ScriptEngine.c File Reference

Script engine parser and wrapper functions. More...

#include "pch.h"

Functions
UINT64	ScriptEngineWrapperGetInstructionPointer ()
	Get current ip from the debugger frame.
UINT64	ScriptEngineWrapperGetAddressOfReservedBuffer (PDEBUGGER_EVENT_ACTION Action)
	Get the address of reserved buffer.
VOID	ScriptEngineUpdateTargetCoreDateTime (PROCESSOR_DEBUGGING_STATE *DbgState)
	Create and update the target core date and time.
UINT64	ScriptEngineGetTargetCoreTime ()
	Update core's date time and return time.
UINT64	ScriptEngineGetTargetCoreDate ()
	Update core's date time and return date.

Detailed Description

Script engine parser and wrapper functions.

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)

Version

0.1

Date

2020-10-22

Copyright

This project is released under the GNU Public License v3.

Function Documentation

ScriptEngineGetTargetCoreDate()

UINT64 ScriptEngineGetTargetCoreDate

(

)

Update core's date time and return date.

Returns

UINT64

{
    ULONG                       CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
    PROCESSOR_DEBUGGING_STATE * DbgState    = &g_DbgState[CurrentCore];
 
    //
    // Update the core's date time
    //
    ScriptEngineUpdateTargetCoreDateTime(DbgState);
 
    //
    // Return the date
    //
    return (UINT64)&DbgState->DateTimeHolder.DateBuffer;
}

ScriptEngineGetTargetCoreTime()

UINT64 ScriptEngineGetTargetCoreTime

(

)

Update core's date time and return time.

Returns

UINT64

{
    ULONG                       CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
    PROCESSOR_DEBUGGING_STATE * DbgState    = &g_DbgState[CurrentCore];
 
    //
    // Update the core's date time
    //
    ScriptEngineUpdateTargetCoreDateTime(DbgState);
 
    //
    // Return the time
    //
    return (UINT64)&DbgState->DateTimeHolder.TimeBuffer;
}

ScriptEngineUpdateTargetCoreDateTime()

VOID ScriptEngineUpdateTargetCoreDateTime

(

PROCESSOR_DEBUGGING_STATE *

DbgState

)

Create and update the target core date and time.

Parameters

DbgState

The processor debugging state

Returns

VOID

{
    LARGE_INTEGER SystemTime, LocalTime;
    KeQuerySystemTime(&SystemTime);
    ExSystemTimeToLocalTime(&SystemTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &DbgState->DateTimeHolder.TimeFields);
 
    sprintf_s(DbgState->DateTimeHolder.TimeBuffer,
              RTL_NUMBER_OF(DbgState->DateTimeHolder.TimeBuffer),
              "%02hd:%02hd:%02hd.%03hd",
              DbgState->DateTimeHolder.TimeFields.Hour,
              DbgState->DateTimeHolder.TimeFields.Minute,
              DbgState->DateTimeHolder.TimeFields.Second,
              DbgState->DateTimeHolder.TimeFields.Milliseconds);
 
    sprintf_s(DbgState->DateTimeHolder.DateBuffer,
              RTL_NUMBER_OF(DbgState->DateTimeHolder.DateBuffer),
              "%04hd-%02hd-%02hd",
              DbgState->DateTimeHolder.TimeFields.Year,
              DbgState->DateTimeHolder.TimeFields.Month,
              DbgState->DateTimeHolder.TimeFields.Day);
}

ScriptEngineWrapperGetAddressOfReservedBuffer()

UINT64 ScriptEngineWrapperGetAddressOfReservedBuffer

(

PDEBUGGER_EVENT_ACTION

Action

)

Get the address of reserved buffer.

Parameters

Action

Corresponding action

Returns

UINT64 returns the requested buffer address from user

{
    return Action->RequestedBuffer.RequstBufferAddress;
}

ScriptEngineWrapperGetInstructionPointer()

UINT64 ScriptEngineWrapperGetInstructionPointer

(

)

Get current ip from the debugger frame.

Returns

UINT64 returns the rip of the current debuggee state frame

{
    //
    // Check if we are in vmx-root or not
    //
    if (VmFuncVmxGetCurrentExecutionMode() == TRUE)
    {
        return VmFuncGetRip();
    }
    else
    {
        //
        // Otherwise $ip doesn't mean anything
        //
        return (UINT64)NULL;
    }
}