HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
ScriptEngineInternalHeader.h File Reference

Internal Headers of script engine. More...

Go to the source code of this file.

Functions

BOOLEAN SetRegValueUsingSymbol (PGUEST_REGS GuestRegs, PSYMBOL Symbol, UINT64 Value)
 Set the register value.
 
UINT64 ScriptEnginePseudoRegGetTid ()
 Implementation of $tid pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetCore ()
 Implementation of $core pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetPid ()
 Implementation of $pid pseudo-register.
 
CHARScriptEnginePseudoRegGetPname ()
 Implementation of $pname pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetProc ()
 Implementation of $proc pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetThread ()
 Implementation of $thread pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetPeb ()
 Implementation of $peb pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetTeb ()
 Implementation of $teb pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetIp ()
 Implementation of $ip pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetBuffer (UINT64 *CorrespondingAction)
 Implementation of $buffer pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventTag (PACTION_BUFFER ActionBuffer)
 Implementation of $tag pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventId (PACTION_BUFFER ActionBuffer)
 Implementation of $id pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetEventStage (PACTION_BUFFER ActionBuffer)
 Implementation of stage pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetTime ()
 Implementation of time pseudo-register.
 
UINT64 ScriptEnginePseudoRegGetDate ()
 Implementation of date pseudo-register.
 
UINT64 ScriptEngineKeywordPoi (PUINT64 Address, BOOL *HasError)
 Implementation of poi keyword.
 
WORD ScriptEngineKeywordHi (PUINT64 Address, BOOL *HasError)
 Implementation of hi keyword.
 
WORD ScriptEngineKeywordLow (PUINT64 Address, BOOL *HasError)
 Implementation of low keyword.
 
BYTE ScriptEngineKeywordDb (PUINT64 Address, BOOL *HasError)
 Implementation of db keyword.
 
DWORD ScriptEngineKeywordDd (PUINT64 Address, BOOL *HasError)
 Implementation of dd keyword.
 
WORD ScriptEngineKeywordDw (PUINT64 Address, BOOL *HasError)
 Implementation of dw keyword.
 
QWORD ScriptEngineKeywordDq (PUINT64 Address, BOOL *HasError)
 Implementation of dq keyword.
 
BOOLEAN ScriptEngineFunctionEq (UINT64 Address, QWORD Value, BOOL *HasError)
 Implementation of eq function.
 
BOOLEAN ScriptEngineFunctionEd (UINT64 Address, DWORD Value, BOOL *HasError)
 Implementation of ed function.
 
BOOLEAN ScriptEngineFunctionEb (UINT64 Address, BYTE Value, BOOL *HasError)
 Implementation of eb function.
 
BOOLEAN ScriptEngineFunctionCheckAddress (UINT64 Address, UINT32 Length)
 Check whether the address is valid or not.
 
VOID ScriptEngineFunctionMemcpy (UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *HasError)
 A VMX-compatible equivalent of memcpy function in C.
 
UINT64 ScriptEngineFunctionVirtualToPhysical (UINT64 Address)
 
UINT64 ScriptEngineFunctionPhysicalToVirtual (UINT64 Address)
 Convert physical address to virtual address.
 
VOID ScriptEngineFunctionPrint (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of print function.
 
VOID ScriptEngineFunctionTestStatement (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of test_statement function.
 
VOID ScriptEngineFunctionSpinlockLock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_lock function.
 
VOID ScriptEngineFunctionSpinlockUnlock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_unlock function.
 
VOID ScriptEngineFunctionSpinlockLockCustomWait (volatile long *Lock, unsigned MaxWait, BOOL *HasError)
 Implementation of spinlock_lock_custom_wait function.
 
UINT64 ScriptEngineFunctionStrlen (const char *Address)
 Implementation of strlen function.
 
UINT64 ScriptEngineFunctionDisassembleLen (PVOID Address, BOOLEAN Is32Bit)
 Implementation of disassemble_len function.
 
UINT64 ScriptEngineFunctionWcslen (const wchar_t *Address)
 Implementation of wcslen function.
 
long long ScriptEngineFunctionInterlockedExchange (long long volatile *Target, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange function.
 
long long ScriptEngineFunctionInterlockedExchangeAdd (long long volatile *Addend, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange_add function.
 
long long ScriptEngineFunctionInterlockedIncrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_increment function.
 
long long ScriptEngineFunctionInterlockedDecrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_decrement function.
 
long long ScriptEngineFunctionInterlockedCompareExchange (long long volatile *Destination, long long ExChange, long long Comperand, BOOL *HasError)
 Implementation of interlocked_compare_exchange function.
 
VOID ScriptEngineFunctionEventEnable (UINT64 EventId)
 Implementation of event_enable function.
 
VOID ScriptEngineFunctionEventDisable (UINT64 EventId)
 Implementation of event_disable function.
 
VOID ScriptEngineFunctionEventClear (UINT64 EventId)
 Implementation of event_clear function.
 
VOID ScriptEngineFunctionPause (ACTION_BUFFER *ActionDetail, PGUEST_REGS GuestRegs)
 Implementation of pause function.
 
VOID ScriptEngineFunctionFlush ()
 Implementation of flush function.
 
VOID ScriptEngineFunctionShortCircuitingEvent (UINT64 State, ACTION_BUFFER *ActionDetail)
 Implementation of event_ignore function.
 
VOID ScriptEngineFunctionFormats (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of formats function.
 
VOID ScriptEngineFunctionPrintf (PGUEST_REGS GuestRegs, ACTION_BUFFER *ActionDetail, SCRIPT_ENGINE_VARIABLES_LIST *VariablesList, UINT64 Tag, BOOLEAN ImmediateMessagePassing, char *Format, UINT64 ArgCount, PSYMBOL FirstArg, BOOLEAN *HasError, SYMBOL_BUFFER *StackBuffer, UINT64 *StackIndx, UINT64 *StackBaseIndx, UINT64 *ReturnValue)
 Implementation of printf function.
 
VOID ScriptEngineFunctionEventInject (UINT32 InterruptionType, UINT32 Vector, BOOL *HasError)
 Implementation of event_inject function.
 
VOID ScriptEngineFunctionEventInjectErrorCode (UINT32 InterruptionType, UINT32 Vector, UINT32 ErrorCode, BOOL *HasError)
 Implementation of event_inject_error_code function.
 
VOID ScriptEngineFunctionEventTraceInstrumentationStep ()
 Implementation of event_trace_instrumentation_step function.
 
VOID ScriptEngineFunctionEventTraceStepIn ()
 Implementation of event_trace_step_in function.
 
UINT64 ScriptEngineFunctionStrcmp (const char *Address1, const char *Address2)
 Implementation of strcmp function.
 
UINT64 ScriptEngineFunctionStrncmp (const char *Address1, const char *Address2, size_t Num)
 Implementation of strcmp function.
 
UINT64 ScriptEngineFunctionWcscmp (const wchar_t *Address1, const wchar_t *Address2)
 Implementation of wcscmp function.
 
UINT64 ScriptEngineFunctionWcsncmp (const wchar_t *Address1, const wchar_t *Address2, size_t Num)
 Implementation of wcsncmp function.
 
UINT64 ScriptEngineFunctionMemcmp (const char *Address1, const char *Address2, size_t Count)
 Implementation of memcmp function.
 

Detailed Description

Internal Headers of script engine.

Author
M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2022-06-29
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ScriptEngineFunctionCheckAddress()

BOOLEAN ScriptEngineFunctionCheckAddress ( UINT64 Address,
UINT32 Length )

Check whether the address is valid or not.

Parameters
Address
Length
Returns
BOOLEAN
169{
170#ifdef SCRIPT_ENGINE_USER_MODE
171
172 if (CheckAccessValidityAndSafety(Address, Length))
173 {
174 return TRUE;
175 }
176
177#endif // SCRIPT_ENGINE_USER_MODE
178
179#ifdef SCRIPT_ENGINE_KERNEL_MODE
180
181 if (CheckAccessValidityAndSafety(Address, Length))
182 {
183 return TRUE;
184 }
185
186#endif // SCRIPT_ENGINE_KERNEL_MODE
187
188 return FALSE;
189}
CheckAccessValidityAndSafety
BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:156
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67

◆ ScriptEngineFunctionDisassembleLen()

UINT64 ScriptEngineFunctionDisassembleLen ( PVOID Address,
BOOLEAN Is32Bit )

Implementation of disassemble_len function.

Parameters
Address
Is32Bit
Returns
UINT64
525{
526 UINT64 Result = 0;
527#ifdef SCRIPT_ENGINE_USER_MODE
528 Result = HyperDbgLengthDisassemblerEngine((unsigned char *)Address, MAXIMUM_INSTR_SIZE, Is32Bit ? FALSE : TRUE);
529#endif // SCRIPT_ENGINE_USER_MODE
530
531#ifdef SCRIPT_ENGINE_KERNEL_MODE
532 Result = DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess(Address, Is32Bit);
533#endif // SCRIPT_ENGINE_KERNEL_MODE
534
535 return Result;
536}
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
MAXIMUM_INSTR_SIZE
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:468
DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess
UINT32 DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess(PVOID Address, BOOLEAN Is32Bit)
Disassembler length disassembler engine.
Definition Disassembler.c:297
HyperDbgLengthDisassemblerEngine
UINT32 HyperDbgLengthDisassemblerEngine(unsigned char *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
Length Disassembler engine based on Zydis.
Definition disassembler.cpp:856

◆ ScriptEngineFunctionEb()

BOOLEAN ScriptEngineFunctionEb ( UINT64 Address,
BYTE Value,
BOOL * HasError )

Implementation of eb function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
131{
132 UNREFERENCED_PARAMETER(HasError);
133
134#ifdef SCRIPT_ENGINE_KERNEL_MODE
135
136 if (!CheckAccessValidityAndSafety(Address, sizeof(BYTE)))
137 {
138 //
139 // Instead of indicating an error, just return false
140 // to assign it as a return result to a variable
141 //
142 // *HasError = TRUE;
143
144 return FALSE;
145 }
146
147#endif // SCRIPT_ENGINE_KERNEL_MODE
148
149#ifdef SCRIPT_ENGINE_USER_MODE
150 *(BYTE *)Address = Value;
151#endif // SCRIPT_ENGINE_USER_MODE
152
153#ifdef SCRIPT_ENGINE_KERNEL_MODE
154 MemoryMapperWriteMemorySafeOnTargetProcess(Address, &Value, sizeof(BYTE));
155#endif // SCRIPT_ENGINE_KERNEL_MODE
156
157 return TRUE;
158}
BYTE
unsigned char BYTE
Definition BasicTypes.h:24
MemoryMapperWriteMemorySafeOnTargetProcess
_Use_decl_annotations_ BOOLEAN MemoryMapperWriteMemorySafeOnTargetProcess(UINT64 Destination, PVOID Source, SIZE_T Size)
Write memory safely by mapping the buffer on the target process memory (It's a wrapper)
Definition MemoryMapper.c:1165
Value
RequestedActionOfThePacket Value(0x1) 00000000

◆ ScriptEngineFunctionEd()

BOOLEAN ScriptEngineFunctionEd ( UINT64 Address,
DWORD Value,
BOOL * HasError )

Implementation of ed function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
92{
93 UNREFERENCED_PARAMETER(HasError);
94
95#ifdef SCRIPT_ENGINE_KERNEL_MODE
96
97 if (!CheckAccessValidityAndSafety(Address, sizeof(DWORD)))
98 {
99 //
100 // Instead of indicating an error, just return false
101 // to assign it as a return result to a variable
102 //
103 // *HasError = TRUE;
104
105 return FALSE;
106 }
107
108#endif // SCRIPT_ENGINE_KERNEL_MODE
109
110#ifdef SCRIPT_ENGINE_USER_MODE
111 *(DWORD *)Address = Value;
112#endif // SCRIPT_ENGINE_USER_MODE
113
114#ifdef SCRIPT_ENGINE_KERNEL_MODE
115 MemoryMapperWriteMemorySafeOnTargetProcess(Address, &Value, sizeof(DWORD));
116#endif // SCRIPT_ENGINE_KERNEL_MODE
117
118 return TRUE;
119}
DWORD
unsigned long DWORD
Definition BasicTypes.h:22

◆ ScriptEngineFunctionEq()

BOOLEAN ScriptEngineFunctionEq ( UINT64 Address,
QWORD Value,
BOOL * HasError )

Implementation of eq function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
53{
54 UNREFERENCED_PARAMETER(HasError);
55
56#ifdef SCRIPT_ENGINE_KERNEL_MODE
57
58 if (!CheckAccessValidityAndSafety(Address, sizeof(QWORD)))
59 {
60 //
61 // Instead of indicating an error, just return false
62 // to assign it as a return result to a variable
63 //
64 // *HasError = TRUE;
65
66 return FALSE;
67 }
68
69#endif // SCRIPT_ENGINE_KERNEL_MODE
70
71#ifdef SCRIPT_ENGINE_USER_MODE
72 *(UINT64 *)Address = Value;
73#endif // SCRIPT_ENGINE_USER_MODE
74
75#ifdef SCRIPT_ENGINE_KERNEL_MODE
76 MemoryMapperWriteMemorySafeOnTargetProcess(Address, &Value, sizeof(QWORD));
77#endif // SCRIPT_ENGINE_KERNEL_MODE
78
79 return TRUE;
80}
QWORD
unsigned long long QWORD
Definition BasicTypes.h:20

◆ ScriptEngineFunctionEventClear()

VOID ScriptEngineFunctionEventClear ( UINT64 EventId)

Implementation of event_clear function.

Parameters
EventId
Returns
VOID
762{
763#ifdef SCRIPT_ENGINE_USER_MODE
764 ShowMessages("err, disabling events is not possible in user-mode\n");
765#endif // SCRIPT_ENGINE_USER_MODE
766
767#ifdef SCRIPT_ENGINE_KERNEL_MODE
768
769 BOOLEAN PoolManagerAllocatedMemory = FALSE;
770
771 if (g_KernelDebuggerState && EnableInstantEventMechanism)
772 {
773 PoolManagerAllocatedMemory = TRUE;
774 }
775
776 if (!DebuggerClearEvent(EventId + DebuggerEventTagStartSeed, VmFuncVmxGetCurrentExecutionMode(), PoolManagerAllocatedMemory))
777 {
778 LogInfo("Invalid tag id (%x)", EventId);
779 }
780#endif // SCRIPT_ENGINE_KERNEL_MODE
781}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
EnableInstantEventMechanism
#define EnableInstantEventMechanism
Enable or disable the instant event mechanism.
Definition Configuration.h:75
DebuggerEventTagStartSeed
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:222
DebuggerClearEvent
BOOLEAN DebuggerClearEvent(UINT64 Tag, BOOLEAN InputFromVmxRoot, BOOLEAN PoolManagerAllocatedMemory)
Clear an event by tag.
Definition Debugger.c:2400
VmFuncVmxGetCurrentExecutionMode
BOOLEAN VmFuncVmxGetCurrentExecutionMode()
Get the current VMX operation state.
Definition Export.c:552
LogInfo
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
g_KernelDebuggerState
BOOLEAN g_KernelDebuggerState
shows whether the kernel debugger is enabled or disabled
Definition Global.h:103
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96

◆ ScriptEngineFunctionEventDisable()

VOID ScriptEngineFunctionEventDisable ( UINT64 EventId)

Implementation of event_disable function.

Parameters
EventId
Returns
VOID
740{
741#ifdef SCRIPT_ENGINE_USER_MODE
742 ShowMessages("err, disabling events is not possible in user-mode\n");
743#endif // SCRIPT_ENGINE_USER_MODE
744
745#ifdef SCRIPT_ENGINE_KERNEL_MODE
746 if (!DebuggerDisableEvent(EventId + DebuggerEventTagStartSeed))
747 {
748 LogInfo("Invalid tag id (%x)", EventId);
749 }
750#endif // SCRIPT_ENGINE_KERNEL_MODE
751}
DebuggerDisableEvent
BOOLEAN DebuggerDisableEvent(UINT64 Tag)
Disable an event by tag.
Definition Debugger.c:2363

◆ ScriptEngineFunctionEventEnable()

VOID ScriptEngineFunctionEventEnable ( UINT64 EventId)

Implementation of event_enable function.

Parameters
EventId
Returns
VOID
718{
719#ifdef SCRIPT_ENGINE_USER_MODE
720 ShowMessages("err, enabling events is not possible in user-mode\n");
721#endif // SCRIPT_ENGINE_USER_MODE
722
723#ifdef SCRIPT_ENGINE_KERNEL_MODE
724 if (!DebuggerEnableEvent(EventId + DebuggerEventTagStartSeed))
725 {
726 LogInfo("Invalid tag id (%x)", EventId);
727 }
728#endif // SCRIPT_ENGINE_KERNEL_MODE
729}
DebuggerEnableEvent
BOOLEAN DebuggerEnableEvent(UINT64 Tag)
Enable an event by tag.
Definition Debugger.c:2302

◆ ScriptEngineFunctionEventInject()

VOID ScriptEngineFunctionEventInject ( UINT32 InterruptionType,
UINT32 Vector,
BOOL * HasError )

Implementation of event_inject function.

Parameters
InterruptionType
Vector
HasError
Returns
VOID
1505{
1506 UNREFERENCED_PARAMETER(HasError);
1507
1508#ifdef SCRIPT_ENGINE_USER_MODE
1509
1510 ShowMessages("err, event_inject is not supported in user-mode\n");
1511
1512#endif // SCRIPT_ENGINE_USER_MODE
1513
1514#ifdef SCRIPT_ENGINE_KERNEL_MODE
1515
1516 //
1517 // Validate the arguments
1518 //
1519 if (Vector >= 256 || InterruptionType >= 8)
1520 {
1521 LogInfo("Err, invalid event vector or interruption type is specified");
1522 return;
1523 }
1524 else
1525 {
1526 VmFuncEventInjectInterruption(InterruptionType, Vector, FALSE, 0);
1527 }
1528
1529#endif // SCRIPT_ENGINE_KERNEL_MODE
1530}
VmFuncEventInjectInterruption
VOID VmFuncEventInjectInterruption(UINT32 InterruptionType, UINT32 Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
Inject interrupt/faults/exceptions.
Definition Export.c:662

◆ ScriptEngineFunctionEventInjectErrorCode()

VOID ScriptEngineFunctionEventInjectErrorCode ( UINT32 InterruptionType,
UINT32 Vector,
UINT32 ErrorCode,
BOOL * HasError )

Implementation of event_inject_error_code function.

Parameters
InterruptionType
Vector
ErrorCode
HasError
Returns
VOID
1543{
1544 UNREFERENCED_PARAMETER(HasError);
1545
1546#ifdef SCRIPT_ENGINE_USER_MODE
1547
1548 ShowMessages("err, event_inject is not supported in user-mode\n");
1549
1550#endif // SCRIPT_ENGINE_USER_MODE
1551
1552#ifdef SCRIPT_ENGINE_KERNEL_MODE
1553
1554 //
1555 // Validate the arguments
1556 //
1557 if (Vector >= 256 || InterruptionType >= 8)
1558 {
1559 LogInfo("Err, invalid event vector or interruption type is specified");
1560 return;
1561 }
1562 else
1563 {
1564 VmFuncEventInjectInterruption(InterruptionType, Vector, TRUE, ErrorCode);
1565 }
1566
1567#endif // SCRIPT_ENGINE_KERNEL_MODE
1568}

◆ ScriptEngineFunctionEventTraceInstrumentationStep()

VOID ScriptEngineFunctionEventTraceInstrumentationStep ( )

Implementation of event_trace_instrumentation_step function.

Returns
VOID
1694{
1695#ifdef SCRIPT_ENGINE_USER_MODE
1696 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
1697#endif // SCRIPT_ENGINE_USER_MODE
1698
1699#ifdef SCRIPT_ENGINE_KERNEL_MODE
1700
1701 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1702
1703 //
1704 // Call instrumentation step in
1705 //
1706 TracingPerformInstrumentationStepIn(&g_DbgState[CurrentCore]);
1707
1708#endif // SCRIPT_ENGINE_KERNEL_MODE
1709}
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
TracingPerformInstrumentationStepIn
VOID TracingPerformInstrumentationStepIn(PROCESSOR_DEBUGGING_STATE *DbgState)
Perform tracing of instructions (instrumentation step-in)
Definition Tracing.c:22
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17

◆ ScriptEngineFunctionEventTraceStepIn()

VOID ScriptEngineFunctionEventTraceStepIn ( )

Implementation of event_trace_step_in function.

Returns
VOID
1718{
1719#ifdef SCRIPT_ENGINE_USER_MODE
1720 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
1721#endif // SCRIPT_ENGINE_USER_MODE
1722
1723#ifdef SCRIPT_ENGINE_KERNEL_MODE
1724
1725 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1726
1727 //
1728 // Call instrumentation step in
1729 //
1730 TracingPerformRegularStepInInstruction(&g_DbgState[CurrentCore]);
1731
1732#endif // SCRIPT_ENGINE_KERNEL_MODE
1733}
TracingPerformRegularStepInInstruction
VOID TracingPerformRegularStepInInstruction(PROCESSOR_DEBUGGING_STATE *DbgState)
Regular step-in | step one instruction to the debuggee.
Definition Tracing.c:113

◆ ScriptEngineFunctionFlush()

VOID ScriptEngineFunctionFlush ( )

Implementation of flush function.

Returns
VOID
867{
868#ifdef SCRIPT_ENGINE_USER_MODE
869 ShowMessages("err, it's not possible to flush buffers in user-mode\n");
870#endif // SCRIPT_ENGINE_USER_MODE
871
872#ifdef SCRIPT_ENGINE_KERNEL_MODE
873
874 //
875 // Mark all buffers as read
876 //
877 LogMarkAllAsRead(TRUE);
878 LogMarkAllAsRead(FALSE);
879
880#endif // SCRIPT_ENGINE_KERNEL_MODE
881}
LogMarkAllAsRead
UINT32 LogMarkAllAsRead(BOOLEAN IsVmxRoot)
Mark all buffers as read.
Definition Logging.c:558

◆ ScriptEngineFunctionFormats()

VOID ScriptEngineFunctionFormats ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of formats function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
930{
931#ifdef SCRIPT_ENGINE_USER_MODE
932
933 ScriptEngineFunctionTestStatement(Tag, ImmediateMessagePassing, Value);
934
935#endif // SCRIPT_ENGINE_USER_MODE
936
937#ifdef SCRIPT_ENGINE_KERNEL_MODE
938 if (g_KernelDebuggerState)
939 {
940 KdSendFormatsFunctionResult(Value);
941 }
942 else
943 {
944 //
945 // Prepare a buffer to bypass allocating a huge stack space for logging
946 //
947 char TempBuffer[20] = {0};
948 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx\n", Value);
949
950 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
951 }
952#endif // SCRIPT_ENGINE_KERNEL_MODE
953}
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ScriptEngineFunctionTestStatement
VOID ScriptEngineFunctionTestStatement(UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
Implementation of test_statement function.
Definition Functions.c:392
Tag
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:168
LogSimpleWithTag
#define LogSimpleWithTag(tag, isimmdte, buffer, len)
Log without any prefix and bypass the stack problem (getting two temporary stacks in preparing phase)
Definition HyperDbgHyperLogIntrinsics.h:142
KdSendFormatsFunctionResult
VOID KdSendFormatsFunctionResult(UINT64 Value)
Notify user-mode to unload the debuggee and close the connections.
Definition Kd.c:900

◆ ScriptEngineFunctionInterlockedCompareExchange()

long long ScriptEngineFunctionInterlockedCompareExchange ( long long volatile * Destination,
long long ExChange,
long long Comperand,
BOOL * HasError )

Implementation of interlocked_compare_exchange function.

Parameters
Destination
ExChange
Comperand
HasError
Returns
long long
691{
692 long long Result = 0;
693
694#ifdef SCRIPT_ENGINE_KERNEL_MODE
695
696 if (!CheckAccessValidityAndSafety((UINT64)Destination, sizeof(long long)))
697 {
698 *HasError = TRUE;
699 return (long long)NULL;
700 }
701
702#endif // SCRIPT_ENGINE_KERNEL_MODE
703
704 Result = InterlockedCompareExchange64(Destination, ExChange, Comperand);
705
706 return Result;
707}
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ ScriptEngineFunctionInterlockedDecrement()

long long ScriptEngineFunctionInterlockedDecrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_decrement function.

Parameters
Addend
HasError
Returns
long long
658{
659 long long Result = 0;
660
661#ifdef SCRIPT_ENGINE_KERNEL_MODE
662
663 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
664 {
665 *HasError = TRUE;
666 return (long long)NULL;
667 }
668
669#endif // SCRIPT_ENGINE_KERNEL_MODE
670
671 Result = InterlockedDecrement64(Addend);
672
673 return Result;
674}

◆ ScriptEngineFunctionInterlockedExchange()

long long ScriptEngineFunctionInterlockedExchange ( long long volatile * Target,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange function.

Parameters
Target
Value
HasError
Returns
long long
572{
573 long long Result = 0;
574
575#ifdef SCRIPT_ENGINE_KERNEL_MODE
576
577 if (!CheckAccessValidityAndSafety((UINT64)Target, sizeof(long long)))
578 {
579 *HasError = TRUE;
580 return (long long)NULL;
581 }
582
583#endif // SCRIPT_ENGINE_KERNEL_MODE
584
585 Result = InterlockedExchange64(Target, Value);
586
587 return Result;
588}

◆ ScriptEngineFunctionInterlockedExchangeAdd()

long long ScriptEngineFunctionInterlockedExchangeAdd ( long long volatile * Addend,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange_add function.

Parameters
Addend
Value
HasError
Returns
long long
602{
603 long long Result = 0;
604
605#ifdef SCRIPT_ENGINE_KERNEL_MODE
606
607 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
608 {
609 *HasError = TRUE;
610 return (long long)NULL;
611 }
612
613#endif // SCRIPT_ENGINE_KERNEL_MODE
614
615 Result = InterlockedExchangeAdd64(Addend, Value);
616
617 return Result;
618}

◆ ScriptEngineFunctionInterlockedIncrement()

long long ScriptEngineFunctionInterlockedIncrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_increment function.

Parameters
Addend
HasError
Returns
long long
630{
631 long long Result = 0;
632
633#ifdef SCRIPT_ENGINE_KERNEL_MODE
634
635 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
636 {
637 *HasError = TRUE;
638 return (long long)NULL;
639 }
640
641#endif // SCRIPT_ENGINE_KERNEL_MODE
642
643 Result = InterlockedIncrement64(Addend);
644
645 return Result;
646}

◆ ScriptEngineFunctionMemcmp()

UINT64 ScriptEngineFunctionMemcmp ( const char * Address1,
const char * Address2,
size_t Count )

Implementation of memcmp function.

Parameters
Address1
Address2
Count
Returns
UINT64
1674{
1675 UINT64 Result = 0;
1676#ifdef SCRIPT_ENGINE_USER_MODE
1677 Result = memcmp(Address1, Address2, Count);
1678#endif // SCRIPT_ENGINE_USER_MODE
1679
1680#ifdef SCRIPT_ENGINE_KERNEL_MODE
1681 Result = VmFuncVmxCompatibleMemcmp(Address1, Address2, Count);
1682#endif // SCRIPT_ENGINE_KERNEL_MODE
1683
1684 return Result;
1685}
VmFuncVmxCompatibleMemcmp
INT32 VmFuncVmxCompatibleMemcmp(const CHAR *Address1, const CHAR *Address2, size_t Count)
VMX-root compatible memcmp.
Definition Export.c:787

◆ ScriptEngineFunctionMemcpy()

VOID ScriptEngineFunctionMemcpy ( UINT64 Destination,
UINT64 Source,
UINT32 Num,
BOOL * HasError )

A VMX-compatible equivalent of memcpy function in C.

Parameters
Destination
Source
Num
HasError
Returns
VOID
202{
203 UINT64 PrevReadLen = 0;
204 BYTE MovingBuffer[DebuggerScriptEngineMemcpyMovingBufferSize] = {0};
205
206#ifdef SCRIPT_ENGINE_USER_MODE
207
208 //
209 // Check the destination address
210 //
211 if (!CheckAccessValidityAndSafety(Destination, Num))
212 {
213 *HasError = TRUE;
214 return;
215 }
216
217 //
218 // Check the source address
219 //
220 if (!CheckAccessValidityAndSafety(Source, Num))
221 {
222 *HasError = TRUE;
223 return;
224 }
225
226 //
227 // Address is valid, perform the memcpy in user-mode
228 //
229 memcpy((void *)Destination, (void *)Source, Num);
230
231#endif // SCRIPT_ENGINE_USER_MODE
232
233#ifdef SCRIPT_ENGINE_KERNEL_MODE
234
235 //
236 // Check the destination address
237 //
238 if (!CheckAccessValidityAndSafety(Destination, Num))
239 {
240 *HasError = TRUE;
241 return;
242 }
243
244 //
245 // Check the source address
246 //
247 if (!CheckAccessValidityAndSafety(Source, Num))
248 {
249 *HasError = TRUE;
250 return;
251 }
252
253 //
254 // Address is valid, perform the memcpy in kernel-mode (VMX-root mode)
255 //
256 while (Num > 0)
257 {
258 //
259 // Check the target buffer size
260 //
261 if (Num > DebuggerScriptEngineMemcpyMovingBufferSize)
262 {
263 //
264 // *** The size of read buffer is greater to maximum the moving buffer size ***
265 //
266
267 //
268 // Read memory into the buffer
269 //
270 MemoryMapperReadMemorySafeOnTargetProcess(Source + PrevReadLen, MovingBuffer, DebuggerScriptEngineMemcpyMovingBufferSize);
271
272 //
273 // Write the moving buffer into the target buffer
274 //
275 MemoryMapperWriteMemorySafeOnTargetProcess(Destination + PrevReadLen, MovingBuffer, DebuggerScriptEngineMemcpyMovingBufferSize);
276
277 //
278 // Computing the bytes that we read
279 //
280 PrevReadLen += DebuggerScriptEngineMemcpyMovingBufferSize;
281 Num -= DebuggerScriptEngineMemcpyMovingBufferSize;
282 }
283 else
284 {
285 //
286 // *** The size of read buffer is lower than or equal to the moving buffer size ***
287 //
288
289 //
290 // Read memory into the buffer
291 //
292 MemoryMapperReadMemorySafeOnTargetProcess(Source + PrevReadLen, MovingBuffer, Num);
293
294 //
295 // Write the moving buffer into the target buffer
296 //
297 MemoryMapperWriteMemorySafeOnTargetProcess(Destination + PrevReadLen, MovingBuffer, Num);
298
299 //
300 // Computing the bytes that we gonna read
301 //
302 PrevReadLen += Num;
303 Num = 0; // or Num -= Num;
304 }
305 }
306
307#endif // SCRIPT_ENGINE_KERNEL_MODE
308}
DebuggerScriptEngineMemcpyMovingBufferSize
#define DebuggerScriptEngineMemcpyMovingBufferSize
The size of each chunk of memory used in the 'memcpy' function of the script engine for transferring ...
Definition Constants.h:250
MemoryMapperReadMemorySafeOnTargetProcess
_Use_decl_annotations_ BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(UINT64 VaAddressToRead, PVOID BufferToSaveMemory, SIZE_T SizeToRead)
Read memory safely by mapping the buffer on the target process memory (It's a wrapper)
Definition MemoryMapper.c:1120

◆ ScriptEngineFunctionPause()

VOID ScriptEngineFunctionPause ( ACTION_BUFFER * ActionDetail,
PGUEST_REGS GuestRegs )

Implementation of pause function.

Parameters
ActionDetail
GuestRegs
Returns
VOID
795{
796#ifdef SCRIPT_ENGINE_USER_MODE
797 ShowMessages("err, breaking is not possible in user-mode\n");
798#endif // SCRIPT_ENGINE_USER_MODE
799
800#ifdef SCRIPT_ENGINE_KERNEL_MODE
801
802 //
803 // pause(); function is only working when kernel debugger is working
804 // it's not designed to work on vmi-mode (local debugging)
805 //
806 if (g_KernelDebuggerState && g_DebuggeeHaltReason == DEBUGGEE_PAUSING_REASON_NOT_PAUSED)
807 {
808 DEBUGGER_TRIGGERED_EVENT_DETAILS TriggeredEventDetail = {0};
809 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
810
811 //
812 // Make the details of context
813 //
814 TriggeredEventDetail.Tag = ActionDetail->Tag;
815 TriggeredEventDetail.Context = (PVOID)ActionDetail->Context;
816
817 if (ActionDetail->CallingStage == 1)
818 {
819 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION;
820 }
821 else
822 {
823 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION;
824 }
825
826 if (VmFuncVmxGetCurrentExecutionMode() == TRUE)
827 {
828 //
829 // The guest is already in vmx-root mode
830 // Halt other cores
831 //
832
833 KdHandleBreakpointAndDebugBreakpointsCallback(
834 CurrentCore,
835 DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED,
836 &TriggeredEventDetail);
837 }
838 else
839 {
840 //
841 // The guest is on vmx non-root mode, the first parameter
842 // is context and the second parameter is tag
843 //
844 VmFuncVmxVmcall(DEBUGGER_VMCALL_VM_EXIT_HALT_SYSTEM_AS_A_RESULT_OF_TRIGGERING_EVENT,
845 (UINT64)&TriggeredEventDetail,
846 (UINT64)GuestRegs,
847 (UINT64)NULL);
848 }
849 }
850 else
851 {
852 LogInfo("The 'pause();' function is either called from the vmi-mode or is "
853 "evaluated by the '?' command. It's not allowed to use it on vmi-mode "
854 "(local debugging) or by the '?' command");
855 }
856
857#endif // SCRIPT_ENGINE_KERNEL_MODE
858}
DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED
Definition Connection.h:35
DEBUGGEE_PAUSING_REASON_NOT_PAUSED
@ DEBUGGEE_PAUSING_REASON_NOT_PAUSED
Definition Connection.h:24
VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:93
VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:94
DEBUGGER_VMCALL_VM_EXIT_HALT_SYSTEM_AS_A_RESULT_OF_TRIGGERING_EVENT
#define DEBUGGER_VMCALL_VM_EXIT_HALT_SYSTEM_AS_A_RESULT_OF_TRIGGERING_EVENT
VMCALL to cause vm-exit and halt the system because of triggering an event.
Definition DebuggerVmcalls.h:29
VmFuncVmxVmcall
NTSTATUS VmFuncVmxVmcall(unsigned long long VmcallNumber, unsigned long long OptionalParam1, unsigned long long OptionalParam2, unsigned long long OptionalParam3)
Export for running VMX VMCALLs.
Definition Export.c:683
KdHandleBreakpointAndDebugBreakpointsCallback
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpointsCallback(UINT32 CoreId, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle #DBs and #BPs for kernel debugger.
Definition Kd.c:1124
g_DebuggeeHaltReason
DEBUGGEE_PAUSING_REASON g_DebuggeeHaltReason
Reason that the debuggee is halted.
Definition Global.h:127
_DEBUGGER_TRIGGERED_EVENT_DETAILS
The structure of detail of a triggered event in HyperDbg.
Definition DataTypes.h:192
_DEBUGGER_TRIGGERED_EVENT_DETAILS::Tag
UINT64 Tag
Definition DataTypes.h:193
_DEBUGGER_TRIGGERED_EVENT_DETAILS::Context
PVOID Context
Definition DataTypes.h:194
ACTION_BUFFER::Context
long long unsigned Context
Definition ScriptEngineCommonDefinitions.h:38
ACTION_BUFFER::Tag
long long unsigned Tag
Definition ScriptEngineCommonDefinitions.h:35
ACTION_BUFFER::CallingStage
char CallingStage
Definition ScriptEngineCommonDefinitions.h:39

◆ ScriptEngineFunctionPhysicalToVirtual()

UINT64 ScriptEngineFunctionPhysicalToVirtual ( UINT64 Address)

Convert physical address to virtual address.

Parameters
Address
Returns
UINT64
339{
340#ifdef SCRIPT_ENGINE_USER_MODE
341
342 //
343 // There is no conversion in user-mode
344 //
345 return NULL;
346#endif // SCRIPT_ENGINE_USER_MODE
347
348#ifdef SCRIPT_ENGINE_KERNEL_MODE
349
350 return PhysicalAddressToVirtualAddressOnTargetProcess((PVOID)Address);
351
352#endif // SCRIPT_ENGINE_KERNEL_MODE
353}
PhysicalAddressToVirtualAddressOnTargetProcess
_Use_decl_annotations_ UINT64 PhysicalAddressToVirtualAddressOnTargetProcess(PVOID PhysicalAddress)
Converts Physical Address to Virtual Address based on current process's kernel cr3.
Definition Conversion.c:137

◆ ScriptEngineFunctionPrint()

VOID ScriptEngineFunctionPrint ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of print function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
365{
366#ifdef SCRIPT_ENGINE_USER_MODE
367 ShowMessages("%llx\n", Value);
368#endif // SCRIPT_ENGINE_USER_MODE
369
370#ifdef SCRIPT_ENGINE_KERNEL_MODE
371
372 //
373 // Prepare a buffer to bypass allocating a huge stack space for logging
374 //
375 char TempBuffer[20] = {0};
376 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx", Value);
377
378 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
379
380#endif // SCRIPT_ENGINE_KERNEL_MODE
381}

◆ ScriptEngineFunctionPrintf()

VOID ScriptEngineFunctionPrintf ( PGUEST_REGS GuestRegs,
ACTION_BUFFER * ActionDetail,
SCRIPT_ENGINE_VARIABLES_LIST * VariablesList,
UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
char * Format,
UINT64 ArgCount,
PSYMBOL FirstArg,
BOOLEAN * HasError,
SYMBOL_BUFFER * StackBuffer,
UINT64 * StackIndx,
UINT64 * StackBaseIndx,
UINT64 * ReturnValue )

Implementation of printf function.

Parameters
GuestRegs
ActionDetail
VariablesList
Tag
ImmediateMessagePassing
Format
ArgCount
FirstArg
HasError
Returns
VOID
1283{
1284 //
1285 // *** The printf function ***
1286 //
1287
1288 char FinalBuffer[PacketChunkSize] = {0};
1289 UINT32 CurrentPositionInFinalBuffer = 0;
1290 UINT32 CurrentProcessedPositionFromStartOfFormat = 0;
1291 BOOLEAN WithoutAnyFormatSpecifier = TRUE;
1292
1293 UINT64 Val;
1294 UINT32 Position;
1295 UINT32 LenOfFormats = (UINT32)strlen(Format) + 1;
1296 PSYMBOL Symbol;
1297
1298 *HasError = FALSE;
1299
1300 for (int i = 0; i < ArgCount; i++)
1301 {
1302 WithoutAnyFormatSpecifier = FALSE;
1303 Symbol = FirstArg + i;
1304
1305 //
1306 // Address is either wstring (%ws) or string (%s)
1307 //
1308
1309 Position = (Symbol->Type >> 32) + 1;
1310
1311 SYMBOL TempSymbol = {0};
1312 memcpy(&TempSymbol, Symbol, sizeof(SYMBOL));
1313 TempSymbol.Type &= 0x7fffffff;
1314
1315 Val = GetValue(GuestRegs, ActionDetail, VariablesList, &TempSymbol, FALSE, StackBuffer, StackIndx, StackBaseIndx, ReturnValue);
1316
1317 CHAR PercentageChar = Format[Position];
1318
1319 /*
1320 printf("position = %d is %c%c \n", Position, PercentageChar,
1321 IndicatorChar1);
1322 */
1323
1324 if (CurrentProcessedPositionFromStartOfFormat != Position)
1325 {
1326 //
1327 // There is some strings before this format specifier
1328 // we should move it to the buffer
1329 //
1330 UINT32 StringLen = Position - CurrentProcessedPositionFromStartOfFormat;
1331
1332 //
1333 // Check final buffer capacity
1334 //
1335 if (CurrentPositionInFinalBuffer + StringLen < sizeof(FinalBuffer))
1336 {
1337 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1338 &Format[CurrentProcessedPositionFromStartOfFormat],
1339 StringLen);
1340
1341 CurrentProcessedPositionFromStartOfFormat += StringLen;
1342 CurrentPositionInFinalBuffer += StringLen;
1343 }
1344 }
1345
1346 //
1347 // Double check and apply
1348 //
1349 if (PercentageChar == '%')
1350 {
1351 //
1352 // Set first character of specifier
1353 //
1354 CHAR FormatSpecifier[5] = {0};
1355 FormatSpecifier[0] = '%';
1356
1357 //
1358 // Read second char
1359 //
1360 CHAR IndicatorChar2 = Format[Position + 1];
1361
1362 //
1363 // Check if IndicatorChar2 is 2 character long or more
1364 //
1365 if (IndicatorChar2 == 'l' || IndicatorChar2 == 'w' ||
1366 IndicatorChar2 == 'h')
1367 {
1368 //
1369 // Set second char in format specifier
1370 //
1371 FormatSpecifier[1] = IndicatorChar2;
1372
1373 if (IndicatorChar2 == 'l' && Format[Position + 2] == 'l')
1374 {
1375 //
1376 // Set third character in format specifier "ll"
1377 //
1378 FormatSpecifier[2] = 'l';
1379
1380 //
1381 // Set last character
1382 //
1383 FormatSpecifier[3] = Format[Position + 3];
1384 }
1385 else
1386 {
1387 //
1388 // Set last character
1389 //
1390 FormatSpecifier[2] = Format[Position + 2];
1391 }
1392 }
1393 else
1394 {
1395 //
1396 // It's a one char specifier (Set last character)
1397 //
1398 FormatSpecifier[1] = IndicatorChar2;
1399 }
1400
1401 //
1402 // Apply the specifier
1403 //
1404 if (!strncmp(FormatSpecifier, "%s", 2))
1405 {
1406 //
1407 // for string
1408 //
1409 if (!ApplyStringFormatSpecifier(
1410 "%s",
1411 FinalBuffer,
1412 &CurrentProcessedPositionFromStartOfFormat,
1413 &CurrentPositionInFinalBuffer,
1414 Val,
1415 FALSE,
1416 sizeof(FinalBuffer)))
1417 {
1418 *HasError = TRUE;
1419 return;
1420 }
1421 }
1422 else if (!strncmp(FormatSpecifier, "%ls", 3) ||
1423 !strncmp(FormatSpecifier, "%ws", 3))
1424 {
1425 //
1426 // for wide string (not important if %ls or %ws , only the length is
1427 // important)
1428 //
1429 if (!ApplyStringFormatSpecifier(
1430 "%ws",
1431 FinalBuffer,
1432 &CurrentProcessedPositionFromStartOfFormat,
1433 &CurrentPositionInFinalBuffer,
1434 Val,
1435 TRUE,
1436 sizeof(FinalBuffer)))
1437 {
1438 *HasError = TRUE;
1439 return;
1440 }
1441 }
1442 else
1443 {
1444 ApplyFormatSpecifier(FormatSpecifier, FinalBuffer, &CurrentProcessedPositionFromStartOfFormat, &CurrentPositionInFinalBuffer, Val, sizeof(FinalBuffer));
1445 }
1446 }
1447 }
1448
1449 if (WithoutAnyFormatSpecifier)
1450 {
1451 //
1452 // Means that it's just a simple print without any format specifier
1453 //
1454 if (LenOfFormats < sizeof(FinalBuffer))
1455 {
1456 memcpy(FinalBuffer, Format, LenOfFormats);
1457 }
1458 }
1459 else
1460 {
1461 //
1462 // Check if there is anything after the last format specifier
1463 //
1464 if (LenOfFormats > CurrentProcessedPositionFromStartOfFormat)
1465 {
1466 UINT32 RemainedLen =
1467 LenOfFormats - CurrentProcessedPositionFromStartOfFormat;
1468
1469 if (CurrentPositionInFinalBuffer + RemainedLen < sizeof(FinalBuffer))
1470 {
1471 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1472 &Format[CurrentProcessedPositionFromStartOfFormat],
1473 RemainedLen);
1474 }
1475 }
1476 }
1477
1478//
1479// Print final result
1480//
1481#ifdef SCRIPT_ENGINE_USER_MODE
1482 printf("%s", FinalBuffer);
1483#endif // SCRIPT_ENGINE_USER_MODE
1484
1485#ifdef SCRIPT_ENGINE_KERNEL_MODE
1486
1487 //
1488 // Prepare a buffer to bypass allocating a huge stack space for logging
1489 //
1490 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, FinalBuffer, (UINT32)strlen(FinalBuffer) + 1);
1491
1492#endif // SCRIPT_ENGINE_KERNEL_MODE
1493}
CHAR
char CHAR
Definition BasicTypes.h:31
PacketChunkSize
#define PacketChunkSize
Size of each packet.
Definition Constants.h:179
ApplyStringFormatSpecifier
BOOLEAN ApplyStringFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, BOOLEAN IsWstring, UINT32 SizeOfFinalBuffer)
Apply string format specifiers (s, ws, etc.)
Definition Functions.c:1110
GetValue
UINT64 GetValue(PGUEST_REGS GuestRegs, PACTION_BUFFER ActionBuffer, SCRIPT_ENGINE_VARIABLES_LIST *VariablesList, PSYMBOL Symbol, BOOLEAN ReturnReference, SYMBOL_BUFFER *StackBuffer, UINT64 *StackIndx, UINT64 *StackBaseIndx, UINT64 *ReturnValue)
ApplyFormatSpecifier
VOID ApplyFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, UINT32 SizeOfFinalBuffer)
Apply format specifiers (d, x, llx, etc.)
Definition Functions.c:1031
SYMBOL
Definition ScriptEngineCommonDefinitions.h:6
SYMBOL::Type
long long unsigned Type
Definition ScriptEngineCommonDefinitions.h:7

◆ ScriptEngineFunctionShortCircuitingEvent()

VOID ScriptEngineFunctionShortCircuitingEvent ( UINT64 State,
ACTION_BUFFER * ActionDetail )

Implementation of event_ignore function.

Parameters
State
ActionDetail
Returns
VOID
892{
893#ifdef SCRIPT_ENGINE_USER_MODE
894 ShowMessages("err, it's not possible to short-circuit events in user-mode\n");
895#endif // SCRIPT_ENGINE_USER_MODE
896
897#ifdef SCRIPT_ENGINE_KERNEL_MODE
898
899 if (ActionDetail->CallingStage == 1)
900 {
901 LogWarning("Warning, calling the 'event_sc' function in the 'post' calling stage doesn't make sense as the emulation is already performed!\n"
902 "You can use this function in the 'pre' calling stage");
903 return;
904 }
905
906 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
907
908 if (State != 0)
909 {
910 g_DbgState[CurrentCore].ShortCircuitingEvent = TRUE;
911 }
912 else
913 {
914 g_DbgState[CurrentCore].ShortCircuitingEvent = FALSE;
915 }
916
917#endif // SCRIPT_ENGINE_KERNEL_MODE
918}
LogWarning
#define LogWarning(format,...)
Log in the case of warning.
Definition HyperDbgHyperLogIntrinsics.h:99
_PROCESSOR_DEBUGGING_STATE::ShortCircuitingEvent
BOOLEAN ShortCircuitingEvent
Definition State.h:170

◆ ScriptEngineFunctionSpinlockLock()

VOID ScriptEngineFunctionSpinlockLock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_lock function.

Parameters
Lock
HasError
Returns
VOID
415{
416#ifdef SCRIPT_ENGINE_USER_MODE
417
418 SpinlockLock(Lock);
419
420#endif // SCRIPT_ENGINE_USER_MODE
421
422#ifdef SCRIPT_ENGINE_KERNEL_MODE
423
424 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
425 {
426 *HasError = TRUE;
427 return;
428 }
429
430 SpinlockLock(Lock);
431
432#endif // SCRIPT_ENGINE_KERNEL_MODE
433}
SpinlockLock
void SpinlockLock(volatile LONG *Lock)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:52

◆ ScriptEngineFunctionSpinlockLockCustomWait()

VOID ScriptEngineFunctionSpinlockLockCustomWait ( volatile long * Lock,
unsigned MaxWait,
BOOL * HasError )

Implementation of spinlock_lock_custom_wait function.

Parameters
Lock
MaxWait
HasError
Returns
VOID
474{
475#ifdef SCRIPT_ENGINE_USER_MODE
476
477 SpinlockLockWithCustomWait(Lock, MaxWait);
478
479#endif // SCRIPT_ENGINE_USER_MODE
480
481#ifdef SCRIPT_ENGINE_KERNEL_MODE
482
483 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
484 {
485 *HasError = TRUE;
486 return;
487 }
488
489 SpinlockLockWithCustomWait(Lock, MaxWait);
490
491#endif // SCRIPT_ENGINE_KERNEL_MODE
492}
SpinlockLockWithCustomWait
void SpinlockLockWithCustomWait(volatile LONG *Lock, unsigned MaximumWait)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:125

◆ ScriptEngineFunctionSpinlockUnlock()

VOID ScriptEngineFunctionSpinlockUnlock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_unlock function.

Parameters
Lock
HasError
Returns
VOID
444{
445#ifdef SCRIPT_ENGINE_USER_MODE
446
447 SpinlockUnlock(Lock);
448
449#endif // SCRIPT_ENGINE_USER_MODE
450
451#ifdef SCRIPT_ENGINE_KERNEL_MODE
452
453 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
454 {
455 *HasError = TRUE;
456 return;
457 }
458
459 SpinlockUnlock(Lock);
460
461#endif // SCRIPT_ENGINE_KERNEL_MODE
462}
SpinlockUnlock
void SpinlockUnlock(volatile LONG *Lock)
Release the lock.
Definition Spinlock.c:158

◆ ScriptEngineFunctionStrcmp()

UINT64 ScriptEngineFunctionStrcmp ( const char * Address1,
const char * Address2 )

Implementation of strcmp function.

Parameters
Address1
Address2
Returns
UINT64
1580{
1581 UINT64 Result = 0;
1582#ifdef SCRIPT_ENGINE_USER_MODE
1583 Result = strcmp(Address1, Address2);
1584#endif // SCRIPT_ENGINE_USER_MODE
1585
1586#ifdef SCRIPT_ENGINE_KERNEL_MODE
1587 Result = VmFuncVmxCompatibleStrcmp(Address1, Address2);
1588#endif // SCRIPT_ENGINE_KERNEL_MODE
1589
1590 return Result;
1591}
VmFuncVmxCompatibleStrcmp
INT32 VmFuncVmxCompatibleStrcmp(const CHAR *Address1, const CHAR *Address2)
VMX-root compatible strcmp.
Definition Export.c:732

◆ ScriptEngineFunctionStrlen()

UINT64 ScriptEngineFunctionStrlen ( const char * Address)

Implementation of strlen function.

Parameters
Address
Returns
UINT64
502{
503 UINT64 Result = 0;
504#ifdef SCRIPT_ENGINE_USER_MODE
505 Result = strlen(Address);
506#endif // SCRIPT_ENGINE_USER_MODE
507
508#ifdef SCRIPT_ENGINE_KERNEL_MODE
509 Result = VmFuncVmxCompatibleStrlen(Address);
510#endif // SCRIPT_ENGINE_KERNEL_MODE
511
512 return Result;
513}
VmFuncVmxCompatibleStrlen
UINT32 VmFuncVmxCompatibleStrlen(const CHAR *s)
VMX-root compatible strlen.
Definition Export.c:599

◆ ScriptEngineFunctionStrncmp()

UINT64 ScriptEngineFunctionStrncmp ( const char * Address1,
const char * Address2,
size_t Num )

Implementation of strcmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1604{
1605 UINT64 Result = 0;
1606#ifdef SCRIPT_ENGINE_USER_MODE
1607 Result = strncmp(Address1, Address2, Num);
1608#endif // SCRIPT_ENGINE_USER_MODE
1609
1610#ifdef SCRIPT_ENGINE_KERNEL_MODE
1611 Result = VmFuncVmxCompatibleStrncmp(Address1, Address2, Num);
1612#endif // SCRIPT_ENGINE_KERNEL_MODE
1613
1614 return Result;
1615}
VmFuncVmxCompatibleStrncmp
INT32 VmFuncVmxCompatibleStrncmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Num)
VMX-root compatible strncmp.
Definition Export.c:746

◆ ScriptEngineFunctionTestStatement()

VOID ScriptEngineFunctionTestStatement ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of test_statement function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
393{
394 UNREFERENCED_PARAMETER(Tag);
395 UNREFERENCED_PARAMETER(ImmediateMessagePassing);
396 UNREFERENCED_PARAMETER(Value);
397
398#ifdef SCRIPT_ENGINE_USER_MODE
399
400 g_CurrentExprEvalResult = Value;
401 g_CurrentExprEvalResultHasError = FALSE;
402
403#endif // SCRIPT_ENGINE_USER_MODE
404}
g_CurrentExprEvalResultHasError
BOOLEAN g_CurrentExprEvalResultHasError
global variable to detect if there was an error in the result of script-engine statement tests
Definition globals.h:671
g_CurrentExprEvalResult
UINT64 g_CurrentExprEvalResult
global variable to save the result of script-engine statement tests
Definition globals.h:664

◆ ScriptEngineFunctionVirtualToPhysical()

UINT64 ScriptEngineFunctionVirtualToPhysical ( UINT64 Address)
315{
316#ifdef SCRIPT_ENGINE_USER_MODE
317
318 //
319 // There is no conversion in user-mode
320 //
321 return NULL;
322#endif // SCRIPT_ENGINE_USER_MODE
323
324#ifdef SCRIPT_ENGINE_KERNEL_MODE
325
326 return VirtualAddressToPhysicalAddressOnTargetProcess((PVOID)Address);
327
328#endif // SCRIPT_ENGINE_KERNEL_MODE
329}
VirtualAddressToPhysicalAddressOnTargetProcess
_Use_decl_annotations_ UINT64 VirtualAddressToPhysicalAddressOnTargetProcess(PVOID VirtualAddress)
Converts Virtual Address to Physical Address based on the current process's kernel cr3.
Definition Conversion.c:258

◆ ScriptEngineFunctionWcscmp()

UINT64 ScriptEngineFunctionWcscmp ( const wchar_t * Address1,
const wchar_t * Address2 )

Implementation of wcscmp function.

Parameters
Address1
Address2
Returns
UINT64
1627{
1628 UINT64 Result = 0;
1629#ifdef SCRIPT_ENGINE_USER_MODE
1630 Result = wcscmp(Address1, Address2);
1631#endif // SCRIPT_ENGINE_USER_MODE
1632
1633#ifdef SCRIPT_ENGINE_KERNEL_MODE
1634 Result = VmFuncVmxCompatibleWcscmp(Address1, Address2);
1635#endif // SCRIPT_ENGINE_KERNEL_MODE
1636
1637 return Result;
1638}
VmFuncVmxCompatibleWcscmp
INT32 VmFuncVmxCompatibleWcscmp(const wchar_t *Address1, const wchar_t *Address2)
VMX-root compatible wcscmp.
Definition Export.c:759

◆ ScriptEngineFunctionWcslen()

UINT64 ScriptEngineFunctionWcslen ( const wchar_t * Address)

Implementation of wcslen function.

Parameters
Address
Returns
UINT64
546{
547 UINT64 Result = 0;
548
549#ifdef SCRIPT_ENGINE_USER_MODE
550 Result = wcslen(Address);
551#endif // SCRIPT_ENGINE_USER_MODE
552
553#ifdef SCRIPT_ENGINE_KERNEL_MODE
554 Result = VmFuncVmxCompatibleWcslen(Address);
555#endif // SCRIPT_ENGINE_KERNEL_MODE
556
557 return Result;
558}
VmFuncVmxCompatibleWcslen
UINT32 VmFuncVmxCompatibleWcslen(const wchar_t *s)
VMX-root compatible strlen.
Definition Export.c:611

◆ ScriptEngineFunctionWcsncmp()

UINT64 ScriptEngineFunctionWcsncmp ( const wchar_t * Address1,
const wchar_t * Address2,
size_t Num )

Implementation of wcsncmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1651{
1652 UINT64 Result = 0;
1653#ifdef SCRIPT_ENGINE_USER_MODE
1654 Result = wcsncmp(Address1, Address2, Num);
1655#endif // SCRIPT_ENGINE_USER_MODE
1656
1657#ifdef SCRIPT_ENGINE_KERNEL_MODE
1658 Result = VmFuncVmxCompatibleWcsncmp(Address1, Address2, Num);
1659#endif // SCRIPT_ENGINE_KERNEL_MODE
1660
1661 return Result;
1662}
VmFuncVmxCompatibleWcsncmp
INT32 VmFuncVmxCompatibleWcsncmp(const wchar_t *Address1, const wchar_t *Address2, SIZE_T Num)
VMX-root compatible wcsncmp.
Definition Export.c:773

◆ ScriptEngineKeywordDb()

BYTE ScriptEngineKeywordDb ( PUINT64 Address,
BOOL * HasError )

Implementation of db keyword.

Parameters
Address
HasError
Returns
BYTE
130{
131 BYTE Result = NULL_ZERO;
132
133#ifdef SCRIPT_ENGINE_KERNEL_MODE
134
135 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(BYTE)))
136 {
137 *HasError = TRUE;
138
139 return NULL_ZERO;
140 }
141
142#endif // SCRIPT_ENGINE_KERNEL_MODE
143
144#ifdef SCRIPT_ENGINE_USER_MODE
145 Result = (BYTE)*Address;
146#endif // SCRIPT_ENGINE_USER_MODE
147
148#ifdef SCRIPT_ENGINE_KERNEL_MODE
149 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(BYTE));
150#endif // SCRIPT_ENGINE_KERNEL_MODE
151
152 return Result;
153}
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51

◆ ScriptEngineKeywordDd()

DWORD ScriptEngineKeywordDd ( PUINT64 Address,
BOOL * HasError )

Implementation of dd keyword.

Parameters
Address
HasError
Returns
DWORD
164{
165 DWORD Result = NULL_ZERO;
166
167#ifdef SCRIPT_ENGINE_KERNEL_MODE
168
169 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(DWORD)))
170 {
171 *HasError = TRUE;
172
173 return NULL_ZERO;
174 }
175
176#endif // SCRIPT_ENGINE_KERNEL_MODE
177
178#ifdef SCRIPT_ENGINE_USER_MODE
179 Result = (DWORD)*Address;
180#endif // SCRIPT_ENGINE_USER_MODE
181
182#ifdef SCRIPT_ENGINE_KERNEL_MODE
183 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(DWORD));
184#endif // SCRIPT_ENGINE_KERNEL_MODE
185
186 return Result;
187}

◆ ScriptEngineKeywordDq()

QWORD ScriptEngineKeywordDq ( PUINT64 Address,
BOOL * HasError )

Implementation of dq keyword.

Parameters
Address
HasError
Returns
QWORD
232{
233 QWORD Result = (QWORD)NULL;
234
235#ifdef SCRIPT_ENGINE_KERNEL_MODE
236
237 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(DWORD)))
238 {
239 *HasError = TRUE;
240
241 return (QWORD)NULL;
242 }
243
244#endif // SCRIPT_ENGINE_KERNEL_MODE
245
246#ifdef SCRIPT_ENGINE_USER_MODE
247 Result = *Address;
248#endif // SCRIPT_ENGINE_USER_MODE
249
250#ifdef SCRIPT_ENGINE_KERNEL_MODE
251 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(QWORD));
252#endif // SCRIPT_ENGINE_KERNEL_MODE
253
254 return Result;
255}

◆ ScriptEngineKeywordDw()

WORD ScriptEngineKeywordDw ( PUINT64 Address,
BOOL * HasError )

Implementation of dw keyword.

Parameters
Address
HasError
Returns
WORD
198{
199 WORD Result = NULL_ZERO;
200
201#ifdef SCRIPT_ENGINE_KERNEL_MODE
202
203 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(WORD)))
204 {
205 *HasError = TRUE;
206
207 return NULL_ZERO;
208 }
209
210#endif // SCRIPT_ENGINE_KERNEL_MODE
211
212#ifdef SCRIPT_ENGINE_USER_MODE
213 Result = (WORD)*Address;
214#endif // SCRIPT_ENGINE_USER_MODE
215
216#ifdef SCRIPT_ENGINE_KERNEL_MODE
217 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(WORD));
218#endif // SCRIPT_ENGINE_KERNEL_MODE
219
220 return Result;
221}
WORD
unsigned short WORD
Definition BasicTypes.h:25

◆ ScriptEngineKeywordHi()

WORD ScriptEngineKeywordHi ( PUINT64 Address,
BOOL * HasError )

Implementation of hi keyword.

Parameters
Address
HasError
Returns
WORD
62{
63 QWORD Result = NULL64_ZERO;
64
65#ifdef SCRIPT_ENGINE_KERNEL_MODE
66
67 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
68 {
69 *HasError = TRUE;
70
71 return NULL64_ZERO;
72 }
73
74#endif // SCRIPT_ENGINE_KERNEL_MODE
75
76#ifdef SCRIPT_ENGINE_USER_MODE
77 Result = *Address;
78#endif // SCRIPT_ENGINE_USER_MODE
79
80#ifdef SCRIPT_ENGINE_KERNEL_MODE
81 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
82#endif // SCRIPT_ENGINE_KERNEL_MODE
83
84 return HIWORD(Result);
85}
NULL64_ZERO
#define NULL64_ZERO
Definition BasicTypes.h:52
HIWORD
#define HIWORD(l)
Definition Constants.h:555

◆ ScriptEngineKeywordLow()

WORD ScriptEngineKeywordLow ( PUINT64 Address,
BOOL * HasError )

Implementation of low keyword.

Parameters
Address
HasError
Returns
WORD
96{
97 QWORD Result = NULL64_ZERO;
98
99#ifdef SCRIPT_ENGINE_KERNEL_MODE
100
101 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
102 {
103 *HasError = TRUE;
104
105 return NULL64_ZERO;
106 }
107
108#endif // SCRIPT_ENGINE_KERNEL_MODE
109
110#ifdef SCRIPT_ENGINE_USER_MODE
111 Result = *Address;
112#endif // SCRIPT_ENGINE_USER_MODE
113
114#ifdef SCRIPT_ENGINE_KERNEL_MODE
115 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
116#endif // SCRIPT_ENGINE_KERNEL_MODE
117
118 return LOWORD(Result);
119}
LOWORD
#define LOWORD(l)
Definition Constants.h:551

◆ ScriptEngineKeywordPoi()

UINT64 ScriptEngineKeywordPoi ( PUINT64 Address,
BOOL * HasError )

Implementation of poi keyword.

Parameters
Address
HasError
Returns
UINT64
28{
29 UINT64 Result = (UINT64)NULL;
30
31#ifdef SCRIPT_ENGINE_KERNEL_MODE
32
33 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
34 {
35 *HasError = TRUE;
36
37 return (UINT64)NULL;
38 }
39
40#endif // SCRIPT_ENGINE_KERNEL_MODE
41
42#ifdef SCRIPT_ENGINE_USER_MODE
43 Result = *Address;
44#endif // SCRIPT_ENGINE_USER_MODE
45
46#ifdef SCRIPT_ENGINE_KERNEL_MODE
47 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
48#endif // SCRIPT_ENGINE_KERNEL_MODE
49
50 return Result;
51}

◆ ScriptEnginePseudoRegGetBuffer()

UINT64 ScriptEnginePseudoRegGetBuffer ( UINT64 * CorrespondingAction)

Implementation of $buffer pseudo-register.

Parameters
CorrespondingAction
Returns
UINT64
328{
329#ifdef SCRIPT_ENGINE_USER_MODE
330 //
331 // $buffer doesn't mean anything in user-mode
332 //
333 return (UINT64)NULL;
334#endif // SCRIPT_ENGINE_USER_MODE
335
336#ifdef SCRIPT_ENGINE_KERNEL_MODE
337 return ScriptEngineWrapperGetAddressOfReservedBuffer((DEBUGGER_EVENT_ACTION *)CorrespondingAction);
338#endif // SCRIPT_ENGINE_KERNEL_MODE
339}
ScriptEngineWrapperGetAddressOfReservedBuffer
UINT64 ScriptEngineWrapperGetAddressOfReservedBuffer(PDEBUGGER_EVENT_ACTION Action)
Get the address of reserved buffer.
Definition ScriptEngine.c:46
_DEBUGGER_EVENT_ACTION
The structure of actions in HyperDbg.
Definition Debugger.h:79

◆ ScriptEnginePseudoRegGetCore()

UINT64 ScriptEnginePseudoRegGetCore ( )

Implementation of $core pseudo-register.

Returns
UINT64
43{
44#ifdef SCRIPT_ENGINE_USER_MODE
45 return (UINT64)GetCurrentProcessorNumber();
46#endif // SCRIPT_ENGINE_USER_MODE
47
48#ifdef SCRIPT_ENGINE_KERNEL_MODE
49 return (UINT64)KeGetCurrentProcessorNumberEx(NULL);
50#endif // SCRIPT_ENGINE_KERNEL_MODE
51}

◆ ScriptEnginePseudoRegGetDate()

UINT64 ScriptEnginePseudoRegGetDate ( )

Implementation of date pseudo-register.

Returns
UINT64
423{
424#ifdef SCRIPT_ENGINE_USER_MODE
425 return NULL;
426#endif // SCRIPT_ENGINE_USER_MODE
427
428#ifdef SCRIPT_ENGINE_KERNEL_MODE
429
430 //
431 // Get the current core's date
432 //
433 return ScriptEngineGetTargetCoreDate();
434#endif // SCRIPT_ENGINE_KERNEL_MODE
435}
ScriptEngineGetTargetCoreDate
UINT64 ScriptEngineGetTargetCoreDate()
Update core's date time and return date.
Definition ScriptEngine.c:109

◆ ScriptEnginePseudoRegGetEventId()

UINT64 ScriptEnginePseudoRegGetEventId ( PACTION_BUFFER ActionBuffer)

Implementation of $id pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
367{
368#ifdef SCRIPT_ENGINE_USER_MODE
369 return NULL;
370#endif // SCRIPT_ENGINE_USER_MODE
371
372#ifdef SCRIPT_ENGINE_KERNEL_MODE
373 return (ActionBuffer->Tag - DebuggerEventTagStartSeed);
374#endif // SCRIPT_ENGINE_KERNEL_MODE
375}

◆ ScriptEnginePseudoRegGetEventStage()

UINT64 ScriptEnginePseudoRegGetEventStage ( PACTION_BUFFER ActionBuffer)

Implementation of stage pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
385{
386#ifdef SCRIPT_ENGINE_USER_MODE
387 return NULL;
388#endif // SCRIPT_ENGINE_USER_MODE
389
390#ifdef SCRIPT_ENGINE_KERNEL_MODE
391 return ActionBuffer->CallingStage;
392#endif // SCRIPT_ENGINE_KERNEL_MODE
393}

◆ ScriptEnginePseudoRegGetEventTag()

UINT64 ScriptEnginePseudoRegGetEventTag ( PACTION_BUFFER ActionBuffer)

Implementation of $tag pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
349{
350#ifdef SCRIPT_ENGINE_USER_MODE
351 return (UINT64)NULL;
352#endif // SCRIPT_ENGINE_USER_MODE
353
354#ifdef SCRIPT_ENGINE_KERNEL_MODE
355 return ActionBuffer->Tag;
356#endif // SCRIPT_ENGINE_KERNEL_MODE
357}

◆ ScriptEnginePseudoRegGetIp()

UINT64 ScriptEnginePseudoRegGetIp ( )

Implementation of $ip pseudo-register.

Returns
UINT64
307{
308#ifdef SCRIPT_ENGINE_USER_MODE
309 //
310 // $ip doesn't have meaning in user-moderds
311 //
312 return NULL;
313#endif // SCRIPT_ENGINE_USER_MODE
314
315#ifdef SCRIPT_ENGINE_KERNEL_MODE
316 return ScriptEngineWrapperGetInstructionPointer();
317#endif // SCRIPT_ENGINE_KERNEL_MODE
318}
ScriptEngineWrapperGetInstructionPointer
UINT64 ScriptEngineWrapperGetInstructionPointer()
Get current ip from the debugger frame.
Definition ScriptEngine.c:21

◆ ScriptEnginePseudoRegGetPeb()

UINT64 ScriptEnginePseudoRegGetPeb ( )

Implementation of $peb pseudo-register.

Returns
UINT64
160{
161#ifdef SCRIPT_ENGINE_USER_MODE
162 //
163 // Hand-rolled structs ( may cause conflict depending on your dev env )
164 //
165 struct PROCESS_BASIC_INFORMATION
166 {
167 PVOID Reserved1;
168 PVOID PebBaseAddress;
169 PVOID Reserved2[2];
170 ULONG_PTR UniqueProcessId;
171 PVOID Reserved3;
172 };
173
174 struct PEB_LDR_DATA
175 {
176 BYTE Reserved1[8];
177 PVOID Reserved2[3];
178 LIST_ENTRY InMemoryOrderModuleList;
179 };
180
181 struct PEB
182 {
183 BYTE Reserved1[2];
184 BYTE BeingDebugged;
185 BYTE Reserved2[1];
186 PVOID Reserved3[2];
187 struct PEB_LDR_DATA * Ldr;
188 PVOID ProcessParameters; /* PRTL_USER_PROCESS_PARAMETERS */
189 BYTE Reserved4[104];
190 PVOID Reserved5[52];
191 PVOID PostProcessInitRoutine; /* PPS_POST_PROCESS_INIT_ROUTINE */
192 BYTE Reserved6[128];
193 PVOID Reserved7[1];
194 ULONG SessionId;
195 };
196
197 struct UNICODE_STRING
198 {
199 USHORT Length;
200 USHORT MaximumLength;
201 PWSTR Buffer;
202 };
203
204 struct LDR_MODULE
205 {
206 LIST_ENTRY InLoadOrderModuleList;
207 LIST_ENTRY InMemoryOrderModuleList;
208 LIST_ENTRY InInitializationOrderModuleList;
209 PVOID BaseAddress;
210 PVOID EntryPoint;
211 ULONG SizeOfImage;
212 struct UNICODE_STRING FullDllName;
213 struct UNICODE_STRING BaseDllName;
214 ULONG Flags;
215 SHORT LoadCount;
216 SHORT TlsIndex;
217 LIST_ENTRY HashTableEntry;
218 ULONG TimeDateStamp;
219 };
220
221 enum PROCESSINFOCLASS
222 {
223 ProcessBasicInformation = 0,
224 ProcessDebugPort = 7,
225 ProcessWow64Information = 26,
226 ProcessImageFileName = 27
227 };
228
229 LPCWSTR NTDLL_NAME = L"ntdll.dll";
230 LPCSTR NTQUERYINFO_NAME = "NtQueryInformationProcess";
231
232 HMODULE NtdllMod;
233 HANDLE ThisProcess;
234 NTSTATUS NtCallRet;
235 ULONG BytesReturned;
236
237 //
238 // function pointer to house result from GetProcAddress
239 //
240 NTSTATUS(WINAPI * QueryInfoProcPtr)
241 (HANDLE, enum PROCESSINFOCLASS, PVOID, ULONG, PULONG);
242
243 struct PROCESS_BASIC_INFORMATION BasicInfo;
244 struct PEB * PebPtr;
245
246 /* retrieve pseudo-handle */
247 ThisProcess = GetCurrentProcess();
248
249 //
250 // get address to already loaded module
251 //
252 NtdllMod = LoadLibraryW(NTDLL_NAME);
253
254 //
255 // get pointer to query function
256 //
257 QueryInfoProcPtr =
258 (NTSTATUS(WINAPI *)(HANDLE, enum PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(NtdllMod, NTQUERYINFO_NAME);
259
260 //
261 // call function on self; introspect
262 //
263 NtCallRet = QueryInfoProcPtr(ThisProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), &BytesReturned);
264
265 //
266 // get peb ptr and decode some if its fields
267 //
268 PebPtr = (struct PEB *)BasicInfo.PebBaseAddress;
269
270 return (UINT64)PebPtr;
271
272#endif // SCRIPT_ENGINE_USER_MODE
273
274#ifdef SCRIPT_ENGINE_KERNEL_MODE
275
276 //
277 // PEB doesn't make sense in kernel-mode
278 //
279 return NULL64_ZERO;
280#endif // SCRIPT_ENGINE_KERNEL_MODE
281}
USHORT
unsigned short USHORT
Definition BasicTypes.h:36
_PEB_LDR_DATA
PEB LDR Data.
Definition UserAccess.h:23
_PEB
PEB 64-bit.
Definition UserAccess.h:55
_UNICODE_STRING
Definition casting.cpp:25

◆ ScriptEnginePseudoRegGetPid()

UINT64 ScriptEnginePseudoRegGetPid ( )

Implementation of $pid pseudo-register.

Returns
UINT64
60{
61#ifdef SCRIPT_ENGINE_USER_MODE
62 return (UINT64)GetCurrentProcessId();
63#endif // SCRIPT_ENGINE_USER_MODE
64
65#ifdef SCRIPT_ENGINE_KERNEL_MODE
66 return (UINT64)PsGetCurrentProcessId();
67#endif // SCRIPT_ENGINE_KERNEL_MODE
68}

◆ ScriptEnginePseudoRegGetPname()

CHAR * ScriptEnginePseudoRegGetPname ( )

Implementation of $pname pseudo-register.

Returns
CHAR*
77{
78#ifdef SCRIPT_ENGINE_USER_MODE
79
80 HANDLE Handle = OpenProcess(
81 PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
82 FALSE,
83 GetCurrentProcessId() /* Current process */
84 );
85
86 if (Handle)
87 {
88 CHAR CurrentModulePath[MAX_PATH] = {0};
89 if (GetModuleFileNameEx(Handle, 0, CurrentModulePath, MAX_PATH))
90 {
91 //
92 // At this point, buffer contains the full path to the executable
93 //
94 CloseHandle(Handle);
95 return PathFindFileNameA(CurrentModulePath);
96 }
97 else
98 {
99 //
100 // error might be shown by GetLastError()
101 //
102 CloseHandle(Handle);
103 return NULL;
104 }
105 }
106
107 //
108 // unable to get handle
109 //
110 return NULL;
111
112#endif // SCRIPT_ENGINE_USER_MODE
113
114#ifdef SCRIPT_ENGINE_KERNEL_MODE
115 return CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess());
116#endif // SCRIPT_ENGINE_KERNEL_MODE
117}
CommonGetProcessNameFromProcessControlBlock
PCHAR CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
Get process name by eprocess.
Definition Common.c:48

◆ ScriptEnginePseudoRegGetProc()

UINT64 ScriptEnginePseudoRegGetProc ( )

Implementation of $proc pseudo-register.

Returns
UINT64
126{
127#ifdef SCRIPT_ENGINE_USER_MODE
128 return (UINT64)NULL;
129#endif // SCRIPT_ENGINE_USER_MODE
130
131#ifdef SCRIPT_ENGINE_KERNEL_MODE
132 return (UINT64)PsGetCurrentProcess();
133#endif // SCRIPT_ENGINE_KERNEL_MODE
134}

◆ ScriptEnginePseudoRegGetTeb()

UINT64 ScriptEnginePseudoRegGetTeb ( )

Implementation of $teb pseudo-register.

Returns
UINT64
290{
291#ifdef SCRIPT_ENGINE_USER_MODE
292 return (UINT64)NULL;
293#endif // SCRIPT_ENGINE_USER_MODE
294
295#ifdef SCRIPT_ENGINE_KERNEL_MODE
296 return (UINT64)PsGetCurrentThreadTeb();
297#endif // SCRIPT_ENGINE_KERNEL_MODE
298}

◆ ScriptEnginePseudoRegGetThread()

UINT64 ScriptEnginePseudoRegGetThread ( )

Implementation of $thread pseudo-register.

Returns
UINT64
143{
144#ifdef SCRIPT_ENGINE_USER_MODE
145 return (UINT64)NULL;
146#endif // SCRIPT_ENGINE_USER_MODE
147
148#ifdef SCRIPT_ENGINE_KERNEL_MODE
149 return (UINT64)PsGetCurrentThread();
150#endif // SCRIPT_ENGINE_KERNEL_MODE
151}

◆ ScriptEnginePseudoRegGetTid()

UINT64 ScriptEnginePseudoRegGetTid ( )

Implementation of $tid pseudo-register.

Returns
UINT64
26{
27#ifdef SCRIPT_ENGINE_USER_MODE
28 return (UINT64)GetCurrentThreadId();
29#endif // SCRIPT_ENGINE_USER_MODE
30
31#ifdef SCRIPT_ENGINE_KERNEL_MODE
32 return (UINT64)PsGetCurrentThreadId();
33#endif // SCRIPT_ENGINE_KERNEL_MODE
34}

◆ ScriptEnginePseudoRegGetTime()

UINT64 ScriptEnginePseudoRegGetTime ( )

Implementation of time pseudo-register.

Returns
UINT64
402{
403#ifdef SCRIPT_ENGINE_USER_MODE
404 return NULL;
405#endif // SCRIPT_ENGINE_USER_MODE
406
407#ifdef SCRIPT_ENGINE_KERNEL_MODE
408
409 //
410 // Get the current core's time
411 //
412 return ScriptEngineGetTargetCoreTime();
413#endif // SCRIPT_ENGINE_KERNEL_MODE
414}
ScriptEngineGetTargetCoreTime
UINT64 ScriptEngineGetTargetCoreTime()
Update core's date time and return time.
Definition ScriptEngine.c:87

◆ SetRegValueUsingSymbol()

BOOLEAN SetRegValueUsingSymbol ( PGUEST_REGS GuestRegs,
PSYMBOL Symbol,
UINT64 Value )

Set the register value.

Parameters
GuestRegs
Symbol
Value
Returns
BOOLEAN
1994{
1995 return SetRegValue(GuestRegs, (UINT32)Symbol->Value, Value);
1996}
SetRegValue
BOOLEAN SetRegValue(PGUEST_REGS GuestRegs, UINT32 RegisterId, UINT64 Value)
Set the register value.
Definition Regs.c:963
SYMBOL::Value
long long unsigned Value
Definition ScriptEngineCommonDefinitions.h:10