PseudoRegisters.c File Reference

Script engine pseudo-registers implementations. More...

#include "pch.h"

Functions

UINT64 ScriptEnginePseudoRegGetTid ()
 Implementation of $tid pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetCore ()
 Implementation of $core pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetPid ()
 Implementation of $pid pseudo-register.
 
CHAR * ScriptEnginePseudoRegGetPname ()
 Implementation of $pname pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetProc ()
 Implementation of $proc pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetThread ()
 Implementation of $thread pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetPeb ()
 Implementation of $peb pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetTeb ()
 Implementation of $teb pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetIp ()
 Implementation of $ip pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetBuffer (UINT64 *CorrespondingAction)
 Implementation of $buffer pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventTag (PACTION_BUFFER ActionBuffer)
 Implementation of $tag pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventId (PACTION_BUFFER ActionBuffer)
 Implementation of $id pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventStage (PACTION_BUFFER ActionBuffer)
 Implementation of stage pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetTime ()
 Implementation of time pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetDate ()
 Implementation of date pseudo-register.
 

Detailed Description

Script engine pseudo-registers implementations.

Author
M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2022-06-29

Function Documentation

◆ ScriptEnginePseudoRegGetBuffer()

UINT64 ScriptEnginePseudoRegGetBuffer ( UINT64 * CorrespondingAction)

Implementation of $buffer pseudo-register.

Parameters
CorrespondingAction
Returns
UINT64
328{
329#ifdef SCRIPT_ENGINE_USER_MODE
330 //
331 // $buffer doesn't mean anything in user-mode
332 //
333 return (UINT64)NULL;
334#endif // SCRIPT_ENGINE_USER_MODE
335
336#ifdef SCRIPT_ENGINE_KERNEL_MODE
 //
 // NOTE(review): the kernel-mode return statement (source line 337) is not
 // reproduced in this rendering. The page links it to
 // ScriptEngineWrapperGetAddressOfReservedBuffer(PDEBUGGER_EVENT_ACTION),
 // so CorrespondingAction is presumably handed through as that action —
 // confirm against PseudoRegisters.c before relying on it
 //
338#endif // SCRIPT_ENGINE_KERNEL_MODE
339}
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT64 ScriptEngineWrapperGetAddressOfReservedBuffer(PDEBUGGER_EVENT_ACTION Action)
Get the address of reserved buffer.
Definition ScriptEngine.c:46
NULL()
Definition test-case-generator.py:530
The structure of actions in HyperDbg.
Definition Debugger.h:79

◆ ScriptEnginePseudoRegGetCore()

/**
 * @brief Implementation of $core pseudo-register
 * @details Reports the index of the processor the caller is currently
 * running on: GetCurrentProcessorNumber() in user-mode,
 * KeGetCurrentProcessorNumberEx(NULL) in kernel-mode.
 *
 * @note If neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE is
 * defined the function body is empty and has no return statement.
 *
 * @return UINT64 current processor number
 */
UINT64
ScriptEnginePseudoRegGetCore()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)GetCurrentProcessorNumber();
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)KeGetCurrentProcessorNumberEx(NULL);
#endif
}

◆ ScriptEnginePseudoRegGetDate()

UINT64 ScriptEnginePseudoRegGetDate ( )

Implementation of date pseudo-register.

Returns
UINT64
423{
424#ifdef SCRIPT_ENGINE_USER_MODE
 //
 // Not provided in user-mode; NULL (0) is returned
 //
425 return NULL;
426#endif // SCRIPT_ENGINE_USER_MODE
427
428#ifdef SCRIPT_ENGINE_KERNEL_MODE
429
430 //
431 // Get the current core's date
432 //
 //
 // NOTE(review): the return statement (source line 433) is not reproduced in
 // this rendering; the page links it to ScriptEngineGetTargetCoreDate(),
 // documented as "update core's date time and return date" — confirm against
 // PseudoRegisters.c
 //
434#endif // SCRIPT_ENGINE_KERNEL_MODE
435}
UINT64 ScriptEngineGetTargetCoreDate()
Update core's date time and return date.
Definition ScriptEngine.c:109

◆ ScriptEnginePseudoRegGetEventId()

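/**
 * @brief Implementation of $id pseudo-register
 * @details Kernel-mode only: the event id is the event's tag with the
 * user-mode starting seed (DebuggerEventTagStartSeed) subtracted.
 * User-mode has no event context and returns 0.
 *
 * @param ActionBuffer action attached to the running script; a NULL buffer
 * yields 0 instead of a dereference
 * @return UINT64 event id, or 0 when not available
 */
UINT64
ScriptEnginePseudoRegGetEventId(PACTION_BUFFER ActionBuffer)
{
#ifdef SCRIPT_ENGINE_USER_MODE
    //
    // $id doesn't have meaning in user-mode; cast like the sibling
    // pseudo-registers so NULL is not returned as a pointer constant
    //
    return (UINT64)NULL;
#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE
    //
    // Guard the dereference rather than fault in kernel-mode
    //
    if (ActionBuffer == NULL)
    {
        return NULL64_ZERO;
    }

    //
    // NOTE(review): assumes every tag reaching here is >= the seed; a tag
    // below the seed would wrap around — confirm against the event
    // registration path
    //
    return (ActionBuffer->Tag - DebuggerEventTagStartSeed);
#endif // SCRIPT_ENGINE_KERNEL_MODE
}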
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:222
long long unsigned Tag
Definition ScriptEngineCommonDefinitions.h:35

◆ ScriptEnginePseudoRegGetEventStage()

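/**
 * @brief Implementation of $stage pseudo-register
 * @details Kernel-mode only: returns the CallingStage recorded in the action
 * buffer of the event that triggered the script. User-mode has no event
 * context and returns 0.
 *
 * @param ActionBuffer action attached to the running script; a NULL buffer
 * yields 0 instead of a dereference
 * @return UINT64 calling stage (CallingStage is a char, widened here), or 0
 */
UINT64
ScriptEnginePseudoRegGetEventStage(PACTION_BUFFER ActionBuffer)
{
#ifdef SCRIPT_ENGINE_USER_MODE
    //
    // $stage doesn't have meaning in user-mode; cast like the sibling
    // pseudo-registers so NULL is not returned as a pointer constant
    //
    return (UINT64)NULL;
#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE
    //
    // Guard the dereference rather than fault in kernel-mode
    //
    if (ActionBuffer == NULL)
    {
        return NULL64_ZERO;
    }

    return ActionBuffer->CallingStage;
#endif // SCRIPT_ENGINE_KERNEL_MODE
}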
char CallingStage
Definition ScriptEngineCommonDefinitions.h:39

◆ ScriptEnginePseudoRegGetEventTag()

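/**
 * @brief Implementation of $tag pseudo-register
 * @details Kernel-mode only: returns the raw Tag of the event whose action
 * is running the script. User-mode has no event context and returns 0.
 *
 * @param ActionBuffer action attached to the running script; a NULL buffer
 * yields 0 instead of a dereference
 * @return UINT64 event tag, or 0 when not available
 */
UINT64
ScriptEnginePseudoRegGetEventTag(PACTION_BUFFER ActionBuffer)
{
#ifdef SCRIPT_ENGINE_USER_MODE
    //
    // $tag doesn't have meaning in user-mode
    //
    return (UINT64)NULL;
#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE
    //
    // Guard the dereference rather than fault in kernel-mode
    //
    if (ActionBuffer == NULL)
    {
        return NULL64_ZERO;
    }

    return ActionBuffer->Tag;
#endif // SCRIPT_ENGINE_KERNEL_MODE
}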

◆ ScriptEnginePseudoRegGetIp()

UINT64 ScriptEnginePseudoRegGetIp ( )

Implementation of $ip pseudo-register.

Returns
UINT64
307{
308#ifdef SCRIPT_ENGINE_USER_MODE
309 //
310 // $ip doesn't have meaning in user-mode
311 //
312 return NULL;
313#endif // SCRIPT_ENGINE_USER_MODE
314
315#ifdef SCRIPT_ENGINE_KERNEL_MODE
 //
 // NOTE(review): the kernel-mode return statement (source line 316) is not
 // reproduced in this rendering; the page links it to
 // ScriptEngineWrapperGetInstructionPointer(), documented as "get current
 // ip from the debugger frame" — confirm against PseudoRegisters.c
 //
317#endif // SCRIPT_ENGINE_KERNEL_MODE
318}
UINT64 ScriptEngineWrapperGetInstructionPointer()
Get current ip from the debugger frame.
Definition ScriptEngine.c:21

◆ ScriptEnginePseudoRegGetPeb()

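/**
 * @brief Implementation of $peb pseudo-register
 * @details User-mode only: resolves NtQueryInformationProcess from the
 * already-mapped ntdll.dll, queries ProcessBasicInformation for the calling
 * process and returns PebBaseAddress. Every step that can fail (module
 * lookup, export lookup, the NT call itself) is checked, so a failure yields
 * 0 instead of calling a NULL function pointer or reading an uninitialized
 * PROCESS_BASIC_INFORMATION. In kernel-mode the PEB has no meaning here and
 * NULL64_ZERO is returned.
 *
 * @return UINT64 address of the current process's PEB, or 0 on failure
 */
UINT64
ScriptEnginePseudoRegGetPeb()
{
#ifdef SCRIPT_ENGINE_USER_MODE
    //
    // Hand-rolled struct ( may cause conflict depending on your dev env );
    // only the layout that ProcessBasicInformation fills is needed, the
    // PEB/LDR/UNICODE_STRING layouts were never read and are dropped
    //
    struct PROCESS_BASIC_INFORMATION
    {
        PVOID     Reserved1;
        PVOID     PebBaseAddress;
        PVOID     Reserved2[2];
        ULONG_PTR UniqueProcessId;
        PVOID     Reserved3;
    };

    enum PROCESSINFOCLASS
    {
        ProcessBasicInformation = 0,
        ProcessDebugPort        = 7,
        ProcessWow64Information = 26,
        ProcessImageFileName    = 27
    };

    //
    // function pointer type to house result from GetProcAddress
    //
    typedef NTSTATUS(WINAPI * QUERY_INFO_PROC_PTR)(HANDLE, enum PROCESSINFOCLASS, PVOID, ULONG, PULONG);

    LPCWSTR NTDLL_NAME       = L"ntdll.dll";
    LPCSTR  NTQUERYINFO_NAME = "NtQueryInformationProcess";

    HMODULE                          NtdllMod;
    QUERY_INFO_PROC_PTR              QueryInfoProcPtr;
    NTSTATUS                         NtCallRet;
    ULONG                            BytesReturned = 0;
    struct PROCESS_BASIC_INFORMATION BasicInfo     = {0};

    //
    // ntdll.dll is mapped into every process, so look the existing module up
    // instead of LoadLibraryW: this takes no extra reference that would have
    // to be released with FreeLibrary
    //
    NtdllMod = GetModuleHandleW(NTDLL_NAME);
    if (NtdllMod == NULL)
    {
        return (UINT64)NULL;
    }

    //
    // get pointer to query function; a missing export must not be called
    //
    QueryInfoProcPtr = (QUERY_INFO_PROC_PTR)GetProcAddress(NtdllMod, NTQUERYINFO_NAME);
    if (QueryInfoProcPtr == NULL)
    {
        return (UINT64)NULL;
    }

    //
    // call function on self (pseudo-handle from GetCurrentProcess); introspect.
    // A negative NTSTATUS means failure (NT_SUCCESS semantics) and BasicInfo
    // must then not be trusted
    //
    NtCallRet = QueryInfoProcPtr(GetCurrentProcess(),
                                 ProcessBasicInformation,
                                 &BasicInfo,
                                 sizeof(BasicInfo),
                                 &BytesReturned);
    if (NtCallRet < 0)
    {
        return (UINT64)NULL;
    }

    //
    // the PEB pointer itself is the register value; no field is decoded here
    //
    return (UINT64)BasicInfo.PebBaseAddress;

#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE

    //
    // PEB doesn't make sense in kernel-mode
    //
    return NULL64_ZERO;
#endif // SCRIPT_ENGINE_KERNEL_MODE
}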
unsigned char BYTE
Definition BasicTypes.h:24
unsigned short USHORT
Definition BasicTypes.h:36
#define NULL64_ZERO
Definition BasicTypes.h:52
unsigned long ULONG
Definition BasicTypes.h:37
PEB LDR Data.
Definition UserAccess.h:23
PEB 64-bit.
Definition UserAccess.h:55
Definition casting.cpp:25

◆ ScriptEnginePseudoRegGetPid()

/**
 * @brief Implementation of $pid pseudo-register
 * @details Identifier of the calling process: GetCurrentProcessId() in
 * user-mode, PsGetCurrentProcessId() in kernel-mode.
 *
 * @note With neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE
 * defined the body is empty and has no return statement.
 *
 * @return UINT64 process id
 */
UINT64
ScriptEnginePseudoRegGetPid()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)GetCurrentProcessId();
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)PsGetCurrentProcessId();
#endif
}

◆ ScriptEnginePseudoRegGetPname()

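/**
 * @brief Implementation of $pname pseudo-register
 * @details User-mode: opens the calling process, reads its main module path
 * with GetModuleFileNameEx and returns the file-name part. The path lives in
 * a function-local static buffer so the returned pointer stays valid after
 * return; the previous stack buffer handed the caller a dangling pointer.
 * Kernel-mode: the name is taken from the current EPROCESS.
 *
 * @note The static buffer is shared: a later call overwrites the name a
 * previous caller still holds, and concurrent callers race on it.
 *
 * @return CHAR* process image file name, or NULL when the handle or the
 * module path could not be obtained (user-mode; GetLastError() has details)
 */
CHAR *
ScriptEnginePseudoRegGetPname()
{
#ifdef SCRIPT_ENGINE_USER_MODE

    static CHAR CurrentModulePath[MAX_PATH];
    CHAR *      BaseName = NULL;

    HANDLE Handle = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
        FALSE,
        GetCurrentProcessId() /* Current process */
    );

    if (!Handle)
    {
        //
        // unable to get handle
        //
        return NULL;
    }

    if (GetModuleFileNameEx(Handle, NULL, CurrentModulePath, MAX_PATH))
    {
        //
        // At this point, buffer contains the full path to the executable;
        // PathFindFileNameA returns a pointer into that (static) buffer
        //
        BaseName = PathFindFileNameA(CurrentModulePath);
    }
    //
    // otherwise BaseName stays NULL; error might be shown by GetLastError()
    //

    CloseHandle(Handle);
    return BaseName;

#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE
    return CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess());
#endif // SCRIPT_ENGINE_KERNEL_MODE
}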
#define FALSE
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:31
PCHAR CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
Get process name by eprocess.
Definition Common.c:48

◆ ScriptEnginePseudoRegGetProc()

/**
 * @brief Implementation of $proc pseudo-register
 * @details Kernel-mode only: the current EPROCESS pointer from
 * PsGetCurrentProcess(). User-mode has no process object to expose and
 * returns 0.
 *
 * @note With neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE
 * defined the body is empty and has no return statement.
 *
 * @return UINT64 EPROCESS address in kernel-mode, 0 in user-mode
 */
UINT64
ScriptEnginePseudoRegGetProc()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)NULL;
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)PsGetCurrentProcess();
#endif
}

◆ ScriptEnginePseudoRegGetTeb()

/**
 * @brief Implementation of $teb pseudo-register
 * @details Kernel-mode only: the TEB of the current thread from
 * PsGetCurrentThreadTeb(). User-mode returns 0.
 *
 * @note With neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE
 * defined the body is empty and has no return statement.
 *
 * @return UINT64 TEB address in kernel-mode, 0 in user-mode
 */
UINT64
ScriptEnginePseudoRegGetTeb()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)NULL;
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)PsGetCurrentThreadTeb();
#endif
}

◆ ScriptEnginePseudoRegGetThread()

/**
 * @brief Implementation of $thread pseudo-register
 * @details Kernel-mode only: the current ETHREAD pointer from
 * PsGetCurrentThread(). User-mode has no thread object to expose and
 * returns 0.
 *
 * @note With neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE
 * defined the body is empty and has no return statement.
 *
 * @return UINT64 ETHREAD address in kernel-mode, 0 in user-mode
 */
UINT64
ScriptEnginePseudoRegGetThread()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)NULL;
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)PsGetCurrentThread();
#endif
}

◆ ScriptEnginePseudoRegGetTid()

/**
 * @brief Implementation of $tid pseudo-register
 * @details Identifier of the calling thread: GetCurrentThreadId() in
 * user-mode, PsGetCurrentThreadId() in kernel-mode.
 *
 * @note With neither SCRIPT_ENGINE_USER_MODE nor SCRIPT_ENGINE_KERNEL_MODE
 * defined the body is empty and has no return statement.
 *
 * @return UINT64 thread id
 */
UINT64
ScriptEnginePseudoRegGetTid()
{
#if defined(SCRIPT_ENGINE_USER_MODE)
    return (UINT64)GetCurrentThreadId();
#elif defined(SCRIPT_ENGINE_KERNEL_MODE)
    return (UINT64)PsGetCurrentThreadId();
#endif
}

◆ ScriptEnginePseudoRegGetTime()

UINT64 ScriptEnginePseudoRegGetTime ( )

Implementation of time pseudo-register.

Returns
UINT64
402{
403#ifdef SCRIPT_ENGINE_USER_MODE
 //
 // Not provided in user-mode; NULL (0) is returned
 //
404 return NULL;
405#endif // SCRIPT_ENGINE_USER_MODE
406
407#ifdef SCRIPT_ENGINE_KERNEL_MODE
408
409 //
410 // Get the current core's time
411 //
 //
 // NOTE(review): the return statement (source line 412) is not reproduced in
 // this rendering; the page links it to ScriptEngineGetTargetCoreTime(),
 // documented as "update core's date time and return time" — confirm against
 // PseudoRegisters.c
 //
413#endif // SCRIPT_ENGINE_KERNEL_MODE
414}
UINT64 ScriptEngineGetTargetCoreTime()
Update core's date time and return time.
Definition ScriptEngine.c:87