Skip to content

Latest commit

 

History

History
150 lines (102 loc) · 3.97 KB

.formats.md

File metadata and controls

150 lines (102 loc) · 3.97 KB
Raw
description
Description of the '.formats' command in HyperDbg.

.formats (show number formats)

Command

.formats

Syntax

.formats [Expression (string)]

Description

Evaluates an expression or register or a value in the current thread and process context and displays it in multiple numeric formats.

Parameters

[Expression (string)]

An expression, or a register, or a hex value to be evaluated.

Examples

Show 0x10 in different formats.

HyperDbg> .formats 10
Evaluate expression:
Hex :        00000000`00000010
Decimal :    16
Octal :      20
Binary :     00000000 00000000 00000000 00000000 00000000 00000000 00000000 00010000
Char :       ........
Time :       04/28/20 - 06:35AM
Float :      0.00 +8e-323 7.905050E-323
Double :     7.90505033345994471e-323

Show different formats of rcx register.

HyperDbg> .formats @rcx
Evaluate expression:
Hex :        00000000`00000024
Decimal :    36
Octal :      44
Binary :     00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100100
Char :       $.......
Time :       02/07/21 - 02:29PM
Float :      0.00 +2e-322 1.778636E-322
Double :     1.77863632502848756e-322

Show different formats of rcx register added to rbx register.

HyperDbg> .formats @rax+@rbx
Evaluate expression:
Hex :        ffff2919`819251c0
Decimal :    -2121117248
Octal :      20144450700
Binary :     11111111 11111111 00101001 00011001 10000001 10010010 01010001 11000000
Char :       .Q...)..
Time :       02/07/21 - 02:29PM
Float :      -nan -nan -NAN
Double :     -nan

IOCTL

This commands works over serial by sending the serial packets to the remote computer.

First of all, you should fill the following structure, set the ScriptBufferSize and ScriptBufferPointer to the values you got from the script engine interpreter, and leave the Result and set the IsFormat to true.

After that, you should move the interpreted buffer to the end of the structure (this structure is a header for the interpreted buffer).

typedef struct _DEBUGGEE_SCRIPT_PACKET {

  UINT32 ScriptBufferSize;
  UINT32 ScriptBufferPointer;
  BOOLEAN IsFormat;
  UINT32 Result;

  //
  // The script buffer is here
  //

} DEBUGGEE_SCRIPT_PACKET, *PDEBUGGEE_SCRIPT_PACKET;

The next step is sending the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.

You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_RUN_SCRIPT as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.

In return, the debuggee sends two packets back to the debugger. The first packet type is:

DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_FORMATS

This packet should be interpreted based on the following structure:

typedef struct _DEBUGGEE_FORMATS_PACKET {

  UINT64 Value;
  UINT32 Result;

} DEBUGGEE_FORMATS_PACKET, *PDEBUGGEE_FORMATS_PACKET;

The value should be passed to the following function to illustrate different formats.

VOID CommandFormatsShowResults(UINT64 U64Value);

If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful. Otherwise, the returned result is an error.

After that, the debuggee sends the above structure with the following type.

DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_RUNNING_SCRIPT

In the returned structure, the Result is filled by the kernel.

If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful. Otherwise, the returned result is an error.

The following function is responsible for sending script buffers in the debugger.

BOOLEAN KdSendScriptPacketToDebuggee(UINT64 BufferAddress, UINT32 BufferLength, UINT32 Pointer, BOOLEAN IsFormat);

Remarks

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Related

None