_FLTR_SIS_ID,
NT_DBG_FLTR_FLTMGR_ID,
NT_DBG_FLTR_WMICORE_ID,
NT_DBG_FLTR_BURNENG_ID,
NT_DBG_FLTR_IMAPI_ID,
NT_DBG_FLTR_SXS_ID,
NT_DBG_FLTR_FUSION_ID,
NT_DBG_FLTR_IDLETASK_ID,
NT_DBG_FLTR_SOFTPCI_ID,
NT_DBG_FLTR_TAPE_ID,
NT_DBG_FLTR_MCHGR_ID,
NT_DBG_FLTR_IDEP_ID,
NT_DBG_FLTR_PCIIDE_ID,
NT_DBG_FLTR_FLOPPY_ID,
NT_DBG_FLTR_FDC_ID,
NT_DBG_FLTR_TERMSRV_ID,
NT_DBG_FLTR_W32TIME_ID,
NT_DBG_FLTR_PREFETCHER_ID,
NT_DBG_FLTR_RSFILTER_ID,
NT_DBG_FLTR_FCPORT_ID,
NT_DBG_FLTR_PCI_ID,
NT_DBG_FLTR_DMIO_ID,
NT_DBG_FLTR_DMCONFIG_ID,
NT_DBG_FLTR_DMADMIN_ID,
NT_DBG_FLTR_WSOCKTRANSPORT_ID,
NT_DBG_FLTR_VSS_ID,
NT_DBG_FLTR_PNPMEM_ID,
NT_DBG_FLTR_PROCESSOR_ID,
NT_DBG_FLTR_DMSERVER_ID,
NT_DBG_FLTR_SR_ID,
NT_DBG_FLTR_INFINIBAND_ID,
NT_DBG_FLTR_IHVDRIVER_ID,
NT_DBG_FLTR_IHVVIDEO_ID,
NT_DBG_FLTR_IHVAUDIO_ID,
NT_DBG_FLTR_IHVNETWORK_ID,
NT_DBG_FLTR_IHVSTREAMING_ID,
NT_DBG_FLTR_IHVBUS_ID,
NT_DBG_FLTR_HPS_ID,
NT_DBG_FLTR_RTLTHREADPOOL_ID,
NT_DBG_FLTR_LDR_ID,
NT_DBG_FLTR_TCPIP6_ID,
NT_DBG_FLTR_ISAPNP_ID,
NT_DBG_FLTR_SHPC_ID,
NT_DBG_FLTR_STORPORT_ID,
NT_DBG_FLTR_STORMINIPORT_ID,
NT_DBG_FLTR_PRINTSPOOLER_ID,
NT_DBG_FLTR_VSSDYNDISK_ID,
NT_DBG_FLTR_VERIFIER_ID,
NT_DBG_FLTR_VDS_ID,
NT_DBG_FLTR_VDSBAS_ID,
NT_DBG_FLTR_VDSDYN_ID,
NT_DBG_FLTR_VDSDYNDR_ID,
NT_DBG_FLTR_VDSLDR_ID,
NT_DBG_FLTR_VDSUTIL_ID,
NT_DBG_FLTR_DFRGIFC_ID,
NT_DBG_FLTR_DEFAULT_ID,
NT_DBG_FLTR_MM_ID,
NT_DBG_FLTR_DFSC_ID,
NT_DBG_FLTR_WOW64_ID,
NT_DBG_FLTR_ALPC_ID,
NT_DBG_FLTR_WDI_ID,
NT_DBG_FLTR_PERFLIB_ID,
NT_DBG_FLTR_KTM_ID,
NT_DBG_FLTR_IOSTRESS_ID,
NT_DBG_FLTR_HEAP_ID,
NT_DBG_FLTR_WHEA_ID,
NT_DBG_FLTR_USERGDI_ID,
NT_DBG_FLTR_MMCSS_ID,
NT_DBG_FLTR_TPM_ID,
NT_DBG_FLTR_THREADORDER_ID,
NT_DBG_FLTR_ENVIRON_ID,
NT_DBG_FLTR_EMS_ID,
NT_DBG_FLTR_WDT_ID,
NT_DBG_FLTR_FVEVOL_ID,
NT_DBG_FLTR_NDIS_ID,
NT_DBG_FLTR_NVCTRACE_ID,
NT_DBG_FLTR_LUAFV_ID,
NT_DBG_FLTR_APPCOMPAT_ID,
NT_DBG_FLTR_USBSTOR_ID,
NT_DBG_FLTR_SBP2PORT_ID,
NT_DBG_FLTR_COVERAGE_ID,
NT_DBG_FLTR_CACHEMGR_ID,
NT_DBG_FLTR_MOUNTMGR_ID,
NT_DBG_FLTR_CFR_ID,
NT_DBG_FLTR_TXF_ID,
NT_DBG_FLTR_KSECDD_ID,
NT_DBG_FLTR_FLTREGRESS_ID,
NT_DBG_FLTR_MPIO_ID,
NT_DBG_FLTR_MSDSM_ID,
NT_DBG_FLTR_UDFS_ID,
NT_DBG_FLTR_PSHED_ID,
NT_DBG_FLTR_STORVSP_ID,
NT_DBG_FLTR_LSASS_ID,
NT_DBG_FLTR_SSPICLI_ID,
NT_DBG_FLTR_CNG_ID,
NT_DBG_FLTR_EXFAT_ID,
NT_DBG_FLTR_FILETRACE_ID,
NT_DBG_FLTR_XSAVE_ID,
NT_DBG_FLTR_SE_ID,
NT_DBG_FLTR_DRIVEEXTENDER_ID,
NT_DBG_FLTR_POWER_ID,
NT_DBG_FLTR_CRASHDUMPXHCI_ID,
NT_DBG_FLTR_GPIO_ID,
NT_DBG_FLTR_REFS_ID,
NT_DBG_FLTR_WER_ID,
NT_DBG_FLTR_CAPIMG_ID,
NT_DBG_FLTR_VPCI_ID,
NT_DBG_FLTR_STORAGECLASSMEMORY_ID,
NT_DBG_FLTR_ENDOFTABLE_ID,
} nt_dbg_fltr_type;
/* execution flow masks */
/* one bit per nt_dbg_state value (bit index == enumerator value), presumably
 * combined into the evtmask argument of ntapi_tt_debug_execution_flow().
 * The two high constants are project control bits with no matching state;
 * they sit far above bit 10 so they cannot collide with a state bit. */
#define NT_DBG_FLOW_MASK_IDLE (1 << NT_DBG_STATE_IDLE)
#define NT_DBG_FLOW_MASK_REPLY_PENDING (1 << NT_DBG_STATE_REPLY_PENDING)
#define NT_DBG_FLOW_MASK_CREATE_THREAD (1 << NT_DBG_STATE_CREATE_THREAD)
#define NT_DBG_FLOW_MASK_CREATE_PROCESS (1 << NT_DBG_STATE_CREATE_PROCESS)
#define NT_DBG_FLOW_MASK_EXIT_THREAD (1 << NT_DBG_STATE_EXIT_THREAD)
#define NT_DBG_FLOW_MASK_EXIT_PROCESS (1 << NT_DBG_STATE_EXIT_PROCESS)
#define NT_DBG_FLOW_MASK_EXCEPTION (1 << NT_DBG_STATE_EXCEPTION)
#define NT_DBG_FLOW_MASK_BREAKPOINT (1 << NT_DBG_STATE_BREAKPOINT)
#define NT_DBG_FLOW_MASK_SINGLE_STEP (1 << NT_DBG_STATE_SINGLE_STEP)
#define NT_DBG_FLOW_MASK_DLL_LOAD (1 << NT_DBG_STATE_DLL_LOAD)
#define NT_DBG_FLOW_MASK_DLL_UNLOAD (1 << NT_DBG_STATE_DLL_UNLOAD)
#define NT_DBG_FLOW_MASK_EXECUTION_TREE (0x10000000)
#define NT_DBG_FLOW_MASK_DETACH_AND_CLOSE (0x20000000)
/* debug events */
/* payload of nt_dbg_wait_state_change._u presumably used for the
 * NT_DBG_STATE_EXIT_THREAD state: the exiting thread's NTSTATUS-style code */
typedef struct _nt_dbg_km_thread_exit {
int32_t exit_status;
} nt_dbg_km_thread_exit;
/* payload presumably used for NT_DBG_STATE_EXIT_PROCESS; same shape as the
 * thread-exit record but kept as a distinct type for clarity at the call site */
typedef struct _nt_dbg_km_process_exit {
int32_t exit_status;
} nt_dbg_km_process_exit;
/* payload presumably used for NT_DBG_STATE_DLL_LOAD.  image_handle and
 * image_base are raw values reported by the kernel about the debuggee; they
 * are not validated here and must not be dereferenced in the debugger's own
 * address space.  dbginfo_offset/size describe the debug directory within
 * the image -- callers should bounds-check them against the image they read. */
typedef struct _nt_dbg_km_load_module {
void * image_handle;
void * image_base;
uint32_t dbginfo_offset;
uint32_t dbginfo_size;
} nt_dbg_km_load_module;
/* payload presumably used for NT_DBG_STATE_DLL_UNLOAD; image_base is the
 * debuggee-side address of the unmapped image, opaque to the debugger */
typedef struct _nt_dbg_km_unload_module {
void * image_base;
} nt_dbg_km_unload_module;
/* payload presumably shared by the EXCEPTION, BREAKPOINT and SINGLE_STEP
 * states; exception_record comes from nt_exception.h (included above) and
 * exception_priority is presumably the first-chance/second-chance indicator
 * -- confirm against the callers before branching on it */
typedef struct _nt_dbg_km_exception {
nt_exception_record exception_record;
uint32_t exception_priority;
} nt_dbg_km_exception;
/* kernel-side description of a new thread: no handle, only the subsystem
 * key and the debuggee-side start address (opaque to the debugger).
 * Embedded in the process-info records below; the "ui" variant adds handles. */
typedef struct _nt_dbg_km_thread_info {
uint32_t subsystem_key;
void * start_address;
} nt_dbg_km_thread_info;
/* user-side thread record presumably used for NT_DBG_STATE_CREATE_THREAD:
 * the km fields plus hthread, a handle the caller becomes responsible for
 * closing -- NOTE(review): ownership of hthread is not documented here;
 * confirm whether the caller or the debug object closes it */
typedef struct _nt_dbg_ui_thread_info {
void * hthread;
uint32_t subsystem_key;
void * start_address;
} nt_dbg_ui_thread_info;
/* kernel-side description of a new process: image fields as in
 * nt_dbg_km_load_module plus the initial thread.  Layout must stay in sync
 * with nt_dbg_ui_process_info, which prefixes it with two handles. */
typedef struct _nt_dbg_km_process_info {
uint32_t subsystem_key;
void * image_handle;
void * image_base;
uint32_t dbginfo_offset;
uint32_t dbginfo_size;
nt_dbg_km_thread_info thread_info;
} nt_dbg_km_process_info;
/* user-side process record presumably used for NT_DBG_STATE_CREATE_PROCESS:
 * hprocess/hthread are handles delivered with the event, followed by the
 * same fields as nt_dbg_km_process_info.  NOTE(review): as with the thread
 * record, who closes hprocess and hthread is not stated here -- a caller that
 * drops the record without closing them leaks handles to the debuggee. */
typedef struct _nt_dbg_ui_process_info {
void * hprocess;
void * hthread;
uint32_t subsystem_key;
void * image_handle;
void * image_base;
uint32_t dbginfo_offset;
uint32_t dbginfo_size;
nt_dbg_km_thread_info thread_info;
} nt_dbg_ui_process_info;
/* record filled in by ntapi_zw_wait_for_debug_event() (its __out state
 * argument).  state selects which member of _u is meaningful; the others
 * hold whatever the kernel left in the union.  Callers should switch on
 * state before reading _u and treat cid as untrusted input from the debuggee
 * side (validate it before handing it to ntapi_zw_debug_continue()). */
typedef struct _nt_dbg_wait_state_change {
nt_dbg_state state;
nt_cid cid;
union {
nt_dbg_km_thread_exit thread_exit;
nt_dbg_km_process_exit process_exit;
nt_dbg_km_load_module load_module;
nt_dbg_km_unload_module unload_module;
nt_dbg_km_exception exception_info;
nt_dbg_ui_thread_info thread_info;
nt_dbg_ui_process_info process_info;
} _u;
} nt_dbg_wait_state_change;
/* debug interfaces */
/* function typedefs (no prototypes) describing the native Zw* debug calls,
 * presumably used for pointers resolved at runtime.  All return an int32_t
 * NTSTATUS; callers must check it before trusting any __out argument. */
typedef int32_t __stdcall ntapi_zw_create_debug_object(
__out void ** hdbobj,
__in uint32_t access_mask,
__in nt_oa * oa,
__in uint32_t flags);
typedef int32_t __stdcall ntapi_zw_debug_active_process(
__in void * hprocess,
__in void * hdbgobj);
typedef int32_t __stdcall ntapi_zw_remove_process_debug(
__in void * hprocess,
__in void * hdbgobj);
/* blocks until the debug object reports an event or timeout expires;
 * state is only valid when the returned status indicates success */
typedef int32_t __stdcall ntapi_zw_wait_for_debug_event(
__in void * hdbgobj,
__in int32_t alertable,
__in nt_timeout * timeout,
__out nt_dbg_wait_state_change * state);
typedef int32_t __stdcall ntapi_zw_debug_continue(
__in void * hdbgobj,
__in nt_cid * cid,
__in int32_t status);
/* NOTE(review): dbg_info_length is declared size_t here while the native
 * NtSetInformationDebugObject takes a 32-bit ULONG; on 64-bit targets only the
 * low half reaches the kernel -- confirm callers never pass a length that
 * does not fit in uint32_t, or narrow the typedef to match the native ABI. */
typedef int32_t __stdcall ntapi_zw_set_information_debug_object(
__in void * hdbgobj,
__in int32_t dbg_info_class,
__in void * dbg_info,
__in size_t dbg_info_length,
__out uint32_t * dbg_return_length);
/* dbg_component_id is presumably an nt_dbg_fltr_type value and dbg_level one
 * of NT_DBG_FLTR_*_LEVEL (optionally with NT_DBG_FLTR_MASK) */
typedef int32_t __stdcall ntapi_zw_query_debug_filter_state(
__in int32_t dbg_component_id,
__in uint32_t dbg_level);
typedef int32_t __stdcall ntapi_zw_set_debug_filter_state(
__in int32_t dbg_component_id,
__in uint32_t dbg_level,
__in int32_t dbg_state);
/* extension interfaces */
/* project-provided wrappers layered on the Zw* calls above; same NTSTATUS
 * return convention.  NOTE(review): the output parameter is spelled hdbobj
 * here and in ntapi_zw_create_debug_object but hdbgobj everywhere else --
 * harmless in a typedef, but worth unifying. */
typedef int32_t __stdcall ntapi_tt_debug_create_object(
__out void ** hdbobj,
__in uint32_t flags);
typedef int32_t __stdcall ntapi_tt_debug_create_attach_object(
__out void ** hdbgobj,
__in void * hprocess,
__in uint32_t flags);
/* evtmask is presumably a combination of NT_DBG_FLOW_MASK_* bits.
 * NOTE(review): nevents is annotated __in but is a pointer to uint64_t that
 * looks like an event counter written by the callee -- confirm the direction
 * and change the annotation to __out/__inout if so, since the annotation is
 * the only contract a caller has for whether the pointee must be initialized. */
typedef int32_t __stdcall ntapi_tt_debug_execution_flow(
__in void * hdbgobj,
__in void * hprocess,
__in void * hserver,
__in void * hlogfile,
__in uint32_t evtmask,
__in uint64_t * nevents);
/* hthread and cid describe the thread injected to raise the break; as with
 * the event records, the caller presumably owns hthread and must close it */
typedef int32_t __stdcall ntapi_tt_debug_break_process(
__in void * hprocess,
__out void ** hthread,
__out nt_cid * cid);
#endif