HyperDbg Debugger
Loading...
Searching...
No Matches
Functions.c File Reference

Script engine functions implementations. More...

#include "pch.h"

Functions

UINT64 GetValue (PGUEST_REGS GuestRegs, PACTION_BUFFER ActionBuffer, PSCRIPT_ENGINE_GENERAL_REGISTERS ScriptGeneralRegisters, PSYMBOL Symbol, BOOLEAN ReturnReference)
 Get the Value (reg, peseudo-reg, etc.).
BOOLEAN ScriptEngineFunctionEq (UINT64 Address, QWORD Value, BOOL *HasError)
 Implementation of eq function.
BOOLEAN ScriptEngineFunctionEd (UINT64 Address, DWORD Value, BOOL *HasError)
 Implementation of ed function.
BOOLEAN ScriptEngineFunctionEb (UINT64 Address, BYTE Value, BOOL *HasError)
 Implementation of eb function.
BOOLEAN ScriptEngineFunctionEqPa (UINT64 Address, QWORD Value, BOOL *HasError)
 Implementation of eq function (Physical Memory).
BOOLEAN ScriptEngineFunctionEdPa (UINT64 Address, DWORD Value, BOOL *HasError)
 Implementation of ed function (Physical Memory).
BOOLEAN ScriptEngineFunctionEbPa (UINT64 Address, BYTE Value, BOOL *HasError)
 Implementation of eb function (Physical Memory).
BOOLEAN ScriptEngineFunctionCheckAddress (UINT64 Address, UINT32 Length)
 Check whether the address is valid or not.
VOID ScriptEngineFunctionMemcpy (UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *HasError)
 A VMX-compatible equivalent of memcpy function in C.
VOID ScriptEngineFunctionMemcpyPa (UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *HasError)
 A VMX-compatible equivalent of memcpy function in C for physical memory.
UINT64 ScriptEngineFunctionVirtualToPhysical (UINT64 Address)
UINT64 ScriptEngineFunctionPhysicalToVirtual (UINT64 Address)
 Convert physical address to virtual address.
VOID ScriptEngineFunctionPrint (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of print function.
VOID ScriptEngineFunctionTestStatement (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of test_statement function.
VOID ScriptEngineFunctionSpinlockLock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_lock function.
VOID ScriptEngineFunctionSpinlockUnlock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_unlock function.
VOID ScriptEngineFunctionSpinlockLockCustomWait (volatile long *Lock, unsigned MaxWait, BOOL *HasError)
 Implementation of spinlock_lock_custom_wait function.
UINT64 ScriptEngineFunctionStrlen (const char *Address)
 Implementation of strlen function.
UINT64 ScriptEngineFunctionDisassembleLen (PVOID Address, BOOLEAN Is32Bit)
 Implementation of disassemble_len function.
UINT64 ScriptEngineFunctionWcslen (const wchar_t *Address)
 Implementation of wcslen function.
VOID ScriptEngineFunctionMicroSleep (UINT64 Us)
 Implementation of microsleep function.
UINT64 ScriptEngineFunctionRdtsc ()
 Implementation of rdtsc function.
UINT64 ScriptEngineFunctionRdtscp ()
 Implementation of rdtscp function.
long long ScriptEngineFunctionInterlockedExchange (long long volatile *Target, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange function.
long long ScriptEngineFunctionInterlockedExchangeAdd (long long volatile *Addend, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange_add function.
long long ScriptEngineFunctionInterlockedIncrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_increment function.
long long ScriptEngineFunctionInterlockedDecrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_decrement function.
long long ScriptEngineFunctionInterlockedCompareExchange (long long volatile *Destination, long long ExChange, long long Comperand, BOOL *HasError)
 Implementation of interlocked_compare_exchange function.
VOID ScriptEngineFunctionEventEnable (UINT64 EventId)
 Implementation of event_enable function.
VOID ScriptEngineFunctionEventDisable (UINT64 EventId)
 Implementation of event_disable function.
VOID ScriptEngineFunctionEventClear (UINT64 EventId)
 Implementation of event_clear function.
VOID ScriptEngineFunctionPause (ACTION_BUFFER *ActionDetail, PGUEST_REGS GuestRegs)
 Implementation of pause function.
VOID ScriptEngineFunctionFlush ()
 Implementation of flush function.
VOID ScriptEngineFunctionShortCircuitingEvent (UINT64 State, ACTION_BUFFER *ActionDetail)
 Implementation of event_ignore function.
VOID ScriptEngineFunctionFormats (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of formats function.
UINT32 CustomStrlen (UINT64 StrAddr, BOOLEAN IsWstring)
 Custom VMX-root compatible strlen.
BOOLEAN CheckIfStringIsSafe (UINT64 StrAddr, BOOLEAN IsWstring)
 Check if string is safe to be accessed or not (in vmx-root mode).
VOID ApplyFormatSpecifier (const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, UINT32 SizeOfFinalBuffer)
 Apply format specifiers (d, x, llx, etc.).
size_t WcharToChar (const wchar_t *src, char *dest, size_t dest_len)
 Convert WCHAR* to CHAR*.
BOOLEAN ApplyStringFormatSpecifier (const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, BOOLEAN IsWstring, UINT32 SizeOfFinalBuffer)
 Apply string format specifiers (s, ws, etc.).
VOID ScriptEngineFunctionPrintf (PGUEST_REGS GuestRegs, ACTION_BUFFER *ActionDetail, SCRIPT_ENGINE_GENERAL_REGISTERS *ScriptGeneralRegisters, UINT64 Tag, BOOLEAN ImmediateMessagePassing, char *Format, UINT64 ArgCount, PSYMBOL FirstArg, BOOLEAN *HasError)
 Implementation of printf function.
VOID ScriptEngineFunctionEventInject (UINT32 InterruptionType, UINT32 Vector, BOOL *HasError)
 Implementation of event_inject function.
VOID ScriptEngineFunctionEventInjectErrorCode (UINT32 InterruptionType, UINT32 Vector, UINT32 ErrorCode, BOOL *HasError)
 Implementation of event_inject_error_code function.
UINT64 ScriptEngineFunctionStrcmp (const char *Address1, const char *Address2)
 Implementation of strcmp function.
UINT64 ScriptEngineFunctionStrncmp (const char *Address1, const char *Address2, size_t Num)
 Implementation of strcmp function.
UINT64 ScriptEngineFunctionWcscmp (const wchar_t *Address1, const wchar_t *Address2)
 Implementation of wcscmp function.
UINT64 ScriptEngineFunctionWcsncmp (const wchar_t *Address1, const wchar_t *Address2, size_t Num)
 Implementation of wcsncmp function.
UINT64 ScriptEngineFunctionMemcmp (const char *Address1, const char *Address2, size_t Count)
 Implementation of memcmp function.
VOID ScriptEngineFunctionEventTraceInstrumentationStep ()
 Implementation of event_trace_instrumentation_step function.
VOID ScriptEngineFunctionEventTraceStepIn ()
 Implementation of event_trace_step_in function.
BOOLEAN ScriptEngineFunctionLbrSave ()
 Implementation of lbr_save function.
BOOLEAN ScriptEngineFunctionLbrPrint ()
 Implementation of lbr_print function.
BOOLEAN ScriptEngineFunctionLbrCheck ()
 Implementation of lbr_check function.
BOOLEAN ScriptEngineFunctionLbrRestore ()
 Implementation of lbr_restore function.
BOOLEAN ScriptEngineFunctionLbrRestoreByFilter (UINT64 FilterOptions)
 Implementation of lbr_restore_by_filter function.

Detailed Description

Script engine functions implementations.

Author
M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2022-06-29

Function Documentation

◆ ApplyFormatSpecifier()

VOID ApplyFormatSpecifier ( const CHAR * CurrentSpecifier,
CHAR * FinalBuffer,
PUINT32 CurrentProcessedPositionFromStartOfFormat,
PUINT32 CurrentPositionInFinalBuffer,
UINT64 Val,
UINT32 SizeOfFinalBuffer )

Apply format specifiers (d, x, llx, etc.).

Parameters
CurrentSpecifier
FinalBuffer
CurrentProcessedPositionFromStartOfFormat
CurrentPositionInFinalBuffer
Val
SizeOfFinalBuffer
Returns
VOID
1333{
1334 UINT32 TempBufferLen = 0;
1335 CHAR TempBuffer[50 + 1] = {
1336 0}; // Maximum uint64_t is 18446744073709551615 + 1 thus its 20 character
1337 // for maximum buffer + 1 end char null but we alloc 50 to be sure
1338
1339 *CurrentProcessedPositionFromStartOfFormat =
1340 *CurrentProcessedPositionFromStartOfFormat + (UINT32)strlen(CurrentSpecifier);
1341 PlatformSprintf(TempBuffer, sizeof(TempBuffer), CurrentSpecifier, Val);
1342 TempBufferLen = (UINT32)strlen(TempBuffer);
1343
1344 //
1345 // Check final buffer capacity
1346 //
1347 if (*CurrentPositionInFinalBuffer + TempBufferLen > SizeOfFinalBuffer)
1348 {
1349 //
1350 // Over passed buffer
1351 //
1352 return;
1353 }
1354
1355 memcpy(&FinalBuffer[*CurrentPositionInFinalBuffer], TempBuffer, TempBufferLen);
1356
1357 *CurrentPositionInFinalBuffer = *CurrentPositionInFinalBuffer + TempBufferLen;
1358}
INT PlatformSprintf(char *Buffer, SIZE_T BufferSize, const char *Format,...)
Platform independent wrapper for sprintf_s / snprintf.
Definition PlatformMem.c:29
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33

◆ ApplyStringFormatSpecifier()

BOOLEAN ApplyStringFormatSpecifier ( const CHAR * CurrentSpecifier,
CHAR * FinalBuffer,
PUINT32 CurrentProcessedPositionFromStartOfFormat,
PUINT32 CurrentPositionInFinalBuffer,
UINT64 Val,
BOOLEAN IsWstring,
UINT32 SizeOfFinalBuffer )

Apply string format specifiers (s, ws, etc.).

Parameters
CurrentSpecifier
FinalBuffer
CurrentProcessedPositionFromStartOfFormat
CurrentPositionInFinalBuffer
Val
IsWstring
SizeOfFinalBuffer
Returns
BOOLEAN
1412{
1413 UINT32 StringSize;
1414 wchar_t WstrBuffer[50];
1415 CHAR AsciiBuffer[sizeof(WstrBuffer) / 2];
1416 UINT32 StringSizeInByte; /* because of wide-char */
1417 UINT32 CountOfBlocks;
1418 UINT32 CopiedBlockLen;
1419
1420 //
1421 // First we have to check if string is valid or not
1422 //
1423 if (!CheckIfStringIsSafe(Val, IsWstring))
1424 {
1425 return FALSE;
1426 }
1427
1428 //
1429 // get the length of the string (format) identifier
1430 //
1431 *CurrentProcessedPositionFromStartOfFormat += (UINT32)strlen(CurrentSpecifier);
1432
1433 //
1434 // Get string len
1435 //
1436 StringSize = CustomStrlen(Val, IsWstring);
1437
1438 //
1439 // Check final buffer capacity
1440 //
1441 if (*CurrentPositionInFinalBuffer + StringSize > SizeOfFinalBuffer)
1442 {
1443 //
1444 // Over passed buffer
1445 //
1446 return TRUE;
1447 }
1448
1449 //
1450 // Move the buffer string into the target buffer
1451 //
1452 if (IsWstring)
1453 {
1454 //
1455 // Parse wstring
1456 //
1457 StringSizeInByte = StringSize * 2; /* because of wide-char */
1458
1459 //
1460 // compute the ceiling
1461 //
1462 if (StringSizeInByte % sizeof(WstrBuffer) == 0)
1463 {
1464 CountOfBlocks = StringSizeInByte / sizeof(WstrBuffer);
1465 }
1466 else
1467 {
1468 CountOfBlocks = (StringSizeInByte / sizeof(WstrBuffer)) + 1;
1469 }
1470
1471 for (size_t i = 0; i < CountOfBlocks; i++)
1472 {
1473 //
1474 // Zero the buffers
1475 //
1476 PlatformZeroMemory(WstrBuffer, sizeof(WstrBuffer));
1477 PlatformZeroMemory(AsciiBuffer, sizeof(AsciiBuffer));
1478
1479 //
1480 // Check for the last block
1481 //
1482 if (i == CountOfBlocks - 1)
1483 {
1484 //
1485 // A portion of block
1486 //
1487
1488#ifdef SCRIPT_ENGINE_USER_MODE
1489 memcpy(WstrBuffer, (void *)(Val + (i * sizeof(WstrBuffer))), StringSizeInByte % sizeof(WstrBuffer));
1490#endif // SCRIPT_ENGINE_USER_MODE
1491
1492#ifdef SCRIPT_ENGINE_KERNEL_MODE
1494 (UINT64)(Val + (i * sizeof(WstrBuffer))),
1495 WstrBuffer,
1496 StringSizeInByte % sizeof(WstrBuffer));
1497#endif // SCRIPT_ENGINE_KERNEL_MODE
1498 }
1499 else
1500 {
1501 //
1502 // A complete block
1503 //
1504
1505#ifdef SCRIPT_ENGINE_USER_MODE
1506 memcpy(WstrBuffer, (void *)(Val + (i * sizeof(WstrBuffer))), sizeof(WstrBuffer));
1507#endif // SCRIPT_ENGINE_USER_MODE
1508
1509#ifdef SCRIPT_ENGINE_KERNEL_MODE
1511 (UINT64)(Val + (i * sizeof(WstrBuffer))),
1512 WstrBuffer,
1513 sizeof(WstrBuffer));
1514#endif // SCRIPT_ENGINE_KERNEL_MODE
1515 }
1516
1517 //
1518 // Here we have the filled WstrBuffer
1519 // We should convert WstrBuffer to AsciiBuffer
1520 //
1521 CopiedBlockLen =
1522 (UINT32)WcharToChar(WstrBuffer, AsciiBuffer, sizeof(AsciiBuffer) + 1);
1523
1524 //
1525 // Now we should move the AsciiBuffer to the target buffer
1526 // (when we filled AsciiBuffer the memory here is safe so we
1527 // can use memcpy in both user-mode and vmx-root mode)
1528 //
1529 memcpy(&FinalBuffer[*CurrentPositionInFinalBuffer], (void *)AsciiBuffer, CopiedBlockLen + 1);
1530
1531 *CurrentPositionInFinalBuffer += CopiedBlockLen + 1;
1532 }
1533 }
1534 else
1535 {
1536 //
1537 // Parse string
1538 //
1539#ifdef SCRIPT_ENGINE_USER_MODE
1540 memcpy(&FinalBuffer[*CurrentPositionInFinalBuffer], (void *)Val, StringSize);
1541#endif // SCRIPT_ENGINE_USER_MODE
1542
1543#ifdef SCRIPT_ENGINE_KERNEL_MODE
1545 Val,
1546 &FinalBuffer[*CurrentPositionInFinalBuffer],
1547 StringSize);
1548#endif // SCRIPT_ENGINE_KERNEL_MODE
1549
1550 *CurrentPositionInFinalBuffer += StringSize;
1551 }
1552
1553 return TRUE;
1554}
BOOLEAN CheckIfStringIsSafe(UINT64 StrAddr, BOOLEAN IsWstring)
Check if string is safe to be accessed or not (in vmx-root mode).
Definition Functions.c:1298
UINT32 CustomStrlen(UINT64 StrAddr, BOOLEAN IsWstring)
Custom VMX-root compatible strlen.
Definition Functions.c:1264
size_t WcharToChar(const wchar_t *src, char *dest, size_t dest_len)
Convert WCHAR* to CHAR*.
Definition Functions.c:1369
VOID PlatformZeroMemory(PVOID Destination, SIZE_T Size)
Zeros a memory block.
Definition PlatformMem.c:155
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(_In_ UINT64 VaAddressToRead, _Inout_ PVOID BufferToSaveMemory, _In_ SIZE_T SizeToRead)

◆ CheckIfStringIsSafe()

BOOLEAN CheckIfStringIsSafe ( UINT64 StrAddr,
BOOLEAN IsWstring )

Check if string is safe to be accessed or not (in vmx-root mode).

Parameters
StrAddr
IsWstring
Returns
BOOLEAN
1299{
1300#ifdef SCRIPT_ENGINE_USER_MODE
1301 return TRUE;
1302#endif // SCRIPT_ENGINE_USER_MODE
1303
1304#ifdef SCRIPT_ENGINE_KERNEL_MODE
1305
1306 //
1307 // At least two chars (wchar_t is 4 byte)
1308 //
1309 if (CheckAccessValidityAndSafety(StrAddr, IsWstring ? 4 : 2))
1310 {
1311 return TRUE;
1312 }
1313 else
1314 {
1315 return FALSE;
1316 }
1317#endif // SCRIPT_ENGINE_KERNEL_MODE
1318}
IMPORT_EXPORT_VMM BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:318

◆ CustomStrlen()

UINT32 CustomStrlen ( UINT64 StrAddr,
BOOLEAN IsWstring )

Custom VMX-root compatible strlen.

Parameters
StrAddr
IsWstring
Returns
UINT32
1265{
1266#ifdef SCRIPT_ENGINE_USER_MODE
1267
1268 if (IsWstring)
1269 {
1270 return (UINT32)wcslen((const wchar_t *)StrAddr);
1271 }
1272 else
1273 {
1274 return (UINT32)strlen((const char *)StrAddr);
1275 }
1276#endif // SCRIPT_ENGINE_USER_MODE
1277
1278#ifdef SCRIPT_ENGINE_KERNEL_MODE
1279 if (IsWstring)
1280 {
1281 return VmFuncVmxCompatibleWcslen((const wchar_t *)StrAddr);
1282 }
1283 else
1284 {
1285 return VmFuncVmxCompatibleStrlen((const CHAR *)StrAddr);
1286 }
1287#endif // SCRIPT_ENGINE_KERNEL_MODE
1288}
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleWcslen(const WCHAR *s)
VMX-root compatible strlen.
Definition Export.c:873
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleStrlen(const CHAR *s)
VMX-root compatible strlen.
Definition Export.c:861

◆ GetValue()

UINT64 GetValue ( PGUEST_REGS GuestRegs,
PACTION_BUFFER ActionBuffer,
PSCRIPT_ENGINE_GENERAL_REGISTERS ScriptGeneralRegisters,
PSYMBOL Symbol,
BOOLEAN ReturnReference )

Get the Value (reg, peseudo-reg, etc.).

Parameters
GuestRegs
ActionBuffer
ScriptGeneralRegisters
Symbol
ReturnReference
Returns
UINT64
97{
98 switch (Symbol->Type)
99 {
101
102 if (ReturnReference)
103 return ((UINT64)(&ScriptGeneralRegisters->GlobalVariablesList[Symbol->Value]));
104 else
105 return ScriptGeneralRegisters->GlobalVariablesList[Symbol->Value];
106
107 case SYMBOL_NUM_TYPE:
108
109 if (ReturnReference)
110 return ((UINT64)&Symbol->Value);
111 else
112 return Symbol->Value;
113
115
116 if (ReturnReference)
117 return (UINT64)NULL; // Not reasonable, you should not dereference a register!
118 else
119 return GetRegValue(GuestRegs, (REGS_ENUM)Symbol->Value);
120
122
123 if (ReturnReference)
124 return (UINT64)NULL; // Not reasonable, you should not dereference a pseudo-register!
125 else
126 return GetPseudoRegValue(Symbol, ActionBuffer);
127
129 if (ReturnReference)
130 return (UINT64)&ScriptGeneralRegisters->StackIndx;
131 else
132 return ScriptGeneralRegisters->StackIndx;
133
135 if (ReturnReference)
136 return (UINT64)&ScriptGeneralRegisters->StackBaseIndx;
137 else
138 return ScriptGeneralRegisters->StackBaseIndx;
139
141 if (ReturnReference)
142 return (UINT64)&ScriptGeneralRegisters->ReturnValue;
143 else
144 return ScriptGeneralRegisters->ReturnValue;
145
146 case SYMBOL_TEMP_TYPE:
147
148 if (ReturnReference)
149 return (UINT64)&ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx + Symbol->Value];
150 else
151 return ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx + Symbol->Value];
152
154
155 return (UINT64)&ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx + Symbol->Value];
156
158
159 return *(UINT64 *)ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx + Symbol->Value];
160
162
163 if (ReturnReference)
164 return (UINT64)&ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx - 3 - Symbol->Value];
165 else
166 return ScriptGeneralRegisters->StackBuffer[ScriptGeneralRegisters->StackBaseIndx - 3 - Symbol->Value];
167 }
168
169 //
170 // Shouldn't reach here
171 //
172 return NULL64_ZERO;
173}
UINT64 GetRegValue(PGUEST_REGS GuestRegs, REGS_ENUM RegId)
Get the register value.
Definition Regs.c:40
UINT64 GetPseudoRegValue(PSYMBOL Symbol, PACTION_BUFFER ActionBuffer)
Get the Pseudo reg value.
Definition ScriptEngineEval.c:24
#define NULL64_ZERO
Definition BasicTypes.h:111
#define SYMBOL_STACK_INDEX_TYPE
Definition ScriptEngineCommonDefinitions.h:58
#define SYMBOL_REGISTER_TYPE
Definition ScriptEngineCommonDefinitions.h:47
REGS_ENUM
Definition ScriptEngineCommonDefinitions.h:315
#define SYMBOL_TEMP_TYPE
Definition ScriptEngineCommonDefinitions.h:50
#define SYMBOL_GLOBAL_ID_TYPE
Definition ScriptEngineCommonDefinitions.h:44
#define SYMBOL_FUNCTION_PARAMETER_ID_TYPE
Definition ScriptEngineCommonDefinitions.h:55
#define SYMBOL_REFERENCE_TEMP_TYPE
Definition ScriptEngineCommonDefinitions.h:62
#define SYMBOL_STACK_BASE_INDEX_TYPE
Definition ScriptEngineCommonDefinitions.h:59
#define SYMBOL_DEREFERENCE_TEMP_TYPE
Definition ScriptEngineCommonDefinitions.h:64
#define SYMBOL_PSEUDO_REG_TYPE
Definition ScriptEngineCommonDefinitions.h:48
#define SYMBOL_RETURN_VALUE_TYPE
Definition ScriptEngineCommonDefinitions.h:60
#define SYMBOL_NUM_TYPE
Definition ScriptEngineCommonDefinitions.h:46
NULL()
Definition test-case-generator.py:530
UINT64 * GlobalVariablesList
Definition BasicTypes.h:225
UINT64 StackIndx
Definition BasicTypes.h:226
UINT64 * StackBuffer
Definition BasicTypes.h:224
UINT64 StackBaseIndx
Definition BasicTypes.h:227
UINT64 ReturnValue
Definition BasicTypes.h:228
long long unsigned Value
Definition ScriptEngineCommonDefinitions.h:9
long long unsigned Type
Definition ScriptEngineCommonDefinitions.h:7

◆ ScriptEngineFunctionCheckAddress()

BOOLEAN ScriptEngineFunctionCheckAddress ( UINT64 Address,
UINT32 Length )

Check whether the address is valid or not.

Parameters
Address
Length
Returns
BOOLEAN
291{
292#ifdef SCRIPT_ENGINE_USER_MODE
293
294 if (CheckAccessValidityAndSafety(Address, Length))
295 {
296 return TRUE;
297 }
298
299#endif // SCRIPT_ENGINE_USER_MODE
300
301#ifdef SCRIPT_ENGINE_KERNEL_MODE
302
303 if (CheckAccessValidityAndSafety(Address, Length))
304 {
305 return TRUE;
306 }
307
308#endif // SCRIPT_ENGINE_KERNEL_MODE
309
310 return FALSE;
311}

◆ ScriptEngineFunctionDisassembleLen()

UINT64 ScriptEngineFunctionDisassembleLen ( PVOID Address,
BOOLEAN Is32Bit )

Implementation of disassemble_len function.

Parameters
Address
Is32Bit
Returns
UINT64
760{
761 UINT64 Result = 0;
762#ifdef SCRIPT_ENGINE_USER_MODE
763 Result = HyperDbgLengthDisassemblerEngine((unsigned char *)Address, MAXIMUM_INSTR_SIZE, Is32Bit ? FALSE : TRUE);
764#endif // SCRIPT_ENGINE_USER_MODE
765
766#ifdef SCRIPT_ENGINE_KERNEL_MODE
768#endif // SCRIPT_ENGINE_KERNEL_MODE
769
770 return Result;
771}
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:470
IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess(PVOID Address, BOOLEAN Is32Bit)
Disassembler length disassembler engine.
Definition Disassembler.c:297
UINT32 HyperDbgLengthDisassemblerEngine(UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
Length Disassembler engine based on Zydis.
Definition disassembler.cpp:856

◆ ScriptEngineFunctionEb()

BOOLEAN ScriptEngineFunctionEb ( UINT64 Address,
BYTE Value,
BOOL * HasError )

Implementation of eb function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
127{
128 UNREFERENCED_PARAMETER(HasError);
129
130#ifdef SCRIPT_ENGINE_KERNEL_MODE
131
132 if (!CheckAccessValidityAndSafety(Address, sizeof(BYTE)))
133 {
134 //
135 // Instead of indicating an error, just return false
136 // to assign it as a return result to a variable
137 //
138 // *HasError = TRUE;
139
140 return FALSE;
141 }
142
143#endif // SCRIPT_ENGINE_KERNEL_MODE
144
145#ifdef SCRIPT_ENGINE_USER_MODE
146 *(BYTE *)Address = Value;
147#endif // SCRIPT_ENGINE_USER_MODE
148
149#ifdef SCRIPT_ENGINE_KERNEL_MODE
151#endif // SCRIPT_ENGINE_KERNEL_MODE
152
153 return TRUE;
154}
unsigned char BYTE
Definition BasicTypes.h:40
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeOnTargetProcess(_Inout_ UINT64 Destination, _In_ PVOID Source, _In_ SIZE_T Size)
RequestedActionOfThePacket Value(0x1) 00000000

◆ ScriptEngineFunctionEbPa()

BOOLEAN ScriptEngineFunctionEbPa ( UINT64 Address,
BYTE Value,
BOOL * HasError )

Implementation of eb function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
250{
251 UNREFERENCED_PARAMETER(HasError);
252
253#ifdef SCRIPT_ENGINE_KERNEL_MODE
254
255 if (!CheckAddressPhysical(Address))
256 {
257 //
258 // Instead of indicating an error, just return false
259 // to assign it as a return result to a variable
260 //
261 // *HasError = TRUE;
262
263 return FALSE;
264 }
265
266#endif // SCRIPT_ENGINE_KERNEL_MODE
267
268#ifdef SCRIPT_ENGINE_USER_MODE
269
270 ShowMessages("err, using physical address functions (eb_pa) is not possible in user-mode\n");
271 return FALSE;
272
273#endif // SCRIPT_ENGINE_USER_MODE
274
275#ifdef SCRIPT_ENGINE_KERNEL_MODE
276 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(BYTE));
277#endif // SCRIPT_ENGINE_KERNEL_MODE
278
279 return TRUE;
280}
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeByPhysicalAddress(_Inout_ UINT64 DestinationPa, _In_ UINT64 Source, _In_ SIZE_T SizeToWrite)
IMPORT_EXPORT_VMM BOOLEAN CheckAddressPhysical(UINT64 PAddr)
Checks if the physical address is correct or not based on physical address width.
Definition AddressCheck.c:120

◆ ScriptEngineFunctionEd()

BOOLEAN ScriptEngineFunctionEd ( UINT64 Address,
DWORD Value,
BOOL * HasError )

Implementation of ed function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
88{
89 UNREFERENCED_PARAMETER(HasError);
90
91#ifdef SCRIPT_ENGINE_KERNEL_MODE
92
93 if (!CheckAccessValidityAndSafety(Address, sizeof(DWORD)))
94 {
95 //
96 // Instead of indicating an error, just return false
97 // to assign it as a return result to a variable
98 //
99 // *HasError = TRUE;
100
101 return FALSE;
102 }
103
104#endif // SCRIPT_ENGINE_KERNEL_MODE
105
106#ifdef SCRIPT_ENGINE_USER_MODE
107 *(DWORD *)Address = Value;
108#endif // SCRIPT_ENGINE_USER_MODE
109
110#ifdef SCRIPT_ENGINE_KERNEL_MODE
112#endif // SCRIPT_ENGINE_KERNEL_MODE
113
114 return TRUE;
115}
unsigned long DWORD
Definition BasicTypes.h:38

◆ ScriptEngineFunctionEdPa()

BOOLEAN ScriptEngineFunctionEdPa ( UINT64 Address,
DWORD Value,
BOOL * HasError )

Implementation of ed function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
208{
209 UNREFERENCED_PARAMETER(HasError);
210
211#ifdef SCRIPT_ENGINE_KERNEL_MODE
212
213 if (!CheckAddressPhysical(Address))
214 {
215 //
216 // Instead of indicating an error, just return false
217 // to assign it as a return result to a variable
218 //
219 // *HasError = TRUE;
220
221 return FALSE;
222 }
223
224#endif // SCRIPT_ENGINE_KERNEL_MODE
225
226#ifdef SCRIPT_ENGINE_USER_MODE
227
228 ShowMessages("err, using physical address functions (ed_pa) is not possible in user-mode\n");
229 return FALSE;
230
231#endif // SCRIPT_ENGINE_USER_MODE
232
233#ifdef SCRIPT_ENGINE_KERNEL_MODE
234 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(DWORD));
235#endif // SCRIPT_ENGINE_KERNEL_MODE
236
237 return TRUE;
238}

◆ ScriptEngineFunctionEq()

BOOLEAN ScriptEngineFunctionEq ( UINT64 Address,
QWORD Value,
BOOL * HasError )

Implementation of eq function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
49{
50 UNREFERENCED_PARAMETER(HasError);
51
52#ifdef SCRIPT_ENGINE_KERNEL_MODE
53
54 if (!CheckAccessValidityAndSafety(Address, sizeof(QWORD)))
55 {
56 //
57 // Instead of indicating an error, just return false
58 // to assign it as a return result to a variable
59 //
60 // *HasError = TRUE;
61
62 return FALSE;
63 }
64
65#endif // SCRIPT_ENGINE_KERNEL_MODE
66
67#ifdef SCRIPT_ENGINE_USER_MODE
68 *(UINT64 *)Address = Value;
69#endif // SCRIPT_ENGINE_USER_MODE
70
71#ifdef SCRIPT_ENGINE_KERNEL_MODE
73#endif // SCRIPT_ENGINE_KERNEL_MODE
74
75 return TRUE;
76}
unsigned long long QWORD
Definition BasicTypes.h:24

◆ ScriptEngineFunctionEqPa()

BOOLEAN ScriptEngineFunctionEqPa ( UINT64 Address,
QWORD Value,
BOOL * HasError )

Implementation of eq function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
166{
167 UNREFERENCED_PARAMETER(HasError);
168
169#ifdef SCRIPT_ENGINE_KERNEL_MODE
170
171 if (!CheckAddressPhysical(Address))
172 {
173 //
174 // Instead of indicating an error, just return false
175 // to assign it as a return result to a variable
176 //
177 // *HasError = TRUE;
178
179 return FALSE;
180 }
181
182#endif // SCRIPT_ENGINE_KERNEL_MODE
183
184#ifdef SCRIPT_ENGINE_USER_MODE
185
186 ShowMessages("err, using physical address functions (eq_pa) is not possible in user-mode\n");
187 return FALSE;
188
189#endif // SCRIPT_ENGINE_USER_MODE
190
191#ifdef SCRIPT_ENGINE_KERNEL_MODE
192 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(QWORD));
193#endif // SCRIPT_ENGINE_KERNEL_MODE
194
195 return TRUE;
196}

◆ ScriptEngineFunctionEventClear()

VOID ScriptEngineFunctionEventClear ( UINT64 EventId)

Implementation of event_clear function.

Parameters
EventId
Returns
VOID
1059{
1060#ifdef SCRIPT_ENGINE_USER_MODE
1061 ShowMessages("err, disabling events is not possible in user-mode\n");
1062#endif // SCRIPT_ENGINE_USER_MODE
1063
1064#ifdef SCRIPT_ENGINE_KERNEL_MODE
1065
1066 BOOLEAN PoolManagerAllocatedMemory = FALSE;
1067
1069 {
1070 PoolManagerAllocatedMemory = TRUE;
1071 }
1072
1073 if (!DebuggerClearEvent(EventId + DebuggerEventTagStartSeed, VmFuncVmxGetCurrentExecutionMode(), PoolManagerAllocatedMemory))
1074 {
1075 LogInfo("Invalid tag id (%x)", EventId);
1076 }
1077#endif // SCRIPT_ENGINE_KERNEL_MODE
1078}
#define EnableInstantEventMechanism
Enable or disable the instant event mechanism.
Definition Configuration.h:70
BOOLEAN DebuggerClearEvent(UINT64 Tag, BOOLEAN InputFromVmxRoot, BOOLEAN PoolManagerAllocatedMemory)
Clear an event by tag.
Definition Debugger.c:2434
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:230
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
IMPORT_EXPORT_VMM BOOLEAN VmFuncVmxGetCurrentExecutionMode()
Get the current VMX operation state.
Definition Export.c:802
BOOLEAN g_KernelDebuggerState
shows whether the kernel debugger is enabled or disabled
Definition Global.h:151

◆ ScriptEngineFunctionEventDisable()

VOID ScriptEngineFunctionEventDisable ( UINT64 EventId)

Implementation of event_disable function.

Parameters
EventId
Returns
VOID
1037{
1038#ifdef SCRIPT_ENGINE_USER_MODE
1039 ShowMessages("err, disabling events is not possible in user-mode\n");
1040#endif // SCRIPT_ENGINE_USER_MODE
1041
1042#ifdef SCRIPT_ENGINE_KERNEL_MODE
1044 {
1045 LogInfo("Invalid tag id (%x)", EventId);
1046 }
1047#endif // SCRIPT_ENGINE_KERNEL_MODE
1048}
BOOLEAN DebuggerDisableEvent(UINT64 Tag)
Disable an event by tag.
Definition Debugger.c:2397

◆ ScriptEngineFunctionEventEnable()

VOID ScriptEngineFunctionEventEnable ( UINT64 EventId)

Implementation of event_enable function.

Parameters
EventId
Returns
VOID
1015{
1016#ifdef SCRIPT_ENGINE_USER_MODE
1017 ShowMessages("err, enabling events is not possible in user-mode\n");
1018#endif // SCRIPT_ENGINE_USER_MODE
1019
1020#ifdef SCRIPT_ENGINE_KERNEL_MODE
1022 {
1023 LogInfo("Invalid tag id (%x)", EventId);
1024 }
1025#endif // SCRIPT_ENGINE_KERNEL_MODE
1026}
BOOLEAN DebuggerEnableEvent(UINT64 Tag)
Enable an event by tag.
Definition Debugger.c:2336

◆ ScriptEngineFunctionEventInject()

VOID ScriptEngineFunctionEventInject ( UINT32 InterruptionType,
UINT32 Vector,
BOOL * HasError )

Implementation of event_inject function.

Parameters
InterruptionType
Vector
HasError
Returns
VOID
1799{
1800 UNREFERENCED_PARAMETER(HasError);
1801
1802#ifdef SCRIPT_ENGINE_USER_MODE
1803
1804 ShowMessages("err, event_inject is not supported in user-mode\n");
1805
1806#endif // SCRIPT_ENGINE_USER_MODE
1807
1808#ifdef SCRIPT_ENGINE_KERNEL_MODE
1809
1810 //
1811 // Validate the arguments
1812 //
1813 if (Vector >= 256 || InterruptionType >= 8)
1814 {
1815 LogInfo("Err, invalid event vector or interruption type is specified");
1816 return;
1817 }
1818 else
1819 {
1820 VmFuncEventInjectInterruption(InterruptionType, Vector, FALSE, 0);
1821 }
1822
1823#endif // SCRIPT_ENGINE_KERNEL_MODE
1824}
IMPORT_EXPORT_VMM VOID VmFuncEventInjectInterruption(UINT32 InterruptionType, UINT32 Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
Inject interrupt/faults/exceptions.
Definition Export.c:936

◆ ScriptEngineFunctionEventInjectErrorCode()

VOID ScriptEngineFunctionEventInjectErrorCode ( UINT32 InterruptionType,
UINT32 Vector,
UINT32 ErrorCode,
BOOL * HasError )

Implementation of event_inject_error_code function.

Parameters
InterruptionType
Vector
ErrorCode
HasError
Returns
VOID
1837{
1838 UNREFERENCED_PARAMETER(HasError);
1839
1840#ifdef SCRIPT_ENGINE_USER_MODE
1841
1842 ShowMessages("err, event_inject is not supported in user-mode\n");
1843
1844#endif // SCRIPT_ENGINE_USER_MODE
1845
1846#ifdef SCRIPT_ENGINE_KERNEL_MODE
1847
1848 //
1849 // Validate the arguments
1850 //
1851 if (Vector >= 256 || InterruptionType >= 8)
1852 {
1853 LogInfo("Err, invalid event vector or interruption type is specified");
1854 return;
1855 }
1856 else
1857 {
1858 VmFuncEventInjectInterruption(InterruptionType, Vector, TRUE, ErrorCode);
1859 }
1860
1861#endif // SCRIPT_ENGINE_KERNEL_MODE
1862}

◆ ScriptEngineFunctionEventTraceInstrumentationStep()

VOID ScriptEngineFunctionEventTraceInstrumentationStep ( )

Implementation of event_trace_instrumentation_step function.

Returns
VOID
1988{
1989#ifdef SCRIPT_ENGINE_USER_MODE
1990 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
1991#endif // SCRIPT_ENGINE_USER_MODE
1992
1993#ifdef SCRIPT_ENGINE_KERNEL_MODE
1994
1995 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1996
1997 //
1998 // Call instrumentation step in
1999 //
2001
2002#endif // SCRIPT_ENGINE_KERNEL_MODE
2003}
VOID TracingPerformInstrumentationStepIn(PROCESSOR_DEBUGGING_STATE *DbgState)
Perform tracing of instructions (instrumentation step-in).
Definition Tracing.c:22
unsigned long ULONG
Definition BasicTypes.h:31
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17

◆ ScriptEngineFunctionEventTraceStepIn()

VOID ScriptEngineFunctionEventTraceStepIn ( )

Implementation of event_trace_step_in function.

Returns
VOID
2012{
2013#ifdef SCRIPT_ENGINE_USER_MODE
2014 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
2015#endif // SCRIPT_ENGINE_USER_MODE
2016
2017#ifdef SCRIPT_ENGINE_KERNEL_MODE
2018
2019 //
2020 // Call instrumentation step in
2021 //
2023
2024#endif // SCRIPT_ENGINE_KERNEL_MODE
2025}
VOID TracingPerformRegularStepInInstruction()
Regular step-in, step one instruction to the debuggee.
Definition Tracing.c:135

◆ ScriptEngineFunctionFlush()

VOID ScriptEngineFunctionFlush ( )

Implementation of flush function.

Returns
VOID
1164{
1165#ifdef SCRIPT_ENGINE_USER_MODE
1166 ShowMessages("err, it's not possible to flush buffers in user-mode\n");
1167#endif // SCRIPT_ENGINE_USER_MODE
1168
1169#ifdef SCRIPT_ENGINE_KERNEL_MODE
1170
1171 //
1172 // Mark all buffers as read
1173 //
1176
1177#endif // SCRIPT_ENGINE_KERNEL_MODE
1178}
IMPORT_EXPORT_HYPERLOG UINT32 LogMarkAllAsRead(BOOLEAN IsVmxRoot)
Mark all buffers as read.
Definition Logging.c:569

◆ ScriptEngineFunctionFormats()

VOID ScriptEngineFunctionFormats ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of formats function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
1227{
1228#ifdef SCRIPT_ENGINE_USER_MODE
1229
1230 ScriptEngineFunctionTestStatement(Tag, ImmediateMessagePassing, Value);
1231
1232#endif // SCRIPT_ENGINE_USER_MODE
1233
1234#ifdef SCRIPT_ENGINE_KERNEL_MODE
1236 {
1238 }
1239 else if (g_UserDebuggerState)
1240 {
1242 }
1243 else
1244 {
1245 //
1246 // Prepare a buffer to bypass allocating a huge stack space for logging
1247 //
1248 char TempBuffer[20] = {0};
1249 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx\n", Value);
1250
1251 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
1252 }
1253#endif // SCRIPT_ENGINE_KERNEL_MODE
1254}
VOID ScriptEngineFunctionTestStatement(UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
Implementation of test_statement function.
Definition Functions.c:627
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:89
VOID KdSendFormatsFunctionResult(UINT64 Value)
Send the result of formats command to the kernel debugger.
Definition Kd.c:863
VOID UdSendFormatsFunctionResult(UINT64 Value)
Send the result of formats command to the user debugger.
Definition Ud.c:195
#define LogSimpleWithTag(tag, isimmdte, buffer, len)
Log without any prefix and bypass the stack problem (getting two temporary stacks in preparing phase)...
Definition HyperDbgHyperLogIntrinsics.h:142
BOOLEAN g_UserDebuggerState
shows whether the user debugger is enabled or disabled
Definition Global.h:157

◆ ScriptEngineFunctionInterlockedCompareExchange()

long long ScriptEngineFunctionInterlockedCompareExchange ( long long volatile * Destination,
long long ExChange,
long long Comperand,
BOOL * HasError )

Implementation of interlocked_compare_exchange function.

Parameters
Destination
ExChange
Comperand
HasError
Returns
long long
988{
989 long long Result = 0;
990
991#ifdef SCRIPT_ENGINE_KERNEL_MODE
992
993 if (!CheckAccessValidityAndSafety((UINT64)Destination, sizeof(long long)))
994 {
995 *HasError = TRUE;
996 return (long long)NULL;
997 }
998
999#endif // SCRIPT_ENGINE_KERNEL_MODE
1000
1001 Result = CpuInterlockedCompareExchange64(Destination, ExChange, Comperand);
1002
1003 return Result;
1004}
INT64 CpuInterlockedCompareExchange64(INT64 volatile *Destination, INT64 ExChange, INT64 Comparand)
Atomic 64-bit compare-exchange.
Definition PlatformIntrinsics.c:396

◆ ScriptEngineFunctionInterlockedDecrement()

long long ScriptEngineFunctionInterlockedDecrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_decrement function.

Parameters
Addend
HasError
Returns
long long
955{
956 long long Result = 0;
957
958#ifdef SCRIPT_ENGINE_KERNEL_MODE
959
960 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
961 {
962 *HasError = TRUE;
963 return (long long)NULL;
964 }
965
966#endif // SCRIPT_ENGINE_KERNEL_MODE
967
968 Result = CpuInterlockedDecrement64(Addend);
969
970 return Result;
971}
INT64 CpuInterlockedDecrement64(INT64 volatile *Addend)
Atomic 64-bit decrement.
Definition PlatformIntrinsics.c:381

◆ ScriptEngineFunctionInterlockedExchange()

long long ScriptEngineFunctionInterlockedExchange ( long long volatile * Target,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange function.

Parameters
Target
Value
HasError
Returns
long long
869{
870 long long Result = 0;
871
872#ifdef SCRIPT_ENGINE_KERNEL_MODE
873
874 if (!CheckAccessValidityAndSafety((UINT64)Target, sizeof(long long)))
875 {
876 *HasError = TRUE;
877 return (long long)NULL;
878 }
879
880#endif // SCRIPT_ENGINE_KERNEL_MODE
881
882 Result = CpuInterlockedExchange64(Target, Value);
883
884 return Result;
885}
INT64 CpuInterlockedExchange64(INT64 volatile *Target, INT64 Value)
Atomic 64-bit exchange.
Definition PlatformIntrinsics.c:336

◆ ScriptEngineFunctionInterlockedExchangeAdd()

long long ScriptEngineFunctionInterlockedExchangeAdd ( long long volatile * Addend,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange_add function.

Parameters
Addend
Value
HasError
Returns
long long
899{
900 long long Result = 0;
901
902#ifdef SCRIPT_ENGINE_KERNEL_MODE
903
904 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
905 {
906 *HasError = TRUE;
907 return (long long)NULL;
908 }
909
910#endif // SCRIPT_ENGINE_KERNEL_MODE
911
912 Result = CpuInterlockedExchangeAdd64(Addend, Value);
913
914 return Result;
915}
INT64 CpuInterlockedExchangeAdd64(INT64 volatile *Addend, INT64 Value)
Atomic 64-bit exchange-add.
Definition PlatformIntrinsics.c:351

◆ ScriptEngineFunctionInterlockedIncrement()

long long ScriptEngineFunctionInterlockedIncrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_increment function.

Parameters
Addend
HasError
Returns
long long
927{
928 long long Result = 0;
929
930#ifdef SCRIPT_ENGINE_KERNEL_MODE
931
932 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
933 {
934 *HasError = TRUE;
935 return (long long)NULL;
936 }
937
938#endif // SCRIPT_ENGINE_KERNEL_MODE
939
940 Result = CpuInterlockedIncrement64(Addend);
941
942 return Result;
943}
INT64 CpuInterlockedIncrement64(INT64 volatile *Addend)
Atomic 64-bit increment.
Definition PlatformIntrinsics.c:366

◆ ScriptEngineFunctionLbrCheck()

BOOLEAN ScriptEngineFunctionLbrCheck ( )

Implementation of lbr_check function.

Returns
BOOLEAN
2080{
2081#ifdef SCRIPT_ENGINE_USER_MODE
2082 ShowMessages("err, it's not possible to call lbr_check function in the user-mode\n");
2083 return FALSE;
2084#endif // SCRIPT_ENGINE_USER_MODE
2085
2086#ifdef SCRIPT_ENGINE_KERNEL_MODE
2087
2088 return HyperTraceLbrCheck();
2089
2090#endif // SCRIPT_ENGINE_KERNEL_MODE
2091}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrCheck()
Check if LBR is supported and enabled on the current core.
Definition LbrApi.c:104

◆ ScriptEngineFunctionLbrPrint()

BOOLEAN ScriptEngineFunctionLbrPrint ( )

Implementation of lbr_print function.

Returns
BOOLEAN
2057{
2058#ifdef SCRIPT_ENGINE_USER_MODE
2059 ShowMessages("err, it's not possible to call lbr_print function in the user-mode\n");
2060 return FALSE;
2061#endif // SCRIPT_ENGINE_USER_MODE
2062
2063#ifdef SCRIPT_ENGINE_KERNEL_MODE
2064
2065 //
2066 // Depending if we are in VMX-root then a VMCALL is issued by default instead, otherwise the VMCALL is ignored
2067 //
2068 return HyperTraceLbrPrint(NULL);
2069
2070#endif // SCRIPT_ENGINE_KERNEL_MODE
2071}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPrint(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Print LBR tracing for HyperTrace.
Definition LbrApi.c:386

◆ ScriptEngineFunctionLbrRestore()

BOOLEAN ScriptEngineFunctionLbrRestore ( )

Implementation of lbr_restore function.

Returns
BOOLEAN
2100{
2101#ifdef SCRIPT_ENGINE_USER_MODE
2102 ShowMessages("err, it's not possible to call lbr_restore function in the user-mode\n");
2103 return FALSE;
2104#endif // SCRIPT_ENGINE_USER_MODE
2105
2106#ifdef SCRIPT_ENGINE_KERNEL_MODE
2107
2108 return HyperTraceLbrRestore();
2109
2110#endif // SCRIPT_ENGINE_KERNEL_MODE
2111}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestore()
Restore (re-enable) LBR collection on the current core with previous filter options.
Definition LbrApi.c:143

◆ ScriptEngineFunctionLbrRestoreByFilter()

BOOLEAN ScriptEngineFunctionLbrRestoreByFilter ( UINT64 FilterOptions)

Implementation of lbr_restore_by_filter function.

Returns
BOOLEAN
2120{
2121#ifdef SCRIPT_ENGINE_USER_MODE
2122 ShowMessages("err, it's not possible to call lbr_restore_by_filter function in the user-mode\n");
2123 return FALSE;
2124#endif // SCRIPT_ENGINE_USER_MODE
2125
2126#ifdef SCRIPT_ENGINE_KERNEL_MODE
2127
2128 return HyperTraceLbrRestoreByFilter(FilterOptions);
2129
2130#endif // SCRIPT_ENGINE_KERNEL_MODE
2131}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestoreByFilter(UINT64 FilterOptions)
Restore (re-enable) LBR collection on the current core with the specified filter options.
Definition LbrApi.c:124

◆ ScriptEngineFunctionLbrSave()

BOOLEAN ScriptEngineFunctionLbrSave ( )

Implementation of lbr_save function.

Returns
BOOLEAN
2034{
2035#ifdef SCRIPT_ENGINE_USER_MODE
2036 ShowMessages("err, it's not possible to call lbr_save function in the user-mode\n");
2037 return FALSE;
2038#endif // SCRIPT_ENGINE_USER_MODE
2039
2040#ifdef SCRIPT_ENGINE_KERNEL_MODE
2041
2042 //
2043 // Depending if we are in VMX-root then a VMCALL is issued by default instead, otherwise the VMCALL is ignored
2044 //
2045 return HyperTraceLbrSave(NULL);
2046
2047#endif // SCRIPT_ENGINE_KERNEL_MODE
2048}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrSave(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Save LBR tracing for HyperTrace.
Definition LbrApi.c:352

◆ ScriptEngineFunctionMemcmp()

UINT64 ScriptEngineFunctionMemcmp ( const char * Address1,
const char * Address2,
size_t Count )

Implementation of memcmp function.

Parameters
Address1
Address2
Count
Returns
UINT64
1968{
1969 UINT64 Result = 0;
1970#ifdef SCRIPT_ENGINE_USER_MODE
1971 Result = memcmp(Address1, Address2, Count);
1972#endif // SCRIPT_ENGINE_USER_MODE
1973
1974#ifdef SCRIPT_ENGINE_KERNEL_MODE
1975 Result = VmFuncVmxCompatibleMemcmp(Address1, Address2, Count);
1976#endif // SCRIPT_ENGINE_KERNEL_MODE
1977
1978 return Result;
1979}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleMemcmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Count)
VMX-root compatible memcmp.
Definition Export.c:1061

◆ ScriptEngineFunctionMemcpy()

VOID ScriptEngineFunctionMemcpy ( UINT64 Destination,
UINT64 Source,
UINT32 Num,
BOOL * HasError )

A VMX-compatible equivalent of memcpy function in C.

Parameters
Destination
Source
Num
HasError
Returns
VOID
324{
325 UINT64 PrevReadLen = 0;
327
328 //
329 // Reject zero-length copies: a Num of 0 would pass address-range
330 // validation vacuously (checking 0 bytes at any mapped page succeeds),
331 // which could be abused as a kernel address-mapping oracle.
332 //
333 if (Num == 0)
334 {
335 *HasError = TRUE;
336 return;
337 }
338
339#ifdef SCRIPT_ENGINE_USER_MODE
340
341 //
342 // Check the destination address
343 //
344 if (!CheckAccessValidityAndSafety(Destination, Num))
345 {
346 *HasError = TRUE;
347 return;
348 }
349
350 //
351 // Check the source address
352 //
353 if (!CheckAccessValidityAndSafety(Source, Num))
354 {
355 *HasError = TRUE;
356 return;
357 }
358
359 //
360 // Address is valid, perform the memcpy in user-mode
361 //
362 memcpy((void *)Destination, (void *)Source, Num);
363
364#endif // SCRIPT_ENGINE_USER_MODE
365
366#ifdef SCRIPT_ENGINE_KERNEL_MODE
367
368 //
369 // Check the destination address
370 //
371 if (!CheckAccessValidityAndSafety(Destination, Num))
372 {
373 *HasError = TRUE;
374 return;
375 }
376
377 //
378 // Check the source address
379 //
380 if (!CheckAccessValidityAndSafety(Source, Num))
381 {
382 *HasError = TRUE;
383 return;
384 }
385
386 //
387 // Address is valid, perform the memcpy in kernel-mode (VMX-root mode)
388 //
389 while (Num > 0)
390 {
391 //
392 // Check the target buffer size
393 //
395 {
396 //
397 // *** The size of read buffer is greater to maximum the moving buffer size ***
398 //
399
400 //
401 // Read memory into the buffer
402 //
404
405 //
406 // Write the moving buffer into the target buffer
407 //
409
410 //
411 // Computing the bytes that we read
412 //
415 }
416 else
417 {
418 //
419 // *** The size of read buffer is lower than or equal to the moving buffer size ***
420 //
421
422 //
423 // Read memory into the buffer
424 //
425 MemoryMapperReadMemorySafeOnTargetProcess(Source + PrevReadLen, MovingBuffer, Num);
426
427 //
428 // Write the moving buffer into the target buffer
429 //
430 MemoryMapperWriteMemorySafeOnTargetProcess(Destination + PrevReadLen, MovingBuffer, Num);
431
432 //
433 // Computing the bytes that we gonna read
434 //
435 PrevReadLen += Num;
436 Num = 0; // or Num -= Num;
437 }
438 }
439
440#endif // SCRIPT_ENGINE_KERNEL_MODE
441}
#define DebuggerScriptEngineMemcpyMovingBufferSize
The size of each chunk of memory used in the 'memcpy' function of the script engine for transferring ...
Definition Constants.h:258
@ Num
Definition commands.h:167

◆ ScriptEngineFunctionMemcpyPa()

VOID ScriptEngineFunctionMemcpyPa ( UINT64 Destination,
UINT64 Source,
UINT32 Num,
BOOL * HasError )

A VMX-compatible equivalent of memcpy function in C for physical memory.

Parameters
Destination
Source
Num
HasError
Returns
VOID
454{
455 UINT64 PrevReadLen = 0;
457
458#ifdef SCRIPT_ENGINE_USER_MODE
459
460 //
461 // Show an error message in user-mode
462 //
463 ShowMessages("err, using physical address functions (memcpy_pa) is not possible in user-mode\n");
464 return;
465
466#endif // SCRIPT_ENGINE_USER_MODE
467
468#ifdef SCRIPT_ENGINE_KERNEL_MODE
469
470 //
471 // Check the destination address (physical)
472 //
473 if (!CheckAddressPhysical(Destination))
474 {
475 *HasError = TRUE;
476 return;
477 }
478
479 //
480 // Check the source address (physical)
481 //
482 if (!CheckAddressPhysical(Source))
483 {
484 *HasError = TRUE;
485 return;
486 }
487
488 //
489 // Address is valid, perform the memcpy in kernel-mode (VMX-root mode)
490 //
491 while (Num > 0)
492 {
493 //
494 // Check the target buffer size
495 //
497 {
498 //
499 // *** The size of read buffer is greater to maximum the moving buffer size ***
500 //
501
502 //
503 // Read memory into the buffer
504 //
506
507 //
508 // Write the moving buffer into the target buffer
509 //
511
512 //
513 // Computing the bytes that we read
514 //
517 }
518 else
519 {
520 //
521 // *** The size of read buffer is lower than or equal to the moving buffer size ***
522 //
523
524 //
525 // Read memory into the buffer
526 //
527 MemoryMapperReadMemorySafeByPhysicalAddress(Source + PrevReadLen, (UINT64)MovingBuffer, Num);
528
529 //
530 // Write the moving buffer into the target buffer
531 //
532 MemoryMapperWriteMemorySafeByPhysicalAddress(Destination + PrevReadLen, (UINT64)MovingBuffer, Num);
533
534 //
535 // Computing the bytes that we gonna read
536 //
537 PrevReadLen += Num;
538 Num = 0; // or Num -= Num;
539 }
540 }
541
542#endif // SCRIPT_ENGINE_KERNEL_MODE
543}
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeByPhysicalAddress(_In_ UINT64 PaAddressToRead, _Inout_ UINT64 BufferToSaveMemory, _In_ SIZE_T SizeToRead)

◆ ScriptEngineFunctionMicroSleep()

VOID ScriptEngineFunctionMicroSleep ( UINT64 Us)

Implementation of microsleep function.

Parameters
Usdelay in micro second
826{
827#ifdef SCRIPT_ENGINE_USER_MODE
828 UserModeMicroSleep(Us);
829#endif
830
831#ifdef SCRIPT_ENGINE_KERNEL_MODE
833#endif
834}
IMPORT_EXPORT_VMM VOID VmFuncVmxCompatibleMicroSleep(UINT64 us)
VMX-root compatible micro sleep.
Definition Export.c:885

◆ ScriptEngineFunctionPause()

VOID ScriptEngineFunctionPause ( ACTION_BUFFER * ActionDetail,
PGUEST_REGS GuestRegs )

Implementation of pause function.

Parameters
ActionDetail
GuestRegs
Returns
VOID
1092{
1093#ifdef SCRIPT_ENGINE_USER_MODE
1094 ShowMessages("err, breaking is not possible in user-mode\n");
1095#endif // SCRIPT_ENGINE_USER_MODE
1096
1097#ifdef SCRIPT_ENGINE_KERNEL_MODE
1098
1099 //
1100 // pause(); function is only working when kernel debugger is working
1101 // it's not designed to work on vmi-mode (local debugging)
1102 //
1104 {
1105 DEBUGGER_TRIGGERED_EVENT_DETAILS TriggeredEventDetail = {0};
1106 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1107
1108 //
1109 // Make the details of context
1110 //
1111 TriggeredEventDetail.Tag = ActionDetail->Tag;
1112 TriggeredEventDetail.Context = (PVOID)ActionDetail->Context;
1113
1114 if (ActionDetail->CallingStage == 1)
1115 {
1116 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION;
1117 }
1118 else
1119 {
1120 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION;
1121 }
1122
1124 {
1125 //
1126 // The guest is already in vmx-root mode
1127 // Halt other cores
1128 //
1129
1131 CurrentCore,
1133 &TriggeredEventDetail);
1134 }
1135 else
1136 {
1137 //
1138 // The guest is on vmx non-root mode, the first parameter
1139 // is context and the second parameter is tag
1140 //
1142 (UINT64)&TriggeredEventDetail,
1143 (UINT64)GuestRegs,
1144 (UINT64)NULL);
1145 }
1146 }
1147 else
1148 {
1149 LogInfo("The 'pause();' function is either called from the vmi-mode or is "
1150 "evaluated by the '?' command. It's not allowed to use it on vmi-mode "
1151 "(local debugging) or by the '?' command");
1152 }
1153
1154#endif // SCRIPT_ENGINE_KERNEL_MODE
1155}
#define DEBUGGER_VMCALL_VM_EXIT_HALT_SYSTEM_AS_A_RESULT_OF_TRIGGERING_EVENT
VMCALL to cause vm-exit and halt the system because of triggering an event.
Definition DebuggerVmcalls.h:29
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpointsCallback(UINT32 CoreId, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle DBs and BPs for kernel debugger.
Definition Kd.c:1087
void * PVOID
Definition BasicTypes.h:56
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED
Definition Connection.h:35
@ DEBUGGEE_PAUSING_REASON_NOT_PAUSED
Definition Connection.h:24
struct _DEBUGGER_TRIGGERED_EVENT_DETAILS DEBUGGER_TRIGGERED_EVENT_DETAILS
The structure of detail of a triggered event in HyperDbg.
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:127
IMPORT_EXPORT_VMM NTSTATUS VmFuncVmxVmcall(UINT64 VmcallNumber, UINT64 OptionalParam1, UINT64 OptionalParam2, UINT64 OptionalParam3)
Export for running VMX VMCALLs.
Definition Export.c:957
DEBUGGEE_PAUSING_REASON g_DebuggeeHaltReason
Reason that the debuggee is halted.
Definition Global.h:175
UINT64 Tag
Definition DataTypes.h:226
PVOID Context
Definition DataTypes.h:227
long long unsigned Context
Definition ScriptEngineCommonDefinitions.h:39
long long unsigned Tag
Definition ScriptEngineCommonDefinitions.h:36
char CallingStage
Definition ScriptEngineCommonDefinitions.h:40

◆ ScriptEngineFunctionPhysicalToVirtual()

UINT64 ScriptEngineFunctionPhysicalToVirtual ( UINT64 Address)

Convert physical address to virtual address.

Parameters
Address
Returns
UINT64
574{
575#ifdef SCRIPT_ENGINE_USER_MODE
576
577 //
578 // There is no conversion in user-mode
579 //
580 return NULL;
581#endif // SCRIPT_ENGINE_USER_MODE
582
583#ifdef SCRIPT_ENGINE_KERNEL_MODE
584
586
587#endif // SCRIPT_ENGINE_KERNEL_MODE
588}
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressOnTargetProcess(_In_ PVOID PhysicalAddress)

◆ ScriptEngineFunctionPrint()

VOID ScriptEngineFunctionPrint ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of print function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
600{
601#ifdef SCRIPT_ENGINE_USER_MODE
602 ShowMessages("%llx\n", Value);
603#endif // SCRIPT_ENGINE_USER_MODE
604
605#ifdef SCRIPT_ENGINE_KERNEL_MODE
606
607 //
608 // Prepare a buffer to bypass allocating a huge stack space for logging
609 //
610 char TempBuffer[20] = {0};
611 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx\n", Value);
612
613 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
614
615#endif // SCRIPT_ENGINE_KERNEL_MODE
616}

◆ ScriptEngineFunctionPrintf()

VOID ScriptEngineFunctionPrintf ( PGUEST_REGS GuestRegs,
ACTION_BUFFER * ActionDetail,
SCRIPT_ENGINE_GENERAL_REGISTERS * ScriptGeneralRegisters,
UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
char * Format,
UINT64 ArgCount,
PSYMBOL FirstArg,
BOOLEAN * HasError )

Implementation of printf function.

Parameters
GuestRegs
ActionDetail
ScriptGeneralRegisters
Tag
ImmediateMessagePassing
Format
ArgCount
FirstArg
HasError
Returns
VOID
1580{
1581 //
1582 // *** The printf function ***
1583 //
1584
1585 char FinalBuffer[PacketChunkSize] = {0};
1586 UINT32 CurrentPositionInFinalBuffer = 0;
1587 UINT32 CurrentProcessedPositionFromStartOfFormat = 0;
1588 BOOLEAN WithoutAnyFormatSpecifier = TRUE;
1589
1590 UINT64 Val;
1591 UINT32 Position;
1592 UINT32 LenOfFormats = (UINT32)strlen(Format) + 1;
1593 PSYMBOL Symbol;
1594
1595 *HasError = FALSE;
1596
1597 for (int i = 0; i < ArgCount; i++)
1598 {
1599 WithoutAnyFormatSpecifier = FALSE;
1600 Symbol = FirstArg + i;
1601
1602 //
1603 // Address is either wstring (%ws) or string (%s)
1604 //
1605
1606 Position = (Symbol->Type >> 32) + 1;
1607
1608 SYMBOL TempSymbol = {0};
1609 memcpy(&TempSymbol, Symbol, sizeof(SYMBOL));
1610 TempSymbol.Type &= 0x7fffffff;
1611
1612 Val = GetValue(GuestRegs, ActionDetail, ScriptGeneralRegisters, &TempSymbol, FALSE);
1613
1614 CHAR PercentageChar = Format[Position];
1615
1616 // printf("position = %d is %c%c \n", Position, PercentageChar, IndicatorChar1);
1617
1618 if (CurrentProcessedPositionFromStartOfFormat != Position)
1619 {
1620 //
1621 // There is some strings before this format specifier
1622 // we should move it to the buffer
1623 //
1624 UINT32 StringLen = Position - CurrentProcessedPositionFromStartOfFormat;
1625
1626 //
1627 // Check final buffer capacity
1628 //
1629 if (CurrentPositionInFinalBuffer + StringLen < sizeof(FinalBuffer))
1630 {
1631 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1632 &Format[CurrentProcessedPositionFromStartOfFormat],
1633 StringLen);
1634
1635 CurrentProcessedPositionFromStartOfFormat += StringLen;
1636 CurrentPositionInFinalBuffer += StringLen;
1637 }
1638 }
1639
1640 //
1641 // Double check and apply
1642 //
1643 if (PercentageChar == '%')
1644 {
1645 //
1646 // Set first character of specifier
1647 //
1648 CHAR FormatSpecifier[5] = {0};
1649 FormatSpecifier[0] = '%';
1650
1651 //
1652 // Read second char
1653 //
1654 CHAR IndicatorChar2 = Format[Position + 1];
1655
1656 //
1657 // Check if IndicatorChar2 is 2 character long or more
1658 //
1659 if (IndicatorChar2 == 'l' || IndicatorChar2 == 'w' ||
1660 IndicatorChar2 == 'h')
1661 {
1662 //
1663 // Set second char in format specifier
1664 //
1665 FormatSpecifier[1] = IndicatorChar2;
1666
1667 if (IndicatorChar2 == 'l' && Format[Position + 2] == 'l')
1668 {
1669 //
1670 // Set third character in format specifier "ll"
1671 //
1672 FormatSpecifier[2] = 'l';
1673
1674 //
1675 // Set last character
1676 //
1677 FormatSpecifier[3] = Format[Position + 3];
1678 }
1679 else
1680 {
1681 //
1682 // Set last character
1683 //
1684 FormatSpecifier[2] = Format[Position + 2];
1685 }
1686 }
1687 else
1688 {
1689 //
1690 // It's a one char specifier (Set last character)
1691 //
1692 FormatSpecifier[1] = IndicatorChar2;
1693 }
1694
1695 //
1696 // Apply the specifier
1697 //
1698 if (!strncmp(FormatSpecifier, "%s", 2))
1699 {
1700 //
1701 // for string
1702 //
1704 "%s",
1705 FinalBuffer,
1706 &CurrentProcessedPositionFromStartOfFormat,
1707 &CurrentPositionInFinalBuffer,
1708 Val,
1709 FALSE,
1710 sizeof(FinalBuffer)))
1711 {
1712 *HasError = TRUE;
1713 return;
1714 }
1715 }
1716 else if (!strncmp(FormatSpecifier, "%ls", 3) ||
1717 !strncmp(FormatSpecifier, "%ws", 3))
1718 {
1719 //
1720 // for wide string (not important if %ls or %ws , only the length is
1721 // important)
1722 //
1724 "%ws",
1725 FinalBuffer,
1726 &CurrentProcessedPositionFromStartOfFormat,
1727 &CurrentPositionInFinalBuffer,
1728 Val,
1729 TRUE,
1730 sizeof(FinalBuffer)))
1731 {
1732 *HasError = TRUE;
1733 return;
1734 }
1735 }
1736 else
1737 {
1738 ApplyFormatSpecifier(FormatSpecifier, FinalBuffer, &CurrentProcessedPositionFromStartOfFormat, &CurrentPositionInFinalBuffer, Val, sizeof(FinalBuffer));
1739 }
1740 }
1741 }
1742
1743 if (WithoutAnyFormatSpecifier)
1744 {
1745 //
1746 // Means that it's just a simple print without any format specifier
1747 //
1748 if (LenOfFormats < sizeof(FinalBuffer))
1749 {
1750 memcpy(FinalBuffer, Format, LenOfFormats);
1751 }
1752 }
1753 else
1754 {
1755 //
1756 // Check if there is anything after the last format specifier
1757 //
1758 if (LenOfFormats > CurrentProcessedPositionFromStartOfFormat)
1759 {
1760 UINT32 RemainedLen =
1761 LenOfFormats - CurrentProcessedPositionFromStartOfFormat;
1762
1763 if (CurrentPositionInFinalBuffer + RemainedLen < sizeof(FinalBuffer))
1764 {
1765 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1766 &Format[CurrentProcessedPositionFromStartOfFormat],
1767 RemainedLen);
1768 }
1769 }
1770 }
1771
1772//
1773// Print final result
1774//
1775#ifdef SCRIPT_ENGINE_USER_MODE
1776 printf("%s", FinalBuffer);
1777#endif // SCRIPT_ENGINE_USER_MODE
1778
1779#ifdef SCRIPT_ENGINE_KERNEL_MODE
1780
1781 //
1782 // Prepare a buffer to bypass allocating a huge stack space for logging
1783 //
1784 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, FinalBuffer, (UINT32)strlen(FinalBuffer) + 1);
1785
1786#endif // SCRIPT_ENGINE_KERNEL_MODE
1787}
BOOLEAN ApplyStringFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, BOOLEAN IsWstring, UINT32 SizeOfFinalBuffer)
Apply string format specifiers (s, ws, etc.).
Definition Functions.c:1411
UINT64 GetValue(PGUEST_REGS GuestRegs, PACTION_BUFFER ActionBuffer, PSCRIPT_ENGINE_GENERAL_REGISTERS ScriptGeneralRegisters, PSYMBOL Symbol, BOOLEAN ReturnReference)
Get the Value (reg, peseudo-reg, etc.).
Definition ScriptEngineEval.c:92
VOID ApplyFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, UINT32 SizeOfFinalBuffer)
Apply format specifiers (d, x, llx, etc.).
Definition Functions.c:1332
#define PacketChunkSize
Size of each packet.
Definition Constants.h:187
struct SYMBOL * PSYMBOL
printf("ho")
Definition ScriptEngineCommonDefinitions.h:6

◆ ScriptEngineFunctionRdtsc()

UINT64 ScriptEngineFunctionRdtsc ( )

Implementation of rdtsc function.

842{
843 return CpuReadTsc();
844}
UINT64 CpuReadTsc(VOID)
Read Time-Stamp Counter.
Definition PlatformIntrinsics.c:295

◆ ScriptEngineFunctionRdtscp()

UINT64 ScriptEngineFunctionRdtscp ( )

Implementation of rdtscp function.

852{
853 UINT32 Aux;
854 return CpuReadTscp(&Aux);
855}
UINT64 CpuReadTscp(UINT32 *Aux)
Read Time-Stamp Counter and Processor ID.
Definition PlatformIntrinsics.c:315

◆ ScriptEngineFunctionShortCircuitingEvent()

VOID ScriptEngineFunctionShortCircuitingEvent ( UINT64 State,
ACTION_BUFFER * ActionDetail )

Implementation of event_ignore function.

Parameters
State
ActionDetail
Returns
VOID
1189{
1190#ifdef SCRIPT_ENGINE_USER_MODE
1191 ShowMessages("err, it's not possible to short-circuit events in user-mode\n");
1192#endif // SCRIPT_ENGINE_USER_MODE
1193
1194#ifdef SCRIPT_ENGINE_KERNEL_MODE
1195
1196 if (ActionDetail->CallingStage == 1)
1197 {
1198 LogWarning("Warning, calling the 'event_sc' function in the 'post' calling stage doesn't make sense as the emulation is already performed!\n"
1199 "You can use this function in the 'pre' calling stage");
1200 return;
1201 }
1202
1203 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1204
1205 if (State != 0)
1206 {
1207 g_DbgState[CurrentCore].ShortCircuitingEvent = TRUE;
1208 }
1209 else
1210 {
1211 g_DbgState[CurrentCore].ShortCircuitingEvent = FALSE;
1212 }
1213
1214#endif // SCRIPT_ENGINE_KERNEL_MODE
1215}
#define LogWarning(format,...)
Log in the case of warning.
Definition HyperDbgHyperLogIntrinsics.h:99

◆ ScriptEngineFunctionSpinlockLock()

VOID ScriptEngineFunctionSpinlockLock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_lock function.

Parameters
Lock
HasError
Returns
VOID
650{
651#ifdef SCRIPT_ENGINE_USER_MODE
652
653 SpinlockLock(Lock);
654
655#endif // SCRIPT_ENGINE_USER_MODE
656
657#ifdef SCRIPT_ENGINE_KERNEL_MODE
658
659 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
660 {
661 *HasError = TRUE;
662 return;
663 }
664
665 SpinlockLock(Lock);
666
667#endif // SCRIPT_ENGINE_KERNEL_MODE
668}
VOID SpinlockLock(volatile LONG *Lock)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:53
long LONG
Definition BasicTypes.h:28

◆ ScriptEngineFunctionSpinlockLockCustomWait()

VOID ScriptEngineFunctionSpinlockLockCustomWait ( volatile long * Lock,
unsigned MaxWait,
BOOL * HasError )

Implementation of spinlock_lock_custom_wait function.

Parameters
Lock
MaxWait
HasError
Returns
VOID
709{
710#ifdef SCRIPT_ENGINE_USER_MODE
711
712 SpinlockLockWithCustomWait(Lock, MaxWait);
713
714#endif // SCRIPT_ENGINE_USER_MODE
715
716#ifdef SCRIPT_ENGINE_KERNEL_MODE
717
718 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
719 {
720 *HasError = TRUE;
721 return;
722 }
723
724 SpinlockLockWithCustomWait(Lock, MaxWait);
725
726#endif // SCRIPT_ENGINE_KERNEL_MODE
727}
VOID SpinlockLockWithCustomWait(volatile LONG *Lock, UINT32 MaximumWait)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:128

◆ ScriptEngineFunctionSpinlockUnlock()

VOID ScriptEngineFunctionSpinlockUnlock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_unlock function.

Parameters
Lock
HasError
Returns
VOID
679{
680#ifdef SCRIPT_ENGINE_USER_MODE
681
682 SpinlockUnlock(Lock);
683
684#endif // SCRIPT_ENGINE_USER_MODE
685
686#ifdef SCRIPT_ENGINE_KERNEL_MODE
687
688 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
689 {
690 *HasError = TRUE;
691 return;
692 }
693
694 SpinlockUnlock(Lock);
695
696#endif // SCRIPT_ENGINE_KERNEL_MODE
697}
VOID SpinlockUnlock(volatile LONG *Lock)
Release the lock.
Definition Spinlock.c:162

◆ ScriptEngineFunctionStrcmp()

UINT64 ScriptEngineFunctionStrcmp ( const char * Address1,
const char * Address2 )

Implementation of strcmp function.

Parameters
Address1
Address2
Returns
UINT64
1874{
1875 UINT64 Result = 0;
1876#ifdef SCRIPT_ENGINE_USER_MODE
1877 Result = strcmp(Address1, Address2);
1878#endif // SCRIPT_ENGINE_USER_MODE
1879
1880#ifdef SCRIPT_ENGINE_KERNEL_MODE
1881 Result = VmFuncVmxCompatibleStrcmp(Address1, Address2);
1882#endif // SCRIPT_ENGINE_KERNEL_MODE
1883
1884 return Result;
1885}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrcmp(const CHAR *Address1, const CHAR *Address2)
VMX-root compatible strcmp.
Definition Export.c:1006

◆ ScriptEngineFunctionStrlen()

UINT64 ScriptEngineFunctionStrlen ( const char * Address)

Implementation of strlen function.

Parameters
Address
Returns
UINT64
737{
738 UINT64 Result = 0;
739#ifdef SCRIPT_ENGINE_USER_MODE
740 Result = strlen(Address);
741#endif // SCRIPT_ENGINE_USER_MODE
742
743#ifdef SCRIPT_ENGINE_KERNEL_MODE
744 Result = VmFuncVmxCompatibleStrlen(Address);
745#endif // SCRIPT_ENGINE_KERNEL_MODE
746
747 return Result;
748}

◆ ScriptEngineFunctionStrncmp()

UINT64 ScriptEngineFunctionStrncmp ( const char * Address1,
const char * Address2,
size_t Num )

Implementation of strcmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1898{
1899 UINT64 Result = 0;
1900#ifdef SCRIPT_ENGINE_USER_MODE
1901 Result = strncmp(Address1, Address2, Num);
1902#endif // SCRIPT_ENGINE_USER_MODE
1903
1904#ifdef SCRIPT_ENGINE_KERNEL_MODE
1905 Result = VmFuncVmxCompatibleStrncmp(Address1, Address2, Num);
1906#endif // SCRIPT_ENGINE_KERNEL_MODE
1907
1908 return Result;
1909}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrncmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Num)
VMX-root compatible strncmp.
Definition Export.c:1020

◆ ScriptEngineFunctionTestStatement()

VOID ScriptEngineFunctionTestStatement ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of test_statement function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
628{
629 UNREFERENCED_PARAMETER(Tag);
630 UNREFERENCED_PARAMETER(ImmediateMessagePassing);
631 UNREFERENCED_PARAMETER(Value);
632
633#ifdef SCRIPT_ENGINE_USER_MODE
634
637
638#endif // SCRIPT_ENGINE_USER_MODE
639}
BOOLEAN g_CurrentExprEvalResultHasError
global variable to detect if there was an error in the result of script-engine statement tests
Definition globals.h:681
UINT64 g_CurrentExprEvalResult
global variable to save the result of script-engine statement tests
Definition globals.h:674

◆ ScriptEngineFunctionVirtualToPhysical()

UINT64 ScriptEngineFunctionVirtualToPhysical ( UINT64 Address)
550{
551#ifdef SCRIPT_ENGINE_USER_MODE
552
553 //
554 // There is no conversion in user-mode
555 //
556 return NULL;
557#endif // SCRIPT_ENGINE_USER_MODE
558
559#ifdef SCRIPT_ENGINE_KERNEL_MODE
560
562
563#endif // SCRIPT_ENGINE_KERNEL_MODE
564}
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressOnTargetProcess(_In_ PVOID VirtualAddress)

◆ ScriptEngineFunctionWcscmp()

UINT64 ScriptEngineFunctionWcscmp ( const wchar_t * Address1,
const wchar_t * Address2 )

Implementation of wcscmp function.

Parameters
Address1
Address2
Returns
UINT64
1921{
1922 UINT64 Result = 0;
1923#ifdef SCRIPT_ENGINE_USER_MODE
1924 Result = wcscmp(Address1, Address2);
1925#endif // SCRIPT_ENGINE_USER_MODE
1926
1927#ifdef SCRIPT_ENGINE_KERNEL_MODE
1928 Result = VmFuncVmxCompatibleWcscmp(Address1, Address2);
1929#endif // SCRIPT_ENGINE_KERNEL_MODE
1930
1931 return Result;
1932}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcscmp(const WCHAR *Address1, const WCHAR *Address2)
VMX-root compatible wcscmp.
Definition Export.c:1033

◆ ScriptEngineFunctionWcslen()

UINT64 ScriptEngineFunctionWcslen ( const wchar_t * Address)

Implementation of wcslen function.

Parameters
Address
Returns
UINT64
781{
782 UINT64 Result = 0;
783
784#ifdef SCRIPT_ENGINE_USER_MODE
785 Result = wcslen(Address);
786#endif // SCRIPT_ENGINE_USER_MODE
787
788#ifdef SCRIPT_ENGINE_KERNEL_MODE
789 Result = VmFuncVmxCompatibleWcslen(Address);
790#endif // SCRIPT_ENGINE_KERNEL_MODE
791
792 return Result;
793}

◆ ScriptEngineFunctionWcsncmp()

UINT64 ScriptEngineFunctionWcsncmp ( const wchar_t * Address1,
const wchar_t * Address2,
size_t Num )

Implementation of wcsncmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1945{
1946 UINT64 Result = 0;
1947#ifdef SCRIPT_ENGINE_USER_MODE
1948 Result = wcsncmp(Address1, Address2, Num);
1949#endif // SCRIPT_ENGINE_USER_MODE
1950
1951#ifdef SCRIPT_ENGINE_KERNEL_MODE
1952 Result = VmFuncVmxCompatibleWcsncmp(Address1, Address2, Num);
1953#endif // SCRIPT_ENGINE_KERNEL_MODE
1954
1955 return Result;
1956}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcsncmp(const WCHAR *Address1, const WCHAR *Address2, SIZE_T Num)
VMX-root compatible wcsncmp.
Definition Export.c:1047

◆ WcharToChar()

size_t WcharToChar ( const wchar_t * src,
char * dest,
size_t dest_len )

Convert WCHAR* to CHAR*.

Parameters
src
dest
dest_len
Returns
size_t
1370{
1371 wchar_t Code;
1372 size_t i;
1373
1374 i = 0;
1375
1376 while ((src[i] != '\0') && i < (dest_len - 1))
1377 {
1378 Code = src[i];
1379 if (Code < 128)
1380 dest[i] = (char)Code;
1381 else
1382 {
1383 dest[i] = '?';
1384 if (Code >= 0xD800 && Code <= 0xD8FF)
1385 {
1386 //
1387 // Lead surrogate, skip the next code unit, which is the trail
1388 //
1389 i++;
1390 }
1391 }
1392 i++;
1393 }
1394
1395 return i - 1;
1396}