HyperDbg Debugger
Loading...
Searching...
No Matches
ScriptEngineInternalHeader.h File Reference

Internal Headers of script engine. More...

Go to the source code of this file.

Functions

BOOLEAN SetRegValueUsingSymbol (PGUEST_REGS GuestRegs, PSYMBOL Symbol, UINT64 Value)
 Set the register value.
UINT64 ScriptEnginePseudoRegGetTid ()
 Implementation of $tid pseudo-register.
UINT64 ScriptEnginePseudoRegGetCore ()
 Implementation of $core pseudo-register.
UINT64 ScriptEnginePseudoRegGetPid ()
 Implementation of $pid pseudo-register.
CHARScriptEnginePseudoRegGetPname ()
 Implementation of $pname pseudo-register.
UINT64 ScriptEnginePseudoRegGetProc ()
 Implementation of $proc pseudo-register.
UINT64 ScriptEnginePseudoRegGetThread ()
 Implementation of $thread pseudo-register.
UINT64 ScriptEnginePseudoRegGetPeb ()
 Implementation of $peb pseudo-register.
UINT64 ScriptEnginePseudoRegGetTeb ()
 Implementation of $teb pseudo-register.
UINT64 ScriptEnginePseudoRegGetIp ()
 Implementation of $ip pseudo-register.
UINT64 ScriptEnginePseudoRegGetBuffer (UINT64 *CorrespondingAction)
 Implementation of $buffer pseudo-register.
UINT64 ScriptEnginePseudoRegGetEventTag (PACTION_BUFFER ActionBuffer)
 Implementation of $tag pseudo-register.
UINT64 ScriptEnginePseudoRegGetEventId (PACTION_BUFFER ActionBuffer)
 Implementation of $id pseudo-register.
UINT64 ScriptEnginePseudoRegGetEventStage (PACTION_BUFFER ActionBuffer)
 Implementation of stage pseudo-register.
UINT64 ScriptEnginePseudoRegGetTime ()
 Implementation of time pseudo-register.
UINT64 ScriptEnginePseudoRegGetDate ()
 Implementation of date pseudo-register.
UINT64 ScriptEngineKeywordPoi (PUINT64 Address, BOOL *HasError)
 Implementation of poi keyword.
WORD ScriptEngineKeywordHi (PUINT64 Address, BOOL *HasError)
 Implementation of hi keyword.
WORD ScriptEngineKeywordLow (PUINT64 Address, BOOL *HasError)
 Implementation of low keyword.
BYTE ScriptEngineKeywordDb (PUINT64 Address, BOOL *HasError)
 Implementation of db keyword.
DWORD ScriptEngineKeywordDd (PUINT64 Address, BOOL *HasError)
 Implementation of dd keyword.
WORD ScriptEngineKeywordDw (PUINT64 Address, BOOL *HasError)
 Implementation of dw keyword.
QWORD ScriptEngineKeywordDq (PUINT64 Address, BOOL *HasError)
 Implementation of dq keyword.
UINT64 ScriptEngineKeywordPoiPa (PUINT64 Address, BOOL *HasError)
 Implementation of poi_pa keyword.
WORD ScriptEngineKeywordHiPa (PUINT64 Address, BOOL *HasError)
 Implementation of hi keyword.
WORD ScriptEngineKeywordLowPa (PUINT64 Address, BOOL *HasError)
 Implementation of low keyword.
BYTE ScriptEngineKeywordDbPa (PUINT64 Address, BOOL *HasError)
 Implementation of db keyword.
DWORD ScriptEngineKeywordDdPa (PUINT64 Address, BOOL *HasError)
 Implementation of dd keyword.
WORD ScriptEngineKeywordDwPa (PUINT64 Address, BOOL *HasError)
 Implementation of dw keyword.
QWORD ScriptEngineKeywordDqPa (PUINT64 Address, BOOL *HasError)
 Implementation of dq keyword.
BOOLEAN ScriptEngineFunctionEq (UINT64 Address, QWORD Value, BOOL *HasError)
 Implementation of eq function.
BOOLEAN ScriptEngineFunctionEd (UINT64 Address, DWORD Value, BOOL *HasError)
 Implementation of ed function.
BOOLEAN ScriptEngineFunctionEb (UINT64 Address, BYTE Value, BOOL *HasError)
 Implementation of eb function.
BOOLEAN ScriptEngineFunctionEqPa (UINT64 Address, QWORD Value, BOOL *HasError)
 Implementation of eq function (Physical Memory).
BOOLEAN ScriptEngineFunctionEdPa (UINT64 Address, DWORD Value, BOOL *HasError)
 Implementation of ed function (Physical Memory).
BOOLEAN ScriptEngineFunctionEbPa (UINT64 Address, BYTE Value, BOOL *HasError)
 Implementation of eb function (Physical Memory).
BOOLEAN ScriptEngineFunctionCheckAddress (UINT64 Address, UINT32 Length)
 Check whether the address is valid or not.
VOID ScriptEngineFunctionMemcpy (UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *HasError)
 A VMX-compatible equivalent of memcpy function in C.
VOID ScriptEngineFunctionMemcpyPa (UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *HasError)
 A VMX-compatible equivalent of memcpy function in C for physical memory.
VOID ScriptEngineFunctionPrint (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of print function.
VOID ScriptEngineFunctionTestStatement (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of test_statement function.
VOID ScriptEngineFunctionSpinlockLock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_lock function.
VOID ScriptEngineFunctionSpinlockUnlock (volatile LONG *Lock, BOOL *HasError)
 Implementation of spinlock_unlock function.
VOID ScriptEngineFunctionSpinlockLockCustomWait (volatile long *Lock, unsigned MaxWait, BOOL *HasError)
 Implementation of spinlock_lock_custom_wait function.
UINT64 ScriptEngineFunctionVirtualToPhysical (UINT64 Address)
UINT64 ScriptEngineFunctionPhysicalToVirtual (UINT64 Address)
 Convert physical address to virtual address.
UINT64 ScriptEngineFunctionStrlen (const char *Address)
 Implementation of strlen function.
UINT64 ScriptEngineFunctionDisassembleLen (PVOID Address, BOOLEAN Is32Bit)
 Implementation of disassemble_len function.
UINT64 ScriptEngineFunctionWcslen (const wchar_t *Address)
 Implementation of wcslen function.
VOID ScriptEngineFunctionMicroSleep (UINT64 Us)
 Implementation of microsleep function.
UINT64 ScriptEngineFunctionRdtsc ()
 Implementation of rdtsc function.
UINT64 ScriptEngineFunctionRdtscp ()
 Implementation of rdtscp function.
long long ScriptEngineFunctionInterlockedExchange (long long volatile *Target, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange function.
long long ScriptEngineFunctionInterlockedExchangeAdd (long long volatile *Addend, long long Value, BOOL *HasError)
 Implementation of interlocked_exchange_add function.
long long ScriptEngineFunctionInterlockedIncrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_increment function.
long long ScriptEngineFunctionInterlockedDecrement (long long volatile *Addend, BOOL *HasError)
 Implementation of interlocked_exchange_decrement function.
long long ScriptEngineFunctionInterlockedCompareExchange (long long volatile *Destination, long long ExChange, long long Comperand, BOOL *HasError)
 Implementation of interlocked_compare_exchange function.
VOID ScriptEngineFunctionEventEnable (UINT64 EventId)
 Implementation of event_enable function.
VOID ScriptEngineFunctionEventDisable (UINT64 EventId)
 Implementation of event_disable function.
VOID ScriptEngineFunctionEventClear (UINT64 EventId)
 Implementation of event_clear function.
VOID ScriptEngineFunctionPause (ACTION_BUFFER *ActionDetail, PGUEST_REGS GuestRegs)
 Implementation of pause function.
VOID ScriptEngineFunctionFlush ()
 Implementation of flush function.
VOID ScriptEngineFunctionShortCircuitingEvent (UINT64 State, ACTION_BUFFER *ActionDetail)
 Implementation of event_ignore function.
VOID ScriptEngineFunctionFormats (UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
 Implementation of formats function.
VOID ScriptEngineFunctionPrintf (PGUEST_REGS GuestRegs, ACTION_BUFFER *ActionDetail, SCRIPT_ENGINE_GENERAL_REGISTERS *ScriptGeneralRegisters, UINT64 Tag, BOOLEAN ImmediateMessagePassing, char *Format, UINT64 ArgCount, PSYMBOL FirstArg, BOOLEAN *HasError)
 Implementation of printf function.
VOID ScriptEngineFunctionEventInject (UINT32 InterruptionType, UINT32 Vector, BOOL *HasError)
 Implementation of event_inject function.
VOID ScriptEngineFunctionEventInjectErrorCode (UINT32 InterruptionType, UINT32 Vector, UINT32 ErrorCode, BOOL *HasError)
 Implementation of event_inject_error_code function.
VOID ScriptEngineFunctionEventTraceInstrumentationStep ()
 Implementation of event_trace_instrumentation_step function.
VOID ScriptEngineFunctionEventTraceStepIn ()
 Implementation of event_trace_step_in function.
BOOLEAN ScriptEngineFunctionLbrSave ()
 Implementation of lbr_save function.
BOOLEAN ScriptEngineFunctionLbrPrint ()
 Implementation of lbr_print function.
BOOLEAN ScriptEngineFunctionLbrCheck ()
 Implementation of lbr_check function.
BOOLEAN ScriptEngineFunctionLbrRestore ()
 Implementation of lbr_restore function.
BOOLEAN ScriptEngineFunctionLbrRestoreByFilter (UINT64 FilterOptions)
 Implementation of lbr_restore_by_filter function.
UINT64 ScriptEngineFunctionStrcmp (const char *Address1, const char *Address2)
 Implementation of strcmp function.
UINT64 ScriptEngineFunctionStrncmp (const char *Address1, const char *Address2, size_t Num)
 Implementation of strcmp function.
UINT64 ScriptEngineFunctionWcscmp (const wchar_t *Address1, const wchar_t *Address2)
 Implementation of wcscmp function.
UINT64 ScriptEngineFunctionWcsncmp (const wchar_t *Address1, const wchar_t *Address2, size_t Num)
 Implementation of wcsncmp function.
UINT64 ScriptEngineFunctionMemcmp (const char *Address1, const char *Address2, size_t Count)
 Implementation of memcmp function.

Detailed Description

Internal Headers of script engine.

Author
M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2022-06-29

Function Documentation

◆ ScriptEngineFunctionCheckAddress()

BOOLEAN ScriptEngineFunctionCheckAddress ( UINT64 Address,
UINT32 Length )

Check whether the address is valid or not.

Parameters
Address
Length
Returns
BOOLEAN
291{
292#ifdef SCRIPT_ENGINE_USER_MODE
293
294 if (CheckAccessValidityAndSafety(Address, Length))
295 {
296 return TRUE;
297 }
298
299#endif // SCRIPT_ENGINE_USER_MODE
300
301#ifdef SCRIPT_ENGINE_KERNEL_MODE
302
303 if (CheckAccessValidityAndSafety(Address, Length))
304 {
305 return TRUE;
306 }
307
308#endif // SCRIPT_ENGINE_KERNEL_MODE
309
310 return FALSE;
311}
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
IMPORT_EXPORT_VMM BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:318

◆ ScriptEngineFunctionDisassembleLen()

UINT64 ScriptEngineFunctionDisassembleLen ( PVOID Address,
BOOLEAN Is32Bit )

Implementation of disassemble_len function.

Parameters
Address
Is32Bit
Returns
UINT64
760{
761 UINT64 Result = 0;
762#ifdef SCRIPT_ENGINE_USER_MODE
763 Result = HyperDbgLengthDisassemblerEngine((unsigned char *)Address, MAXIMUM_INSTR_SIZE, Is32Bit ? FALSE : TRUE);
764#endif // SCRIPT_ENGINE_USER_MODE
765
766#ifdef SCRIPT_ENGINE_KERNEL_MODE
768#endif // SCRIPT_ENGINE_KERNEL_MODE
769
770 return Result;
771}
#define MAXIMUM_INSTR_SIZE
maximum instruction size in Intel
Definition Constants.h:470
IMPORT_EXPORT_VMM UINT32 DisassemblerLengthDisassembleEngineInVmxRootOnTargetProcess(PVOID Address, BOOLEAN Is32Bit)
Disassembler length disassembler engine.
Definition Disassembler.c:297
UINT32 HyperDbgLengthDisassemblerEngine(UCHAR *BufferToDisassemble, UINT64 BuffLength, BOOLEAN Isx86_64)
Length Disassembler engine based on Zydis.
Definition disassembler.cpp:856

◆ ScriptEngineFunctionEb()

BOOLEAN ScriptEngineFunctionEb ( UINT64 Address,
BYTE Value,
BOOL * HasError )

Implementation of eb function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
127{
128 UNREFERENCED_PARAMETER(HasError);
129
130#ifdef SCRIPT_ENGINE_KERNEL_MODE
131
132 if (!CheckAccessValidityAndSafety(Address, sizeof(BYTE)))
133 {
134 //
135 // Instead of indicating an error, just return false
136 // to assign it as a return result to a variable
137 //
138 // *HasError = TRUE;
139
140 return FALSE;
141 }
142
143#endif // SCRIPT_ENGINE_KERNEL_MODE
144
145#ifdef SCRIPT_ENGINE_USER_MODE
146 *(BYTE *)Address = Value;
147#endif // SCRIPT_ENGINE_USER_MODE
148
149#ifdef SCRIPT_ENGINE_KERNEL_MODE
151#endif // SCRIPT_ENGINE_KERNEL_MODE
152
153 return TRUE;
154}
unsigned char BYTE
Definition BasicTypes.h:40
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeOnTargetProcess(_Inout_ UINT64 Destination, _In_ PVOID Source, _In_ SIZE_T Size)
RequestedActionOfThePacket Value(0x1) 00000000

◆ ScriptEngineFunctionEbPa()

BOOLEAN ScriptEngineFunctionEbPa ( UINT64 Address,
BYTE Value,
BOOL * HasError )

Implementation of eb function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
250{
251 UNREFERENCED_PARAMETER(HasError);
252
253#ifdef SCRIPT_ENGINE_KERNEL_MODE
254
255 if (!CheckAddressPhysical(Address))
256 {
257 //
258 // Instead of indicating an error, just return false
259 // to assign it as a return result to a variable
260 //
261 // *HasError = TRUE;
262
263 return FALSE;
264 }
265
266#endif // SCRIPT_ENGINE_KERNEL_MODE
267
268#ifdef SCRIPT_ENGINE_USER_MODE
269
270 ShowMessages("err, using physical address functions (eb_pa) is not possible in user-mode\n");
271 return FALSE;
272
273#endif // SCRIPT_ENGINE_USER_MODE
274
275#ifdef SCRIPT_ENGINE_KERNEL_MODE
276 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(BYTE));
277#endif // SCRIPT_ENGINE_KERNEL_MODE
278
279 return TRUE;
280}
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperWriteMemorySafeByPhysicalAddress(_Inout_ UINT64 DestinationPa, _In_ UINT64 Source, _In_ SIZE_T SizeToWrite)
IMPORT_EXPORT_VMM BOOLEAN CheckAddressPhysical(UINT64 PAddr)
Checks if the physical address is correct or not based on physical address width.
Definition AddressCheck.c:120

◆ ScriptEngineFunctionEd()

BOOLEAN ScriptEngineFunctionEd ( UINT64 Address,
DWORD Value,
BOOL * HasError )

Implementation of ed function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
88{
89 UNREFERENCED_PARAMETER(HasError);
90
91#ifdef SCRIPT_ENGINE_KERNEL_MODE
92
93 if (!CheckAccessValidityAndSafety(Address, sizeof(DWORD)))
94 {
95 //
96 // Instead of indicating an error, just return false
97 // to assign it as a return result to a variable
98 //
99 // *HasError = TRUE;
100
101 return FALSE;
102 }
103
104#endif // SCRIPT_ENGINE_KERNEL_MODE
105
106#ifdef SCRIPT_ENGINE_USER_MODE
107 *(DWORD *)Address = Value;
108#endif // SCRIPT_ENGINE_USER_MODE
109
110#ifdef SCRIPT_ENGINE_KERNEL_MODE
112#endif // SCRIPT_ENGINE_KERNEL_MODE
113
114 return TRUE;
115}
unsigned long DWORD
Definition BasicTypes.h:38

◆ ScriptEngineFunctionEdPa()

BOOLEAN ScriptEngineFunctionEdPa ( UINT64 Address,
DWORD Value,
BOOL * HasError )

Implementation of ed function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
208{
209 UNREFERENCED_PARAMETER(HasError);
210
211#ifdef SCRIPT_ENGINE_KERNEL_MODE
212
213 if (!CheckAddressPhysical(Address))
214 {
215 //
216 // Instead of indicating an error, just return false
217 // to assign it as a return result to a variable
218 //
219 // *HasError = TRUE;
220
221 return FALSE;
222 }
223
224#endif // SCRIPT_ENGINE_KERNEL_MODE
225
226#ifdef SCRIPT_ENGINE_USER_MODE
227
228 ShowMessages("err, using physical address functions (ed_pa) is not possible in user-mode\n");
229 return FALSE;
230
231#endif // SCRIPT_ENGINE_USER_MODE
232
233#ifdef SCRIPT_ENGINE_KERNEL_MODE
234 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(DWORD));
235#endif // SCRIPT_ENGINE_KERNEL_MODE
236
237 return TRUE;
238}

◆ ScriptEngineFunctionEq()

BOOLEAN ScriptEngineFunctionEq ( UINT64 Address,
QWORD Value,
BOOL * HasError )

Implementation of eq function.

Parameters
Address
Value
HasError
Returns
BOOLEAN
49{
50 UNREFERENCED_PARAMETER(HasError);
51
52#ifdef SCRIPT_ENGINE_KERNEL_MODE
53
54 if (!CheckAccessValidityAndSafety(Address, sizeof(QWORD)))
55 {
56 //
57 // Instead of indicating an error, just return false
58 // to assign it as a return result to a variable
59 //
60 // *HasError = TRUE;
61
62 return FALSE;
63 }
64
65#endif // SCRIPT_ENGINE_KERNEL_MODE
66
67#ifdef SCRIPT_ENGINE_USER_MODE
68 *(UINT64 *)Address = Value;
69#endif // SCRIPT_ENGINE_USER_MODE
70
71#ifdef SCRIPT_ENGINE_KERNEL_MODE
73#endif // SCRIPT_ENGINE_KERNEL_MODE
74
75 return TRUE;
76}
unsigned long long QWORD
Definition BasicTypes.h:24

◆ ScriptEngineFunctionEqPa()

BOOLEAN ScriptEngineFunctionEqPa ( UINT64 Address,
QWORD Value,
BOOL * HasError )

Implementation of eq function (Physical Memory).

Parameters
Address
Value
HasError
Returns
BOOLEAN
166{
167 UNREFERENCED_PARAMETER(HasError);
168
169#ifdef SCRIPT_ENGINE_KERNEL_MODE
170
171 if (!CheckAddressPhysical(Address))
172 {
173 //
174 // Instead of indicating an error, just return false
175 // to assign it as a return result to a variable
176 //
177 // *HasError = TRUE;
178
179 return FALSE;
180 }
181
182#endif // SCRIPT_ENGINE_KERNEL_MODE
183
184#ifdef SCRIPT_ENGINE_USER_MODE
185
186 ShowMessages("err, using physical address functions (eq_pa) is not possible in user-mode\n");
187 return FALSE;
188
189#endif // SCRIPT_ENGINE_USER_MODE
190
191#ifdef SCRIPT_ENGINE_KERNEL_MODE
192 MemoryMapperWriteMemorySafeByPhysicalAddress(Address, (UINT64)&Value, sizeof(QWORD));
193#endif // SCRIPT_ENGINE_KERNEL_MODE
194
195 return TRUE;
196}

◆ ScriptEngineFunctionEventClear()

VOID ScriptEngineFunctionEventClear ( UINT64 EventId)

Implementation of event_clear function.

Parameters
EventId
Returns
VOID
1059{
1060#ifdef SCRIPT_ENGINE_USER_MODE
1061 ShowMessages("err, disabling events is not possible in user-mode\n");
1062#endif // SCRIPT_ENGINE_USER_MODE
1063
1064#ifdef SCRIPT_ENGINE_KERNEL_MODE
1065
1066 BOOLEAN PoolManagerAllocatedMemory = FALSE;
1067
1069 {
1070 PoolManagerAllocatedMemory = TRUE;
1071 }
1072
1073 if (!DebuggerClearEvent(EventId + DebuggerEventTagStartSeed, VmFuncVmxGetCurrentExecutionMode(), PoolManagerAllocatedMemory))
1074 {
1075 LogInfo("Invalid tag id (%x)", EventId);
1076 }
1077#endif // SCRIPT_ENGINE_KERNEL_MODE
1078}
#define EnableInstantEventMechanism
Enable or disable the instant event mechanism.
Definition Configuration.h:70
BOOLEAN DebuggerClearEvent(UINT64 Tag, BOOLEAN InputFromVmxRoot, BOOLEAN PoolManagerAllocatedMemory)
Clear an event by tag.
Definition Debugger.c:2434
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define DebuggerEventTagStartSeed
The seeds that user-mode codes use as the starter of their events' tag.
Definition Constants.h:230
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
IMPORT_EXPORT_VMM BOOLEAN VmFuncVmxGetCurrentExecutionMode()
Get the current VMX operation state.
Definition Export.c:802
BOOLEAN g_KernelDebuggerState
shows whether the kernel debugger is enabled or disabled
Definition Global.h:151

◆ ScriptEngineFunctionEventDisable()

VOID ScriptEngineFunctionEventDisable ( UINT64 EventId)

Implementation of event_disable function.

Parameters
EventId
Returns
VOID
1037{
1038#ifdef SCRIPT_ENGINE_USER_MODE
1039 ShowMessages("err, disabling events is not possible in user-mode\n");
1040#endif // SCRIPT_ENGINE_USER_MODE
1041
1042#ifdef SCRIPT_ENGINE_KERNEL_MODE
1044 {
1045 LogInfo("Invalid tag id (%x)", EventId);
1046 }
1047#endif // SCRIPT_ENGINE_KERNEL_MODE
1048}
BOOLEAN DebuggerDisableEvent(UINT64 Tag)
Disable an event by tag.
Definition Debugger.c:2397

◆ ScriptEngineFunctionEventEnable()

VOID ScriptEngineFunctionEventEnable ( UINT64 EventId)

Implementation of event_enable function.

Parameters
EventId
Returns
VOID
1015{
1016#ifdef SCRIPT_ENGINE_USER_MODE
1017 ShowMessages("err, enabling events is not possible in user-mode\n");
1018#endif // SCRIPT_ENGINE_USER_MODE
1019
1020#ifdef SCRIPT_ENGINE_KERNEL_MODE
1022 {
1023 LogInfo("Invalid tag id (%x)", EventId);
1024 }
1025#endif // SCRIPT_ENGINE_KERNEL_MODE
1026}
BOOLEAN DebuggerEnableEvent(UINT64 Tag)
Enable an event by tag.
Definition Debugger.c:2336

◆ ScriptEngineFunctionEventInject()

VOID ScriptEngineFunctionEventInject ( UINT32 InterruptionType,
UINT32 Vector,
BOOL * HasError )

Implementation of event_inject function.

Parameters
InterruptionType
Vector
HasError
Returns
VOID
1799{
1800 UNREFERENCED_PARAMETER(HasError);
1801
1802#ifdef SCRIPT_ENGINE_USER_MODE
1803
1804 ShowMessages("err, event_inject is not supported in user-mode\n");
1805
1806#endif // SCRIPT_ENGINE_USER_MODE
1807
1808#ifdef SCRIPT_ENGINE_KERNEL_MODE
1809
1810 //
1811 // Validate the arguments
1812 //
1813 if (Vector >= 256 || InterruptionType >= 8)
1814 {
1815 LogInfo("Err, invalid event vector or interruption type is specified");
1816 return;
1817 }
1818 else
1819 {
1820 VmFuncEventInjectInterruption(InterruptionType, Vector, FALSE, 0);
1821 }
1822
1823#endif // SCRIPT_ENGINE_KERNEL_MODE
1824}
IMPORT_EXPORT_VMM VOID VmFuncEventInjectInterruption(UINT32 InterruptionType, UINT32 Vector, BOOLEAN DeliverErrorCode, UINT32 ErrorCode)
Inject interrupt/faults/exceptions.
Definition Export.c:936

◆ ScriptEngineFunctionEventInjectErrorCode()

VOID ScriptEngineFunctionEventInjectErrorCode ( UINT32 InterruptionType,
UINT32 Vector,
UINT32 ErrorCode,
BOOL * HasError )

Implementation of event_inject_error_code function.

Parameters
InterruptionType
Vector
ErrorCode
HasError
Returns
VOID
1837{
1838 UNREFERENCED_PARAMETER(HasError);
1839
1840#ifdef SCRIPT_ENGINE_USER_MODE
1841
1842 ShowMessages("err, event_inject is not supported in user-mode\n");
1843
1844#endif // SCRIPT_ENGINE_USER_MODE
1845
1846#ifdef SCRIPT_ENGINE_KERNEL_MODE
1847
1848 //
1849 // Validate the arguments
1850 //
1851 if (Vector >= 256 || InterruptionType >= 8)
1852 {
1853 LogInfo("Err, invalid event vector or interruption type is specified");
1854 return;
1855 }
1856 else
1857 {
1858 VmFuncEventInjectInterruption(InterruptionType, Vector, TRUE, ErrorCode);
1859 }
1860
1861#endif // SCRIPT_ENGINE_KERNEL_MODE
1862}

◆ ScriptEngineFunctionEventTraceInstrumentationStep()

VOID ScriptEngineFunctionEventTraceInstrumentationStep ( )

Implementation of event_trace_instrumentation_step function.

Returns
VOID
1988{
1989#ifdef SCRIPT_ENGINE_USER_MODE
1990 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
1991#endif // SCRIPT_ENGINE_USER_MODE
1992
1993#ifdef SCRIPT_ENGINE_KERNEL_MODE
1994
1995 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1996
1997 //
1998 // Call instrumentation step in
1999 //
2001
2002#endif // SCRIPT_ENGINE_KERNEL_MODE
2003}
VOID TracingPerformInstrumentationStepIn(PROCESSOR_DEBUGGING_STATE *DbgState)
Perform tracing of instructions (instrumentation step-in).
Definition Tracing.c:22
unsigned long ULONG
Definition BasicTypes.h:31
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17

◆ ScriptEngineFunctionEventTraceStepIn()

VOID ScriptEngineFunctionEventTraceStepIn ( )

Implementation of event_trace_step_in function.

Returns
VOID
2012{
2013#ifdef SCRIPT_ENGINE_USER_MODE
2014 ShowMessages("err, it's not possible to call event_trace_instrumentation_step function in the user-mode\n");
2015#endif // SCRIPT_ENGINE_USER_MODE
2016
2017#ifdef SCRIPT_ENGINE_KERNEL_MODE
2018
2019 //
2020 // Call instrumentation step in
2021 //
2023
2024#endif // SCRIPT_ENGINE_KERNEL_MODE
2025}
VOID TracingPerformRegularStepInInstruction()
Regular step-in, step one instruction to the debuggee.
Definition Tracing.c:135

◆ ScriptEngineFunctionFlush()

VOID ScriptEngineFunctionFlush ( )

Implementation of flush function.

Returns
VOID
1164{
1165#ifdef SCRIPT_ENGINE_USER_MODE
1166 ShowMessages("err, it's not possible to flush buffers in user-mode\n");
1167#endif // SCRIPT_ENGINE_USER_MODE
1168
1169#ifdef SCRIPT_ENGINE_KERNEL_MODE
1170
1171 //
1172 // Mark all buffers as read
1173 //
1176
1177#endif // SCRIPT_ENGINE_KERNEL_MODE
1178}
IMPORT_EXPORT_HYPERLOG UINT32 LogMarkAllAsRead(BOOLEAN IsVmxRoot)
Mark all buffers as read.
Definition Logging.c:569

◆ ScriptEngineFunctionFormats()

VOID ScriptEngineFunctionFormats ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of formats function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
1227{
1228#ifdef SCRIPT_ENGINE_USER_MODE
1229
1230 ScriptEngineFunctionTestStatement(Tag, ImmediateMessagePassing, Value);
1231
1232#endif // SCRIPT_ENGINE_USER_MODE
1233
1234#ifdef SCRIPT_ENGINE_KERNEL_MODE
1236 {
1238 }
1239 else if (g_UserDebuggerState)
1240 {
1242 }
1243 else
1244 {
1245 //
1246 // Prepare a buffer to bypass allocating a huge stack space for logging
1247 //
1248 char TempBuffer[20] = {0};
1249 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx\n", Value);
1250
1251 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
1252 }
1253#endif // SCRIPT_ENGINE_KERNEL_MODE
1254}
VOID ScriptEngineFunctionTestStatement(UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
Implementation of test_statement function.
Definition Functions.c:627
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:89
VOID KdSendFormatsFunctionResult(UINT64 Value)
Send the result of formats command to the kernel debugger.
Definition Kd.c:863
VOID UdSendFormatsFunctionResult(UINT64 Value)
Send the result of formats command to the user debugger.
Definition Ud.c:195
unsigned int UINT32
Definition BasicTypes.h:54
#define LogSimpleWithTag(tag, isimmdte, buffer, len)
Log without any prefix and bypass the stack problem (getting two temporary stacks in preparing phase)...
Definition HyperDbgHyperLogIntrinsics.h:142
BOOLEAN g_UserDebuggerState
shows whether the user debugger is enabled or disabled
Definition Global.h:157

◆ ScriptEngineFunctionInterlockedCompareExchange()

long long ScriptEngineFunctionInterlockedCompareExchange ( long long volatile * Destination,
long long ExChange,
long long Comperand,
BOOL * HasError )

Implementation of interlocked_compare_exchange function.

Parameters
Destination
ExChange
Comperand
HasError
Returns
long long
988{
989 long long Result = 0;
990
991#ifdef SCRIPT_ENGINE_KERNEL_MODE
992
993 if (!CheckAccessValidityAndSafety((UINT64)Destination, sizeof(long long)))
994 {
995 *HasError = TRUE;
996 return (long long)NULL;
997 }
998
999#endif // SCRIPT_ENGINE_KERNEL_MODE
1000
1001 Result = CpuInterlockedCompareExchange64(Destination, ExChange, Comperand);
1002
1003 return Result;
1004}
INT64 CpuInterlockedCompareExchange64(INT64 volatile *Destination, INT64 ExChange, INT64 Comparand)
Atomic 64-bit compare-exchange.
Definition PlatformIntrinsics.c:396
NULL()
Definition test-case-generator.py:530

◆ ScriptEngineFunctionInterlockedDecrement()

long long ScriptEngineFunctionInterlockedDecrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_decrement function.

Parameters
Addend
HasError
Returns
long long
955{
956 long long Result = 0;
957
958#ifdef SCRIPT_ENGINE_KERNEL_MODE
959
960 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
961 {
962 *HasError = TRUE;
963 return (long long)NULL;
964 }
965
966#endif // SCRIPT_ENGINE_KERNEL_MODE
967
968 Result = CpuInterlockedDecrement64(Addend);
969
970 return Result;
971}
INT64 CpuInterlockedDecrement64(INT64 volatile *Addend)
Atomic 64-bit decrement.
Definition PlatformIntrinsics.c:381

◆ ScriptEngineFunctionInterlockedExchange()

long long ScriptEngineFunctionInterlockedExchange ( long long volatile * Target,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange function.

Parameters
Target
Value
HasError
Returns
long long
869{
870 long long Result = 0;
871
872#ifdef SCRIPT_ENGINE_KERNEL_MODE
873
874 if (!CheckAccessValidityAndSafety((UINT64)Target, sizeof(long long)))
875 {
876 *HasError = TRUE;
877 return (long long)NULL;
878 }
879
880#endif // SCRIPT_ENGINE_KERNEL_MODE
881
882 Result = CpuInterlockedExchange64(Target, Value);
883
884 return Result;
885}
INT64 CpuInterlockedExchange64(INT64 volatile *Target, INT64 Value)
Atomic 64-bit exchange.
Definition PlatformIntrinsics.c:336

◆ ScriptEngineFunctionInterlockedExchangeAdd()

long long ScriptEngineFunctionInterlockedExchangeAdd ( long long volatile * Addend,
long long Value,
BOOL * HasError )

Implementation of interlocked_exchange_add function.

Parameters
Addend
Value
HasError
Returns
long long
899{
900 long long Result = 0;
901
902#ifdef SCRIPT_ENGINE_KERNEL_MODE
903
904 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
905 {
906 *HasError = TRUE;
907 return (long long)NULL;
908 }
909
910#endif // SCRIPT_ENGINE_KERNEL_MODE
911
912 Result = CpuInterlockedExchangeAdd64(Addend, Value);
913
914 return Result;
915}
INT64 CpuInterlockedExchangeAdd64(INT64 volatile *Addend, INT64 Value)
Atomic 64-bit exchange-add.
Definition PlatformIntrinsics.c:351

◆ ScriptEngineFunctionInterlockedIncrement()

long long ScriptEngineFunctionInterlockedIncrement ( long long volatile * Addend,
BOOL * HasError )

Implementation of interlocked_exchange_increment function.

Parameters
Addend
HasError
Returns
long long
927{
928 long long Result = 0;
929
930#ifdef SCRIPT_ENGINE_KERNEL_MODE
931
932 if (!CheckAccessValidityAndSafety((UINT64)Addend, sizeof(long long)))
933 {
934 *HasError = TRUE;
935 return (long long)NULL;
936 }
937
938#endif // SCRIPT_ENGINE_KERNEL_MODE
939
940 Result = CpuInterlockedIncrement64(Addend);
941
942 return Result;
943}
INT64 CpuInterlockedIncrement64(INT64 volatile *Addend)
Atomic 64-bit increment.
Definition PlatformIntrinsics.c:366

◆ ScriptEngineFunctionLbrCheck()

BOOLEAN ScriptEngineFunctionLbrCheck ( )

Implementation of lbr_check function.

Returns
BOOLEAN
2080{
2081#ifdef SCRIPT_ENGINE_USER_MODE
2082 ShowMessages("err, it's not possible to call lbr_check function in the user-mode\n");
2083 return FALSE;
2084#endif // SCRIPT_ENGINE_USER_MODE
2085
2086#ifdef SCRIPT_ENGINE_KERNEL_MODE
2087
2088 return HyperTraceLbrCheck();
2089
2090#endif // SCRIPT_ENGINE_KERNEL_MODE
2091}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrCheck()
Check if LBR is supported and enabled on the current core.
Definition LbrApi.c:104

◆ ScriptEngineFunctionLbrPrint()

BOOLEAN ScriptEngineFunctionLbrPrint ( )

Implementation of lbr_print function.

Returns
BOOLEAN
2057{
2058#ifdef SCRIPT_ENGINE_USER_MODE
2059 ShowMessages("err, it's not possible to call lbr_print function in the user-mode\n");
2060 return FALSE;
2061#endif // SCRIPT_ENGINE_USER_MODE
2062
2063#ifdef SCRIPT_ENGINE_KERNEL_MODE
2064
2065 //
2066 // Depending if we are in VMX-root then a VMCALL is issued by default instead, otherwise the VMCALL is ignored
2067 //
2068 return HyperTraceLbrPrint(NULL);
2069
2070#endif // SCRIPT_ENGINE_KERNEL_MODE
2071}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrPrint(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Print LBR tracing for HyperTrace.
Definition LbrApi.c:386

◆ ScriptEngineFunctionLbrRestore()

BOOLEAN ScriptEngineFunctionLbrRestore ( )

Implementation of lbr_restore function.

Returns
BOOLEAN
2100{
2101#ifdef SCRIPT_ENGINE_USER_MODE
2102 ShowMessages("err, it's not possible to call lbr_restore function in the user-mode\n");
2103 return FALSE;
2104#endif // SCRIPT_ENGINE_USER_MODE
2105
2106#ifdef SCRIPT_ENGINE_KERNEL_MODE
2107
2108 return HyperTraceLbrRestore();
2109
2110#endif // SCRIPT_ENGINE_KERNEL_MODE
2111}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestore()
Restore (re-enable) LBR collection on the current core with previous filter options.
Definition LbrApi.c:143

◆ ScriptEngineFunctionLbrRestoreByFilter()

BOOLEAN ScriptEngineFunctionLbrRestoreByFilter ( UINT64 FilterOptions)

Implementation of lbr_restore_by_filter function.

Returns
BOOLEAN
2120{
2121#ifdef SCRIPT_ENGINE_USER_MODE
2122 ShowMessages("err, it's not possible to call lbr_restore_by_filter function in the user-mode\n");
2123 return FALSE;
2124#endif // SCRIPT_ENGINE_USER_MODE
2125
2126#ifdef SCRIPT_ENGINE_KERNEL_MODE
2127
2128 return HyperTraceLbrRestoreByFilter(FilterOptions);
2129
2130#endif // SCRIPT_ENGINE_KERNEL_MODE
2131}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrRestoreByFilter(UINT64 FilterOptions)
Restore (re-enable) LBR collection on the current core with the specified filter options.
Definition LbrApi.c:124

◆ ScriptEngineFunctionLbrSave()

BOOLEAN ScriptEngineFunctionLbrSave ( )

Implementation of lbr_save function.

Returns
BOOLEAN
2034{
2035#ifdef SCRIPT_ENGINE_USER_MODE
2036 ShowMessages("err, it's not possible to call lbr_save function in the user-mode\n");
2037 return FALSE;
2038#endif // SCRIPT_ENGINE_USER_MODE
2039
2040#ifdef SCRIPT_ENGINE_KERNEL_MODE
2041
2042 //
2043 // Depending if we are in VMX-root then a VMCALL is issued by default instead, otherwise the VMCALL is ignored
2044 //
2045 return HyperTraceLbrSave(NULL);
2046
2047#endif // SCRIPT_ENGINE_KERNEL_MODE
2048}
IMPORT_EXPORT_HYPERTRACE BOOLEAN HyperTraceLbrSave(HYPERTRACE_LBR_OPERATION_PACKETS *HyperTraceOperationRequest)
Save LBR tracing for HyperTrace.
Definition LbrApi.c:352

◆ ScriptEngineFunctionMemcmp()

UINT64 ScriptEngineFunctionMemcmp ( const char * Address1,
const char * Address2,
size_t Count )

Implementation of memcmp function.

Parameters
Address1
Address2
Count
Returns
UINT64
1968{
1969 UINT64 Result = 0;
1970#ifdef SCRIPT_ENGINE_USER_MODE
1971 Result = memcmp(Address1, Address2, Count);
1972#endif // SCRIPT_ENGINE_USER_MODE
1973
1974#ifdef SCRIPT_ENGINE_KERNEL_MODE
1975 Result = VmFuncVmxCompatibleMemcmp(Address1, Address2, Count);
1976#endif // SCRIPT_ENGINE_KERNEL_MODE
1977
1978 return Result;
1979}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleMemcmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Count)
VMX-root compatible memcmp.
Definition Export.c:1061

◆ ScriptEngineFunctionMemcpy()

VOID ScriptEngineFunctionMemcpy ( UINT64 Destination,
UINT64 Source,
UINT32 Num,
BOOL * HasError )

A VMX-compatible equivalent of memcpy function in C.

Parameters
Destination
Source
Num
HasError
Returns
VOID
324{
325 UINT64 PrevReadLen = 0;
327
328 //
329 // Reject zero-length copies: a Num of 0 would pass address-range
330 // validation vacuously (checking 0 bytes at any mapped page succeeds),
331 // which could be abused as a kernel address-mapping oracle.
332 //
333 if (Num == 0)
334 {
335 *HasError = TRUE;
336 return;
337 }
338
339#ifdef SCRIPT_ENGINE_USER_MODE
340
341 //
342 // Check the destination address
343 //
344 if (!CheckAccessValidityAndSafety(Destination, Num))
345 {
346 *HasError = TRUE;
347 return;
348 }
349
350 //
351 // Check the source address
352 //
353 if (!CheckAccessValidityAndSafety(Source, Num))
354 {
355 *HasError = TRUE;
356 return;
357 }
358
359 //
360 // Address is valid, perform the memcpy in user-mode
361 //
362 memcpy((void *)Destination, (void *)Source, Num);
363
364#endif // SCRIPT_ENGINE_USER_MODE
365
366#ifdef SCRIPT_ENGINE_KERNEL_MODE
367
368 //
369 // Check the destination address
370 //
371 if (!CheckAccessValidityAndSafety(Destination, Num))
372 {
373 *HasError = TRUE;
374 return;
375 }
376
377 //
378 // Check the source address
379 //
380 if (!CheckAccessValidityAndSafety(Source, Num))
381 {
382 *HasError = TRUE;
383 return;
384 }
385
386 //
387 // Address is valid, perform the memcpy in kernel-mode (VMX-root mode)
388 //
389 while (Num > 0)
390 {
391 //
392 // Check the target buffer size
393 //
395 {
396 //
397 // *** The size of read buffer is greater to maximum the moving buffer size ***
398 //
399
400 //
401 // Read memory into the buffer
402 //
404
405 //
406 // Write the moving buffer into the target buffer
407 //
409
410 //
411 // Computing the bytes that we read
412 //
415 }
416 else
417 {
418 //
419 // *** The size of read buffer is lower than or equal to the moving buffer size ***
420 //
421
422 //
423 // Read memory into the buffer
424 //
425 MemoryMapperReadMemorySafeOnTargetProcess(Source + PrevReadLen, MovingBuffer, Num);
426
427 //
428 // Write the moving buffer into the target buffer
429 //
430 MemoryMapperWriteMemorySafeOnTargetProcess(Destination + PrevReadLen, MovingBuffer, Num);
431
432 //
433 // Computing the bytes that we gonna read
434 //
435 PrevReadLen += Num;
436 Num = 0; // or Num -= Num;
437 }
438 }
439
440#endif // SCRIPT_ENGINE_KERNEL_MODE
441}
#define DebuggerScriptEngineMemcpyMovingBufferSize
The size of each chunk of memory used in the 'memcpy' function of the script engine for transferring ...
Definition Constants.h:258
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(_In_ UINT64 VaAddressToRead, _Inout_ PVOID BufferToSaveMemory, _In_ SIZE_T SizeToRead)
@ Num
Definition commands.h:167

◆ ScriptEngineFunctionMemcpyPa()

VOID ScriptEngineFunctionMemcpyPa ( UINT64 Destination,
UINT64 Source,
UINT32 Num,
BOOL * HasError )

A VMX-compatible equivalent of memcpy function in C for physical memory.

Parameters
Destination
Source
Num
HasError
Returns
VOID
454{
455 UINT64 PrevReadLen = 0;
457
458#ifdef SCRIPT_ENGINE_USER_MODE
459
460 //
461 // Show an error message in user-mode
462 //
463 ShowMessages("err, using physical address functions (memcpy_pa) is not possible in user-mode\n");
464 return;
465
466#endif // SCRIPT_ENGINE_USER_MODE
467
468#ifdef SCRIPT_ENGINE_KERNEL_MODE
469
470 //
471 // Check the destination address (physical)
472 //
473 if (!CheckAddressPhysical(Destination))
474 {
475 *HasError = TRUE;
476 return;
477 }
478
479 //
480 // Check the source address (physical)
481 //
482 if (!CheckAddressPhysical(Source))
483 {
484 *HasError = TRUE;
485 return;
486 }
487
488 //
489 // Address is valid, perform the memcpy in kernel-mode (VMX-root mode)
490 //
491 while (Num > 0)
492 {
493 //
494 // Check the target buffer size
495 //
497 {
498 //
499 // *** The size of read buffer is greater to maximum the moving buffer size ***
500 //
501
502 //
503 // Read memory into the buffer
504 //
506
507 //
508 // Write the moving buffer into the target buffer
509 //
511
512 //
513 // Computing the bytes that we read
514 //
517 }
518 else
519 {
520 //
521 // *** The size of read buffer is lower than or equal to the moving buffer size ***
522 //
523
524 //
525 // Read memory into the buffer
526 //
527 MemoryMapperReadMemorySafeByPhysicalAddress(Source + PrevReadLen, (UINT64)MovingBuffer, Num);
528
529 //
530 // Write the moving buffer into the target buffer
531 //
532 MemoryMapperWriteMemorySafeByPhysicalAddress(Destination + PrevReadLen, (UINT64)MovingBuffer, Num);
533
534 //
535 // Computing the bytes that we gonna read
536 //
537 PrevReadLen += Num;
538 Num = 0; // or Num -= Num;
539 }
540 }
541
542#endif // SCRIPT_ENGINE_KERNEL_MODE
543}
IMPORT_EXPORT_VMM BOOLEAN MemoryMapperReadMemorySafeByPhysicalAddress(_In_ UINT64 PaAddressToRead, _Inout_ UINT64 BufferToSaveMemory, _In_ SIZE_T SizeToRead)

◆ ScriptEngineFunctionMicroSleep()

VOID ScriptEngineFunctionMicroSleep ( UINT64 Us)

Implementation of microsleep function.

Parameters
Usdelay in micro second
826{
827#ifdef SCRIPT_ENGINE_USER_MODE
828 UserModeMicroSleep(Us);
829#endif
830
831#ifdef SCRIPT_ENGINE_KERNEL_MODE
833#endif
834}
IMPORT_EXPORT_VMM VOID VmFuncVmxCompatibleMicroSleep(UINT64 us)
VMX-root compatible micro sleep.
Definition Export.c:885

◆ ScriptEngineFunctionPause()

VOID ScriptEngineFunctionPause ( ACTION_BUFFER * ActionDetail,
PGUEST_REGS GuestRegs )

Implementation of pause function.

Parameters
ActionDetail
GuestRegs
Returns
VOID
1092{
1093#ifdef SCRIPT_ENGINE_USER_MODE
1094 ShowMessages("err, breaking is not possible in user-mode\n");
1095#endif // SCRIPT_ENGINE_USER_MODE
1096
1097#ifdef SCRIPT_ENGINE_KERNEL_MODE
1098
1099 //
1100 // pause(); function is only working when kernel debugger is working
1101 // it's not designed to work on vmi-mode (local debugging)
1102 //
1104 {
1105 DEBUGGER_TRIGGERED_EVENT_DETAILS TriggeredEventDetail = {0};
1106 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1107
1108 //
1109 // Make the details of context
1110 //
1111 TriggeredEventDetail.Tag = ActionDetail->Tag;
1112 TriggeredEventDetail.Context = (PVOID)ActionDetail->Context;
1113
1114 if (ActionDetail->CallingStage == 1)
1115 {
1116 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION;
1117 }
1118 else
1119 {
1120 TriggeredEventDetail.Stage = VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION;
1121 }
1122
1124 {
1125 //
1126 // The guest is already in vmx-root mode
1127 // Halt other cores
1128 //
1129
1131 CurrentCore,
1133 &TriggeredEventDetail);
1134 }
1135 else
1136 {
1137 //
1138 // The guest is on vmx non-root mode, the first parameter
1139 // is context and the second parameter is tag
1140 //
1142 (UINT64)&TriggeredEventDetail,
1143 (UINT64)GuestRegs,
1144 (UINT64)NULL);
1145 }
1146 }
1147 else
1148 {
1149 LogInfo("The 'pause();' function is either called from the vmi-mode or is "
1150 "evaluated by the '?' command. It's not allowed to use it on vmi-mode "
1151 "(local debugging) or by the '?' command");
1152 }
1153
1154#endif // SCRIPT_ENGINE_KERNEL_MODE
1155}
#define DEBUGGER_VMCALL_VM_EXIT_HALT_SYSTEM_AS_A_RESULT_OF_TRIGGERING_EVENT
VMCALL to cause vm-exit and halt the system because of triggering an event.
Definition DebuggerVmcalls.h:29
_Use_decl_annotations_ VOID KdHandleBreakpointAndDebugBreakpointsCallback(UINT32 CoreId, DEBUGGEE_PAUSING_REASON Reason, PDEBUGGER_TRIGGERED_EVENT_DETAILS EventDetails)
Handle DBs and BPs for kernel debugger.
Definition Kd.c:1087
void * PVOID
Definition BasicTypes.h:56
@ DEBUGGEE_PAUSING_REASON_DEBUGGEE_EVENT_TRIGGERED
Definition Connection.h:35
@ DEBUGGEE_PAUSING_REASON_NOT_PAUSED
Definition Connection.h:24
struct _DEBUGGER_TRIGGERED_EVENT_DETAILS DEBUGGER_TRIGGERED_EVENT_DETAILS
The structure of detail of a triggered event in HyperDbg.
@ VMM_CALLBACK_CALLING_STAGE_PRE_EVENT_EMULATION
Definition DataTypes.h:126
@ VMM_CALLBACK_CALLING_STAGE_POST_EVENT_EMULATION
Definition DataTypes.h:127
IMPORT_EXPORT_VMM NTSTATUS VmFuncVmxVmcall(UINT64 VmcallNumber, UINT64 OptionalParam1, UINT64 OptionalParam2, UINT64 OptionalParam3)
Export for running VMX VMCALLs.
Definition Export.c:957
DEBUGGEE_PAUSING_REASON g_DebuggeeHaltReason
Reason that the debuggee is halted.
Definition Global.h:175
UINT64 Tag
Definition DataTypes.h:226
PVOID Context
Definition DataTypes.h:227
long long unsigned Context
Definition ScriptEngineCommonDefinitions.h:39
long long unsigned Tag
Definition ScriptEngineCommonDefinitions.h:36
char CallingStage
Definition ScriptEngineCommonDefinitions.h:40

◆ ScriptEngineFunctionPhysicalToVirtual()

UINT64 ScriptEngineFunctionPhysicalToVirtual ( UINT64 Address)

Convert physical address to virtual address.

Parameters
Address
Returns
UINT64
574{
575#ifdef SCRIPT_ENGINE_USER_MODE
576
577 //
578 // There is no conversion in user-mode
579 //
580 return NULL;
581#endif // SCRIPT_ENGINE_USER_MODE
582
583#ifdef SCRIPT_ENGINE_KERNEL_MODE
584
586
587#endif // SCRIPT_ENGINE_KERNEL_MODE
588}
IMPORT_EXPORT_VMM UINT64 PhysicalAddressToVirtualAddressOnTargetProcess(_In_ PVOID PhysicalAddress)

◆ ScriptEngineFunctionPrint()

VOID ScriptEngineFunctionPrint ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of print function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
600{
601#ifdef SCRIPT_ENGINE_USER_MODE
602 ShowMessages("%llx\n", Value);
603#endif // SCRIPT_ENGINE_USER_MODE
604
605#ifdef SCRIPT_ENGINE_KERNEL_MODE
606
607 //
608 // Prepare a buffer to bypass allocating a huge stack space for logging
609 //
610 char TempBuffer[20] = {0};
611 UINT32 TempBufferLen = sprintf(TempBuffer, "%llx\n", Value);
612
613 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
614
615#endif // SCRIPT_ENGINE_KERNEL_MODE
616}

◆ ScriptEngineFunctionPrintf()

VOID ScriptEngineFunctionPrintf ( PGUEST_REGS GuestRegs,
ACTION_BUFFER * ActionDetail,
SCRIPT_ENGINE_GENERAL_REGISTERS * ScriptGeneralRegisters,
UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
char * Format,
UINT64 ArgCount,
PSYMBOL FirstArg,
BOOLEAN * HasError )

Implementation of printf function.

Parameters
GuestRegs
ActionDetail
ScriptGeneralRegisters
Tag
ImmediateMessagePassing
Format
ArgCount
FirstArg
HasError
Returns
VOID
1580{
1581 //
1582 // *** The printf function ***
1583 //
1584
1585 char FinalBuffer[PacketChunkSize] = {0};
1586 UINT32 CurrentPositionInFinalBuffer = 0;
1587 UINT32 CurrentProcessedPositionFromStartOfFormat = 0;
1588 BOOLEAN WithoutAnyFormatSpecifier = TRUE;
1589
1590 UINT64 Val;
1591 UINT32 Position;
1592 UINT32 LenOfFormats = (UINT32)strlen(Format) + 1;
1593 PSYMBOL Symbol;
1594
1595 *HasError = FALSE;
1596
1597 for (int i = 0; i < ArgCount; i++)
1598 {
1599 WithoutAnyFormatSpecifier = FALSE;
1600 Symbol = FirstArg + i;
1601
1602 //
1603 // Address is either wstring (%ws) or string (%s)
1604 //
1605
1606 Position = (Symbol->Type >> 32) + 1;
1607
1608 SYMBOL TempSymbol = {0};
1609 memcpy(&TempSymbol, Symbol, sizeof(SYMBOL));
1610 TempSymbol.Type &= 0x7fffffff;
1611
1612 Val = GetValue(GuestRegs, ActionDetail, ScriptGeneralRegisters, &TempSymbol, FALSE);
1613
1614 CHAR PercentageChar = Format[Position];
1615
1616 // printf("position = %d is %c%c \n", Position, PercentageChar, IndicatorChar1);
1617
1618 if (CurrentProcessedPositionFromStartOfFormat != Position)
1619 {
1620 //
1621 // There is some strings before this format specifier
1622 // we should move it to the buffer
1623 //
1624 UINT32 StringLen = Position - CurrentProcessedPositionFromStartOfFormat;
1625
1626 //
1627 // Check final buffer capacity
1628 //
1629 if (CurrentPositionInFinalBuffer + StringLen < sizeof(FinalBuffer))
1630 {
1631 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1632 &Format[CurrentProcessedPositionFromStartOfFormat],
1633 StringLen);
1634
1635 CurrentProcessedPositionFromStartOfFormat += StringLen;
1636 CurrentPositionInFinalBuffer += StringLen;
1637 }
1638 }
1639
1640 //
1641 // Double check and apply
1642 //
1643 if (PercentageChar == '%')
1644 {
1645 //
1646 // Set first character of specifier
1647 //
1648 CHAR FormatSpecifier[5] = {0};
1649 FormatSpecifier[0] = '%';
1650
1651 //
1652 // Read second char
1653 //
1654 CHAR IndicatorChar2 = Format[Position + 1];
1655
1656 //
1657 // Check if IndicatorChar2 is 2 character long or more
1658 //
1659 if (IndicatorChar2 == 'l' || IndicatorChar2 == 'w' ||
1660 IndicatorChar2 == 'h')
1661 {
1662 //
1663 // Set second char in format specifier
1664 //
1665 FormatSpecifier[1] = IndicatorChar2;
1666
1667 if (IndicatorChar2 == 'l' && Format[Position + 2] == 'l')
1668 {
1669 //
1670 // Set third character in format specifier "ll"
1671 //
1672 FormatSpecifier[2] = 'l';
1673
1674 //
1675 // Set last character
1676 //
1677 FormatSpecifier[3] = Format[Position + 3];
1678 }
1679 else
1680 {
1681 //
1682 // Set last character
1683 //
1684 FormatSpecifier[2] = Format[Position + 2];
1685 }
1686 }
1687 else
1688 {
1689 //
1690 // It's a one char specifier (Set last character)
1691 //
1692 FormatSpecifier[1] = IndicatorChar2;
1693 }
1694
1695 //
1696 // Apply the specifier
1697 //
1698 if (!strncmp(FormatSpecifier, "%s", 2))
1699 {
1700 //
1701 // for string
1702 //
1704 "%s",
1705 FinalBuffer,
1706 &CurrentProcessedPositionFromStartOfFormat,
1707 &CurrentPositionInFinalBuffer,
1708 Val,
1709 FALSE,
1710 sizeof(FinalBuffer)))
1711 {
1712 *HasError = TRUE;
1713 return;
1714 }
1715 }
1716 else if (!strncmp(FormatSpecifier, "%ls", 3) ||
1717 !strncmp(FormatSpecifier, "%ws", 3))
1718 {
1719 //
1720 // for wide string (not important if %ls or %ws , only the length is
1721 // important)
1722 //
1724 "%ws",
1725 FinalBuffer,
1726 &CurrentProcessedPositionFromStartOfFormat,
1727 &CurrentPositionInFinalBuffer,
1728 Val,
1729 TRUE,
1730 sizeof(FinalBuffer)))
1731 {
1732 *HasError = TRUE;
1733 return;
1734 }
1735 }
1736 else
1737 {
1738 ApplyFormatSpecifier(FormatSpecifier, FinalBuffer, &CurrentProcessedPositionFromStartOfFormat, &CurrentPositionInFinalBuffer, Val, sizeof(FinalBuffer));
1739 }
1740 }
1741 }
1742
1743 if (WithoutAnyFormatSpecifier)
1744 {
1745 //
1746 // Means that it's just a simple print without any format specifier
1747 //
1748 if (LenOfFormats < sizeof(FinalBuffer))
1749 {
1750 memcpy(FinalBuffer, Format, LenOfFormats);
1751 }
1752 }
1753 else
1754 {
1755 //
1756 // Check if there is anything after the last format specifier
1757 //
1758 if (LenOfFormats > CurrentProcessedPositionFromStartOfFormat)
1759 {
1760 UINT32 RemainedLen =
1761 LenOfFormats - CurrentProcessedPositionFromStartOfFormat;
1762
1763 if (CurrentPositionInFinalBuffer + RemainedLen < sizeof(FinalBuffer))
1764 {
1765 memcpy(&FinalBuffer[CurrentPositionInFinalBuffer],
1766 &Format[CurrentProcessedPositionFromStartOfFormat],
1767 RemainedLen);
1768 }
1769 }
1770 }
1771
1772//
1773// Print final result
1774//
1775#ifdef SCRIPT_ENGINE_USER_MODE
1776 printf("%s", FinalBuffer);
1777#endif // SCRIPT_ENGINE_USER_MODE
1778
1779#ifdef SCRIPT_ENGINE_KERNEL_MODE
1780
1781 //
1782 // Prepare a buffer to bypass allocating a huge stack space for logging
1783 //
1784 LogSimpleWithTag((UINT32)Tag, ImmediateMessagePassing, FinalBuffer, (UINT32)strlen(FinalBuffer) + 1);
1785
1786#endif // SCRIPT_ENGINE_KERNEL_MODE
1787}
BOOLEAN ApplyStringFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, BOOLEAN IsWstring, UINT32 SizeOfFinalBuffer)
Apply string format specifiers (s, ws, etc.).
Definition Functions.c:1411
UINT64 GetValue(PGUEST_REGS GuestRegs, PACTION_BUFFER ActionBuffer, PSCRIPT_ENGINE_GENERAL_REGISTERS ScriptGeneralRegisters, PSYMBOL Symbol, BOOLEAN ReturnReference)
Get the Value (reg, peseudo-reg, etc.).
Definition ScriptEngineEval.c:92
VOID ApplyFormatSpecifier(const CHAR *CurrentSpecifier, CHAR *FinalBuffer, PUINT32 CurrentProcessedPositionFromStartOfFormat, PUINT32 CurrentPositionInFinalBuffer, UINT64 Val, UINT32 SizeOfFinalBuffer)
Apply format specifiers (d, x, llx, etc.).
Definition Functions.c:1332
char CHAR
Definition BasicTypes.h:33
#define PacketChunkSize
Size of each packet.
Definition Constants.h:187
struct SYMBOL * PSYMBOL
printf("ho")
Definition ScriptEngineCommonDefinitions.h:6
long long unsigned Type
Definition ScriptEngineCommonDefinitions.h:7

◆ ScriptEngineFunctionRdtsc()

UINT64 ScriptEngineFunctionRdtsc ( )

Implementation of rdtsc function.

842{
843 return CpuReadTsc();
844}
UINT64 CpuReadTsc(VOID)
Read Time-Stamp Counter.
Definition PlatformIntrinsics.c:295

◆ ScriptEngineFunctionRdtscp()

UINT64 ScriptEngineFunctionRdtscp ( )

Implementation of rdtscp function.

852{
853 UINT32 Aux;
854 return CpuReadTscp(&Aux);
855}
UINT64 CpuReadTscp(UINT32 *Aux)
Read Time-Stamp Counter and Processor ID.
Definition PlatformIntrinsics.c:315

◆ ScriptEngineFunctionShortCircuitingEvent()

VOID ScriptEngineFunctionShortCircuitingEvent ( UINT64 State,
ACTION_BUFFER * ActionDetail )

Implementation of event_ignore function.

Parameters
State
ActionDetail
Returns
VOID
1189{
1190#ifdef SCRIPT_ENGINE_USER_MODE
1191 ShowMessages("err, it's not possible to short-circuit events in user-mode\n");
1192#endif // SCRIPT_ENGINE_USER_MODE
1193
1194#ifdef SCRIPT_ENGINE_KERNEL_MODE
1195
1196 if (ActionDetail->CallingStage == 1)
1197 {
1198 LogWarning("Warning, calling the 'event_sc' function in the 'post' calling stage doesn't make sense as the emulation is already performed!\n"
1199 "You can use this function in the 'pre' calling stage");
1200 return;
1201 }
1202
1203 ULONG CurrentCore = KeGetCurrentProcessorNumberEx(NULL);
1204
1205 if (State != 0)
1206 {
1207 g_DbgState[CurrentCore].ShortCircuitingEvent = TRUE;
1208 }
1209 else
1210 {
1211 g_DbgState[CurrentCore].ShortCircuitingEvent = FALSE;
1212 }
1213
1214#endif // SCRIPT_ENGINE_KERNEL_MODE
1215}
#define LogWarning(format,...)
Log in the case of warning.
Definition HyperDbgHyperLogIntrinsics.h:99

◆ ScriptEngineFunctionSpinlockLock()

VOID ScriptEngineFunctionSpinlockLock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_lock function.

Parameters
Lock
HasError
Returns
VOID
650{
651#ifdef SCRIPT_ENGINE_USER_MODE
652
653 SpinlockLock(Lock);
654
655#endif // SCRIPT_ENGINE_USER_MODE
656
657#ifdef SCRIPT_ENGINE_KERNEL_MODE
658
659 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
660 {
661 *HasError = TRUE;
662 return;
663 }
664
665 SpinlockLock(Lock);
666
667#endif // SCRIPT_ENGINE_KERNEL_MODE
668}
VOID SpinlockLock(volatile LONG *Lock)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:53
long LONG
Definition BasicTypes.h:28

◆ ScriptEngineFunctionSpinlockLockCustomWait()

VOID ScriptEngineFunctionSpinlockLockCustomWait ( volatile long * Lock,
unsigned MaxWait,
BOOL * HasError )

Implementation of spinlock_lock_custom_wait function.

Parameters
Lock
MaxWait
HasError
Returns
VOID
709{
710#ifdef SCRIPT_ENGINE_USER_MODE
711
712 SpinlockLockWithCustomWait(Lock, MaxWait);
713
714#endif // SCRIPT_ENGINE_USER_MODE
715
716#ifdef SCRIPT_ENGINE_KERNEL_MODE
717
718 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
719 {
720 *HasError = TRUE;
721 return;
722 }
723
724 SpinlockLockWithCustomWait(Lock, MaxWait);
725
726#endif // SCRIPT_ENGINE_KERNEL_MODE
727}
VOID SpinlockLockWithCustomWait(volatile LONG *Lock, UINT32 MaximumWait)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:128

◆ ScriptEngineFunctionSpinlockUnlock()

VOID ScriptEngineFunctionSpinlockUnlock ( volatile LONG * Lock,
BOOL * HasError )

Implementation of spinlock_unlock function.

Parameters
Lock
HasError
Returns
VOID
679{
680#ifdef SCRIPT_ENGINE_USER_MODE
681
682 SpinlockUnlock(Lock);
683
684#endif // SCRIPT_ENGINE_USER_MODE
685
686#ifdef SCRIPT_ENGINE_KERNEL_MODE
687
688 if (!CheckAccessValidityAndSafety((UINT64)Lock, sizeof(LONG)))
689 {
690 *HasError = TRUE;
691 return;
692 }
693
694 SpinlockUnlock(Lock);
695
696#endif // SCRIPT_ENGINE_KERNEL_MODE
697}
VOID SpinlockUnlock(volatile LONG *Lock)
Release the lock.
Definition Spinlock.c:162

◆ ScriptEngineFunctionStrcmp()

UINT64 ScriptEngineFunctionStrcmp ( const char * Address1,
const char * Address2 )

Implementation of strcmp function.

Parameters
Address1
Address2
Returns
UINT64
1874{
1875 UINT64 Result = 0;
1876#ifdef SCRIPT_ENGINE_USER_MODE
1877 Result = strcmp(Address1, Address2);
1878#endif // SCRIPT_ENGINE_USER_MODE
1879
1880#ifdef SCRIPT_ENGINE_KERNEL_MODE
1881 Result = VmFuncVmxCompatibleStrcmp(Address1, Address2);
1882#endif // SCRIPT_ENGINE_KERNEL_MODE
1883
1884 return Result;
1885}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrcmp(const CHAR *Address1, const CHAR *Address2)
VMX-root compatible strcmp.
Definition Export.c:1006

◆ ScriptEngineFunctionStrlen()

UINT64 ScriptEngineFunctionStrlen ( const char * Address)

Implementation of strlen function.

Parameters
Address
Returns
UINT64
737{
738 UINT64 Result = 0;
739#ifdef SCRIPT_ENGINE_USER_MODE
740 Result = strlen(Address);
741#endif // SCRIPT_ENGINE_USER_MODE
742
743#ifdef SCRIPT_ENGINE_KERNEL_MODE
744 Result = VmFuncVmxCompatibleStrlen(Address);
745#endif // SCRIPT_ENGINE_KERNEL_MODE
746
747 return Result;
748}
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleStrlen(const CHAR *s)
VMX-root compatible strlen.
Definition Export.c:861

◆ ScriptEngineFunctionStrncmp()

UINT64 ScriptEngineFunctionStrncmp ( const char * Address1,
const char * Address2,
size_t Num )

Implementation of strcmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1898{
1899 UINT64 Result = 0;
1900#ifdef SCRIPT_ENGINE_USER_MODE
1901 Result = strncmp(Address1, Address2, Num);
1902#endif // SCRIPT_ENGINE_USER_MODE
1903
1904#ifdef SCRIPT_ENGINE_KERNEL_MODE
1905 Result = VmFuncVmxCompatibleStrncmp(Address1, Address2, Num);
1906#endif // SCRIPT_ENGINE_KERNEL_MODE
1907
1908 return Result;
1909}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleStrncmp(const CHAR *Address1, const CHAR *Address2, SIZE_T Num)
VMX-root compatible strncmp.
Definition Export.c:1020

◆ ScriptEngineFunctionTestStatement()

VOID ScriptEngineFunctionTestStatement ( UINT64 Tag,
BOOLEAN ImmediateMessagePassing,
UINT64 Value )

Implementation of test_statement function.

Parameters
Tag
ImmediateMessagePassing
Value
Returns
VOID
628{
629 UNREFERENCED_PARAMETER(Tag);
630 UNREFERENCED_PARAMETER(ImmediateMessagePassing);
631 UNREFERENCED_PARAMETER(Value);
632
633#ifdef SCRIPT_ENGINE_USER_MODE
634
637
638#endif // SCRIPT_ENGINE_USER_MODE
639}
BOOLEAN g_CurrentExprEvalResultHasError
global variable to detect if there was an error in the result of script-engine statement tests
Definition globals.h:681
UINT64 g_CurrentExprEvalResult
global variable to save the result of script-engine statement tests
Definition globals.h:674

◆ ScriptEngineFunctionVirtualToPhysical()

UINT64 ScriptEngineFunctionVirtualToPhysical ( UINT64 Address)
550{
551#ifdef SCRIPT_ENGINE_USER_MODE
552
553 //
554 // There is no conversion in user-mode
555 //
556 return NULL;
557#endif // SCRIPT_ENGINE_USER_MODE
558
559#ifdef SCRIPT_ENGINE_KERNEL_MODE
560
562
563#endif // SCRIPT_ENGINE_KERNEL_MODE
564}
IMPORT_EXPORT_VMM UINT64 VirtualAddressToPhysicalAddressOnTargetProcess(_In_ PVOID VirtualAddress)

◆ ScriptEngineFunctionWcscmp()

UINT64 ScriptEngineFunctionWcscmp ( const wchar_t * Address1,
const wchar_t * Address2 )

Implementation of wcscmp function.

Parameters
Address1
Address2
Returns
UINT64
1921{
1922 UINT64 Result = 0;
1923#ifdef SCRIPT_ENGINE_USER_MODE
1924 Result = wcscmp(Address1, Address2);
1925#endif // SCRIPT_ENGINE_USER_MODE
1926
1927#ifdef SCRIPT_ENGINE_KERNEL_MODE
1928 Result = VmFuncVmxCompatibleWcscmp(Address1, Address2);
1929#endif // SCRIPT_ENGINE_KERNEL_MODE
1930
1931 return Result;
1932}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcscmp(const WCHAR *Address1, const WCHAR *Address2)
VMX-root compatible wcscmp.
Definition Export.c:1033

◆ ScriptEngineFunctionWcslen()

UINT64 ScriptEngineFunctionWcslen ( const wchar_t * Address)

Implementation of wcslen function.

Parameters
Address
Returns
UINT64
781{
782 UINT64 Result = 0;
783
784#ifdef SCRIPT_ENGINE_USER_MODE
785 Result = wcslen(Address);
786#endif // SCRIPT_ENGINE_USER_MODE
787
788#ifdef SCRIPT_ENGINE_KERNEL_MODE
789 Result = VmFuncVmxCompatibleWcslen(Address);
790#endif // SCRIPT_ENGINE_KERNEL_MODE
791
792 return Result;
793}
IMPORT_EXPORT_VMM UINT32 VmFuncVmxCompatibleWcslen(const WCHAR *s)
VMX-root compatible strlen.
Definition Export.c:873

◆ ScriptEngineFunctionWcsncmp()

UINT64 ScriptEngineFunctionWcsncmp ( const wchar_t * Address1,
const wchar_t * Address2,
size_t Num )

Implementation of wcsncmp function.

Parameters
Address1
Address2
Num
Returns
UINT64
1945{
1946 UINT64 Result = 0;
1947#ifdef SCRIPT_ENGINE_USER_MODE
1948 Result = wcsncmp(Address1, Address2, Num);
1949#endif // SCRIPT_ENGINE_USER_MODE
1950
1951#ifdef SCRIPT_ENGINE_KERNEL_MODE
1952 Result = VmFuncVmxCompatibleWcsncmp(Address1, Address2, Num);
1953#endif // SCRIPT_ENGINE_KERNEL_MODE
1954
1955 return Result;
1956}
IMPORT_EXPORT_VMM INT32 VmFuncVmxCompatibleWcsncmp(const WCHAR *Address1, const WCHAR *Address2, SIZE_T Num)
VMX-root compatible wcsncmp.
Definition Export.c:1047

◆ ScriptEngineKeywordDb()

BYTE ScriptEngineKeywordDb ( PUINT64 Address,
BOOL * HasError )

Implementation of db keyword.

Parameters
Address
HasError
Returns
BYTE
136{
137 BYTE Result = NULL_ZERO;
138
139#ifdef SCRIPT_ENGINE_KERNEL_MODE
140
141 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(BYTE)))
142 {
143 *HasError = TRUE;
144
145 return NULL_ZERO;
146 }
147
148#endif // SCRIPT_ENGINE_KERNEL_MODE
149
150#ifdef SCRIPT_ENGINE_USER_MODE
151 Result = (BYTE)*Address;
152#endif // SCRIPT_ENGINE_USER_MODE
153
154#ifdef SCRIPT_ENGINE_KERNEL_MODE
155 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(BYTE));
156#endif // SCRIPT_ENGINE_KERNEL_MODE
157
158 return Result;
159}
#define NULL_ZERO
Definition BasicTypes.h:110

◆ ScriptEngineKeywordDbPa()

BYTE ScriptEngineKeywordDbPa ( PUINT64 Address,
BOOL * HasError )

Implementation of db keyword.

Parameters
Address
HasError
Returns
BYTE
389{
390 BYTE Result = NULL_ZERO;
391
392#ifdef SCRIPT_ENGINE_KERNEL_MODE
393
394 if (!CheckAddressPhysical((UINT64)Address))
395 {
396 *HasError = TRUE;
397
398 return NULL_ZERO;
399 }
400
401#endif // SCRIPT_ENGINE_KERNEL_MODE
402
403#ifdef SCRIPT_ENGINE_USER_MODE
404
405 ShowMessages("err, using physical address keywords (db_pa) is not possible in user-mode\n");
406 return (BYTE)NULL;
407
408#endif // SCRIPT_ENGINE_USER_MODE
409
410#ifdef SCRIPT_ENGINE_KERNEL_MODE
411 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(BYTE));
412#endif // SCRIPT_ENGINE_KERNEL_MODE
413
414 return Result;
415}

◆ ScriptEngineKeywordDd()

DWORD ScriptEngineKeywordDd ( PUINT64 Address,
BOOL * HasError )

Implementation of dd keyword.

Parameters
Address
HasError
Returns
DWORD
170{
171 DWORD Result = NULL_ZERO;
172
173#ifdef SCRIPT_ENGINE_KERNEL_MODE
174
175 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(DWORD)))
176 {
177 *HasError = TRUE;
178
179 return NULL_ZERO;
180 }
181
182#endif // SCRIPT_ENGINE_KERNEL_MODE
183
184#ifdef SCRIPT_ENGINE_USER_MODE
185 Result = (DWORD)*Address;
186#endif // SCRIPT_ENGINE_USER_MODE
187
188#ifdef SCRIPT_ENGINE_KERNEL_MODE
189 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(DWORD));
190#endif // SCRIPT_ENGINE_KERNEL_MODE
191
192 return Result;
193}

◆ ScriptEngineKeywordDdPa()

DWORD ScriptEngineKeywordDdPa ( PUINT64 Address,
BOOL * HasError )

Implementation of dd keyword.

Parameters
Address
HasError
Returns
DWORD
426{
427 DWORD Result = NULL_ZERO;
428
429#ifdef SCRIPT_ENGINE_KERNEL_MODE
430
431 if (!CheckAddressPhysical((UINT64)Address))
432 {
433 *HasError = TRUE;
434
435 return NULL_ZERO;
436 }
437
438#endif // SCRIPT_ENGINE_KERNEL_MODE
439
440#ifdef SCRIPT_ENGINE_USER_MODE
441
442 ShowMessages("err, using physical address keywords (dd_pa) is not possible in user-mode\n");
443 return (DWORD)NULL;
444
445#endif // SCRIPT_ENGINE_USER_MODE
446
447#ifdef SCRIPT_ENGINE_KERNEL_MODE
448 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(DWORD));
449#endif // SCRIPT_ENGINE_KERNEL_MODE
450
451 return Result;
452}

◆ ScriptEngineKeywordDq()

QWORD ScriptEngineKeywordDq ( PUINT64 Address,
BOOL * HasError )

Implementation of dq keyword.

Parameters
Address
HasError
Returns
QWORD
238{
239 QWORD Result = (QWORD)NULL;
240
241#ifdef SCRIPT_ENGINE_KERNEL_MODE
242
243 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(DWORD)))
244 {
245 *HasError = TRUE;
246
247 return (QWORD)NULL;
248 }
249
250#endif // SCRIPT_ENGINE_KERNEL_MODE
251
252#ifdef SCRIPT_ENGINE_USER_MODE
253 Result = *Address;
254#endif // SCRIPT_ENGINE_USER_MODE
255
256#ifdef SCRIPT_ENGINE_KERNEL_MODE
257 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(QWORD));
258#endif // SCRIPT_ENGINE_KERNEL_MODE
259
260 return Result;
261}

◆ ScriptEngineKeywordDqPa()

QWORD ScriptEngineKeywordDqPa ( PUINT64 Address,
BOOL * HasError )

Implementation of dq keyword.

Parameters
Address
HasError
Returns
QWORD
500{
501 QWORD Result = (QWORD)NULL;
502
503#ifdef SCRIPT_ENGINE_KERNEL_MODE
504
505 if (!CheckAddressPhysical((UINT64)Address))
506 {
507 *HasError = TRUE;
508
509 return (QWORD)NULL;
510 }
511
512#endif // SCRIPT_ENGINE_KERNEL_MODE
513
514#ifdef SCRIPT_ENGINE_USER_MODE
515
516 ShowMessages("err, using physical address keywords (dq_pa) is not possible in user-mode\n");
517 return (QWORD)NULL;
518
519#endif // SCRIPT_ENGINE_USER_MODE
520
521#ifdef SCRIPT_ENGINE_KERNEL_MODE
522 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(QWORD));
523#endif // SCRIPT_ENGINE_KERNEL_MODE
524
525 return Result;
526}

◆ ScriptEngineKeywordDw()

WORD ScriptEngineKeywordDw ( PUINT64 Address,
BOOL * HasError )

Implementation of dw keyword.

Parameters
Address
HasError
Returns
WORD
204{
205 WORD Result = NULL_ZERO;
206
207#ifdef SCRIPT_ENGINE_KERNEL_MODE
208
209 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(WORD)))
210 {
211 *HasError = TRUE;
212
213 return NULL_ZERO;
214 }
215
216#endif // SCRIPT_ENGINE_KERNEL_MODE
217
218#ifdef SCRIPT_ENGINE_USER_MODE
219 Result = (WORD)*Address;
220#endif // SCRIPT_ENGINE_USER_MODE
221
222#ifdef SCRIPT_ENGINE_KERNEL_MODE
223 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(WORD));
224#endif // SCRIPT_ENGINE_KERNEL_MODE
225
226 return Result;
227}
unsigned short WORD
Definition BasicTypes.h:42

◆ ScriptEngineKeywordDwPa()

WORD ScriptEngineKeywordDwPa ( PUINT64 Address,
BOOL * HasError )

Implementation of dw keyword.

Parameters
Address
HasError
Returns
WORD
463{
464 WORD Result = NULL_ZERO;
465
466#ifdef SCRIPT_ENGINE_KERNEL_MODE
467
468 if (!CheckAddressPhysical((UINT64)Address))
469 {
470 *HasError = TRUE;
471
472 return NULL_ZERO;
473 }
474
475#endif // SCRIPT_ENGINE_KERNEL_MODE
476
477#ifdef SCRIPT_ENGINE_USER_MODE
478
479 ShowMessages("err, using physical address keywords (dw_pa) is not possible in user-mode\n");
480 return (WORD)NULL;
481
482#endif // SCRIPT_ENGINE_USER_MODE
483
484#ifdef SCRIPT_ENGINE_KERNEL_MODE
485 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(WORD));
486#endif // SCRIPT_ENGINE_KERNEL_MODE
487
488 return Result;
489}

◆ ScriptEngineKeywordHi()

WORD ScriptEngineKeywordHi ( PUINT64 Address,
BOOL * HasError )

Implementation of hi keyword.

Parameters
Address
HasError
Returns
WORD
68{
69 QWORD Result = NULL64_ZERO;
70
71#ifdef SCRIPT_ENGINE_KERNEL_MODE
72
73 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
74 {
75 *HasError = TRUE;
76
77 return NULL64_ZERO;
78 }
79
80#endif // SCRIPT_ENGINE_KERNEL_MODE
81
82#ifdef SCRIPT_ENGINE_USER_MODE
83 Result = *Address;
84#endif // SCRIPT_ENGINE_USER_MODE
85
86#ifdef SCRIPT_ENGINE_KERNEL_MODE
87 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
88#endif // SCRIPT_ENGINE_KERNEL_MODE
89
90 return HIWORD(Result);
91}
#define NULL64_ZERO
Definition BasicTypes.h:111
#define HIWORD(l)
Definition Constants.h:557

◆ ScriptEngineKeywordHiPa()

WORD ScriptEngineKeywordHiPa ( PUINT64 Address,
BOOL * HasError )

Implementation of hi keyword.

Parameters
Address
HasError
Returns
WORD
315{
316 QWORD Result = NULL64_ZERO;
317
318#ifdef SCRIPT_ENGINE_KERNEL_MODE
319
320 if (!CheckAddressPhysical((UINT64)Address))
321 {
322 *HasError = TRUE;
323
324 return NULL64_ZERO;
325 }
326
327#endif // SCRIPT_ENGINE_KERNEL_MODE
328
329#ifdef SCRIPT_ENGINE_USER_MODE
330
331 ShowMessages("err, using physical address keywords (hi_pa) is not possible in user-mode\n");
332 return (WORD)NULL;
333
334#endif // SCRIPT_ENGINE_USER_MODE
335
336#ifdef SCRIPT_ENGINE_KERNEL_MODE
337 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(UINT64));
338#endif // SCRIPT_ENGINE_KERNEL_MODE
339
340 return HIWORD(Result);
341}

◆ ScriptEngineKeywordLow()

WORD ScriptEngineKeywordLow ( PUINT64 Address,
BOOL * HasError )

Implementation of low keyword.

Parameters
Address
HasError
Returns
WORD
102{
103 QWORD Result = NULL64_ZERO;
104
105#ifdef SCRIPT_ENGINE_KERNEL_MODE
106
107 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
108 {
109 *HasError = TRUE;
110
111 return NULL64_ZERO;
112 }
113
114#endif // SCRIPT_ENGINE_KERNEL_MODE
115
116#ifdef SCRIPT_ENGINE_USER_MODE
117 Result = *Address;
118#endif // SCRIPT_ENGINE_USER_MODE
119
120#ifdef SCRIPT_ENGINE_KERNEL_MODE
121 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
122#endif // SCRIPT_ENGINE_KERNEL_MODE
123
124 return LOWORD(Result);
125}
#define LOWORD(l)
Definition Constants.h:553

◆ ScriptEngineKeywordLowPa()

WORD ScriptEngineKeywordLowPa ( PUINT64 Address,
BOOL * HasError )

Implementation of low keyword.

Parameters
Address
HasError
Returns
WORD
352{
353 QWORD Result = NULL64_ZERO;
354
355#ifdef SCRIPT_ENGINE_KERNEL_MODE
356
357 if (!CheckAddressPhysical((UINT64)Address))
358 {
359 *HasError = TRUE;
360
361 return NULL64_ZERO;
362 }
363
364#endif // SCRIPT_ENGINE_KERNEL_MODE
365
366#ifdef SCRIPT_ENGINE_USER_MODE
367
368 ShowMessages("err, using physical address keywords (low_pa) is not possible in user-mode\n");
369 return (WORD)NULL;
370
371#endif // SCRIPT_ENGINE_USER_MODE
372
373#ifdef SCRIPT_ENGINE_KERNEL_MODE
374 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(UINT64));
375#endif // SCRIPT_ENGINE_KERNEL_MODE
376
377 return LOWORD(Result);
378}

◆ ScriptEngineKeywordPoi()

UINT64 ScriptEngineKeywordPoi ( PUINT64 Address,
BOOL * HasError )

Implementation of poi keyword.

Parameters
Address
HasError
Returns
UINT64
34{
35 UINT64 Result = (UINT64)NULL;
36
37#ifdef SCRIPT_ENGINE_KERNEL_MODE
38
39 if (!CheckAccessValidityAndSafety((UINT64)Address, sizeof(UINT64)))
40 {
41 *HasError = TRUE;
42
43 return (UINT64)NULL;
44 }
45
46#endif // SCRIPT_ENGINE_KERNEL_MODE
47
48#ifdef SCRIPT_ENGINE_USER_MODE
49 Result = *Address;
50#endif // SCRIPT_ENGINE_USER_MODE
51
52#ifdef SCRIPT_ENGINE_KERNEL_MODE
53 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)Address, &Result, sizeof(UINT64));
54#endif // SCRIPT_ENGINE_KERNEL_MODE
55
56 return Result;
57}

◆ ScriptEngineKeywordPoiPa()

UINT64 ScriptEngineKeywordPoiPa ( PUINT64 Address,
BOOL * HasError )

Implementation of poi_pa keyword.

Parameters
Address
HasError
Returns
UINT64
278{
279 UINT64 Result = (UINT64)NULL;
280
281#ifdef SCRIPT_ENGINE_KERNEL_MODE
282
283 if (!CheckAddressPhysical((UINT64)Address))
284 {
285 *HasError = TRUE;
286
287 return (UINT64)NULL;
288 }
289
290#endif // SCRIPT_ENGINE_KERNEL_MODE
291
292#ifdef SCRIPT_ENGINE_USER_MODE
293
294 ShowMessages("err, using physical address keywords (poi_pa) is not possible in user-mode\n");
295 return (UINT64)NULL;
296
297#endif // SCRIPT_ENGINE_USER_MODE
298
299#ifdef SCRIPT_ENGINE_KERNEL_MODE
300 MemoryMapperReadMemorySafeByPhysicalAddress((UINT64)Address, (UINT64)&Result, sizeof(UINT64));
301#endif // SCRIPT_ENGINE_KERNEL_MODE
302
303 return Result;
304}

◆ ScriptEnginePseudoRegGetBuffer()

UINT64 ScriptEnginePseudoRegGetBuffer ( UINT64 * CorrespondingAction)

Implementation of $buffer pseudo-register.

Parameters
CorrespondingAction
Returns
UINT64
313{
314#ifdef SCRIPT_ENGINE_USER_MODE
315 //
316 // $buffer doesn't mean anything in user-mode
317 //
318 return (UINT64)NULL;
319#endif // SCRIPT_ENGINE_USER_MODE
320
321#ifdef SCRIPT_ENGINE_KERNEL_MODE
323#endif // SCRIPT_ENGINE_KERNEL_MODE
324}
UINT64 ScriptEngineWrapperGetAddressOfReservedBuffer(PDEBUGGER_EVENT_ACTION Action)
Get the address of reserved buffer.
Definition ScriptEngine.c:46
struct _DEBUGGER_EVENT_ACTION DEBUGGER_EVENT_ACTION
The structure of actions in HyperDbg.

◆ ScriptEnginePseudoRegGetCore()

UINT64 ScriptEnginePseudoRegGetCore ( )

Implementation of $core pseudo-register.

Returns
UINT64
43{
44#ifdef SCRIPT_ENGINE_USER_MODE
45 return (UINT64)PlatformGetCurrentProcessorNumber();
46#endif // SCRIPT_ENGINE_USER_MODE
47
48#ifdef SCRIPT_ENGINE_KERNEL_MODE
50#endif // SCRIPT_ENGINE_KERNEL_MODE
51}
ULONG PlatformCpuGetCurrentProcessorNumber(VOID)
Get the current logical processor number.
Definition PlatformCpu.c:47
UINT32 PlatformGetCurrentProcessorNumber(VOID)
Platform independent wrapper for GetCurrentProcessorNumber / sched_getcpu.
Definition platform-lib-calls.c:168

◆ ScriptEnginePseudoRegGetDate()

UINT64 ScriptEnginePseudoRegGetDate ( )

Implementation of date pseudo-register.

Returns
UINT64
408{
409#ifdef SCRIPT_ENGINE_USER_MODE
410 return NULL;
411#endif // SCRIPT_ENGINE_USER_MODE
412
413#ifdef SCRIPT_ENGINE_KERNEL_MODE
414
415 //
416 // Get the current core's date
417 //
419#endif // SCRIPT_ENGINE_KERNEL_MODE
420}
UINT64 ScriptEngineGetTargetCoreDate()
Update core's date time and return date.
Definition ScriptEngine.c:109

◆ ScriptEnginePseudoRegGetEventId()

UINT64 ScriptEnginePseudoRegGetEventId ( PACTION_BUFFER ActionBuffer)

Implementation of $id pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
352{
353#ifdef SCRIPT_ENGINE_USER_MODE
354 return NULL;
355#endif // SCRIPT_ENGINE_USER_MODE
356
357#ifdef SCRIPT_ENGINE_KERNEL_MODE
358 return (ActionBuffer->Tag - DebuggerEventTagStartSeed);
359#endif // SCRIPT_ENGINE_KERNEL_MODE
360}

◆ ScriptEnginePseudoRegGetEventStage()

UINT64 ScriptEnginePseudoRegGetEventStage ( PACTION_BUFFER ActionBuffer)

Implementation of stage pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
370{
371#ifdef SCRIPT_ENGINE_USER_MODE
372 return NULL;
373#endif // SCRIPT_ENGINE_USER_MODE
374
375#ifdef SCRIPT_ENGINE_KERNEL_MODE
376 return ActionBuffer->CallingStage;
377#endif // SCRIPT_ENGINE_KERNEL_MODE
378}

◆ ScriptEnginePseudoRegGetEventTag()

UINT64 ScriptEnginePseudoRegGetEventTag ( PACTION_BUFFER ActionBuffer)

Implementation of $tag pseudo-register.

Parameters
ActionBuffer
Returns
UINT64
334{
335#ifdef SCRIPT_ENGINE_USER_MODE
336 return (UINT64)NULL;
337#endif // SCRIPT_ENGINE_USER_MODE
338
339#ifdef SCRIPT_ENGINE_KERNEL_MODE
340 return ActionBuffer->Tag;
341#endif // SCRIPT_ENGINE_KERNEL_MODE
342}

◆ ScriptEnginePseudoRegGetIp()

UINT64 ScriptEnginePseudoRegGetIp ( )

Implementation of $ip pseudo-register.

Returns
UINT64
292{
293#ifdef SCRIPT_ENGINE_USER_MODE
294 //
295 // $ip doesn't have meaning in user-moderds
296 //
297 return NULL;
298#endif // SCRIPT_ENGINE_USER_MODE
299
300#ifdef SCRIPT_ENGINE_KERNEL_MODE
302#endif // SCRIPT_ENGINE_KERNEL_MODE
303}
UINT64 ScriptEngineWrapperGetInstructionPointer()
Get current ip from the debugger frame.
Definition ScriptEngine.c:21

◆ ScriptEnginePseudoRegGetPeb()

UINT64 ScriptEnginePseudoRegGetPeb ( )

Implementation of $peb pseudo-register.

Returns
UINT64
128{
129#ifdef SCRIPT_ENGINE_USER_MODE
130# ifdef _WIN32
131 //
132 // Hand-rolled structs ( may cause conflict depending on your dev env )
133 //
134 struct PROCESS_BASIC_INFORMATION
135 {
136 PVOID Reserved1;
137 PVOID PebBaseAddress;
138 PVOID Reserved2[2];
139 ULONG_PTR UniqueProcessId;
140 PVOID Reserved3;
141 };
142
143 struct PEB_LDR_DATA
144 {
145 BYTE Reserved1[8];
146 PVOID Reserved2[3];
147 LIST_ENTRY InMemoryOrderModuleList;
148 };
149
150 struct PEB
151 {
152 BYTE Reserved1[2];
154 BYTE Reserved2[1];
155 PVOID Reserved3[2];
156 struct PEB_LDR_DATA * Ldr;
157 PVOID ProcessParameters; /* PRTL_USER_PROCESS_PARAMETERS */
158 BYTE Reserved4[104];
159 PVOID Reserved5[52];
160 PVOID PostProcessInitRoutine; /* PPS_POST_PROCESS_INIT_ROUTINE */
161 BYTE Reserved6[128];
162 PVOID Reserved7[1];
164 };
165
166 struct UNICODE_STRING
167 {
170 PWSTR Buffer;
171 };
172
173 struct LDR_MODULE
174 {
175 LIST_ENTRY InLoadOrderModuleList;
176 LIST_ENTRY InMemoryOrderModuleList;
177 LIST_ENTRY InInitializationOrderModuleList;
178 PVOID BaseAddress;
179 PVOID EntryPoint;
180 ULONG SizeOfImage;
181 struct UNICODE_STRING FullDllName;
182 struct UNICODE_STRING BaseDllName;
183 ULONG Flags;
184 SHORT LoadCount;
185 SHORT TlsIndex;
186 LIST_ENTRY HashTableEntry;
187 ULONG TimeDateStamp;
188 };
189
190 enum PROCESSINFOCLASS
191 {
192 ProcessBasicInformation = 0,
193 ProcessDebugPort = 7,
194 ProcessWow64Information = 26,
195 ProcessImageFileName = 27
196 };
197
198 LPCWSTR NTDLL_NAME = L"ntdll.dll";
199 LPCSTR NTQUERYINFO_NAME = "NtQueryInformationProcess";
200
201 HMODULE NtdllMod;
202 HANDLE ThisProcess;
203 NTSTATUS NtCallRet;
204 ULONG BytesReturned;
205
206 //
207 // function pointer to house result from GetProcAddress
208 //
209 NTSTATUS(WINAPI * QueryInfoProcPtr)
210 (HANDLE, enum PROCESSINFOCLASS, PVOID, ULONG, PULONG);
211
212 struct PROCESS_BASIC_INFORMATION BasicInfo;
213 struct PEB * PebPtr;
214
215 /* retrieve pseudo-handle */
216 ThisProcess = GetCurrentProcess();
217
218 //
219 // get address to already loaded module
220 //
221 NtdllMod = LoadLibraryW(NTDLL_NAME);
222
223 //
224 // get pointer to query function
225 //
226 QueryInfoProcPtr =
227 (NTSTATUS(WINAPI *)(HANDLE, enum PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(NtdllMod, NTQUERYINFO_NAME);
228
229 //
230 // call function on self; introspect
231 //
232 NtCallRet = QueryInfoProcPtr(ThisProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), &BytesReturned);
233
234 //
235 // get peb ptr and decode some if its fields
236 //
237 PebPtr = (struct PEB *)BasicInfo.PebBaseAddress;
238
239 return (UINT64)PebPtr;
240
241# else // !_WIN32
242
243 //
244 // The PEB (Process Environment Block) is a Windows NT-specific structure
245 // maintained by the kernel for every user-mode process. It holds loader
246 // data, heap pointers, the image path, and other process-wide state that
247 // has no direct equivalent in the Linux process model.
248 //
249 // TODO: investigate whether a meaningful substitute exists on Linux
250 // (e.g. /proc/self/maps, dl_iterate_phdr, or a custom auxv walk)
251 // and implement it here if HyperDbg user-mode on Linux ever needs $peb.
252 //
253 return 0;
254
255# endif // _WIN32
256
257#endif // SCRIPT_ENGINE_USER_MODE
258
259#ifdef SCRIPT_ENGINE_KERNEL_MODE
260
261 //
262 // PEB doesn't make sense in kernel-mode
263 //
264 return NULL64_ZERO;
265#endif // SCRIPT_ENGINE_KERNEL_MODE
266}
struct _PEB PEB
PEB 64-bit.
struct _PEB_LDR_DATA PEB_LDR_DATA
PEB LDR Data.
unsigned short USHORT
Definition BasicTypes.h:30
short SHORT
Definition BasicTypes.h:27
struct _UNICODE_STRING UNICODE_STRING
ULONG Reserved6
Definition UserAccess.h:65
PPEB_LDR_DATA Ldr
Definition UserAccess.h:60
BYTE Reserved2[1]
Definition UserAccess.h:58
BYTE BeingDebugged
Definition UserAccess.h:57
ULONG SessionId
Definition UserAccess.h:74
PRTL_USER_PROCESS_PARAMETERS ProcessParameters
Definition UserAccess.h:61
PVOID Reserved5
Definition UserAccess.h:64
PVOID Reserved3[2]
Definition UserAccess.h:59
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine
Definition UserAccess.h:71
PVOID Reserved7
Definition UserAccess.h:66
PVOID Reserved4[3]
Definition UserAccess.h:62
BYTE Reserved1[2]
Definition UserAccess.h:56
USHORT Length
Definition casting.cpp:26
USHORT MaximumLength
Definition casting.cpp:27
PWSTR Buffer
Definition casting.cpp:28

◆ ScriptEnginePseudoRegGetPid()

UINT64 ScriptEnginePseudoRegGetPid ( )

Implementation of $pid pseudo-register.

Returns
UINT64
60{
61#ifdef SCRIPT_ENGINE_USER_MODE
62 return (UINT64)PlatformGetCurrentProcessId();
63#endif // SCRIPT_ENGINE_USER_MODE
64
65#ifdef SCRIPT_ENGINE_KERNEL_MODE
67#endif // SCRIPT_ENGINE_KERNEL_MODE
68}
HANDLE PlatformProcessGetCurrentProcessId(VOID)
Get the current process ID.
Definition PlatformProcess.c:47
UINT32 PlatformGetCurrentProcessId(VOID)
Platform independent wrapper for GetCurrentProcessId / getpid.
Definition platform-lib-calls.c:185

◆ ScriptEnginePseudoRegGetPname()

CHAR * ScriptEnginePseudoRegGetPname ( )

Implementation of $pname pseudo-register.

Returns
CHAR*
77{
78#ifdef SCRIPT_ENGINE_USER_MODE
80#endif // SCRIPT_ENGINE_USER_MODE
81
82#ifdef SCRIPT_ENGINE_KERNEL_MODE
84#endif // SCRIPT_ENGINE_KERNEL_MODE
85}
PVOID PlatformProcessGetCurrentProcess(VOID)
Get the current process (PEPROCESS).
Definition PlatformProcess.c:70
PCHAR CommonGetProcessNameFromProcessControlBlock(PEPROCESS Eprocess)
Get process name by eprocess.
Definition Common.c:48
CHAR * PlatformGetCurrentProcessName(VOID)
Platform independent wrapper to get the current process name.
Definition platform-lib-calls.c:202

◆ ScriptEnginePseudoRegGetProc()

UINT64 ScriptEnginePseudoRegGetProc ( )

Implementation of $proc pseudo-register.

Returns
UINT64
94{
95#ifdef SCRIPT_ENGINE_USER_MODE
96 return (UINT64)NULL;
97#endif // SCRIPT_ENGINE_USER_MODE
98
99#ifdef SCRIPT_ENGINE_KERNEL_MODE
100 return (UINT64)PlatformProcessGetCurrentProcess();
101#endif // SCRIPT_ENGINE_KERNEL_MODE
102}

◆ ScriptEnginePseudoRegGetTeb()

UINT64 ScriptEnginePseudoRegGetTeb ( )

Implementation of $teb pseudo-register.

Returns
UINT64
275{
276#ifdef SCRIPT_ENGINE_USER_MODE
277 return (UINT64)NULL;
278#endif // SCRIPT_ENGINE_USER_MODE
279
280#ifdef SCRIPT_ENGINE_KERNEL_MODE
281 return (UINT64)PlatformProcessGetCurrentThreadTeb();
282#endif // SCRIPT_ENGINE_KERNEL_MODE
283}
PVOID PlatformProcessGetCurrentThreadTeb(VOID)
Get the TEB (Thread Environment Block) of the current thread.
Definition PlatformProcess.c:116

◆ ScriptEnginePseudoRegGetThread()

UINT64 ScriptEnginePseudoRegGetThread ( )

Implementation of $thread pseudo-register.

Returns
UINT64
111{
112#ifdef SCRIPT_ENGINE_USER_MODE
113 return (UINT64)NULL;
114#endif // SCRIPT_ENGINE_USER_MODE
115
116#ifdef SCRIPT_ENGINE_KERNEL_MODE
117 return (UINT64)PlatformProcessGetCurrentThread();
118#endif // SCRIPT_ENGINE_KERNEL_MODE
119}
PVOID PlatformProcessGetCurrentThread(VOID)
Get the current thread (PETHREAD).
Definition PlatformProcess.c:93

◆ ScriptEnginePseudoRegGetTid()

UINT64 ScriptEnginePseudoRegGetTid ( )

Implementation of $tid pseudo-register.

Returns
UINT64
26{
27#ifdef SCRIPT_ENGINE_USER_MODE
28 return (UINT64)PlatformGetCurrentThreadId();
29#endif // SCRIPT_ENGINE_USER_MODE
30
31#ifdef SCRIPT_ENGINE_KERNEL_MODE
32 return (UINT64)PlatformProcessGetCurrentThreadId();
33#endif // SCRIPT_ENGINE_KERNEL_MODE
34}
HANDLE PlatformProcessGetCurrentThreadId(VOID)
Get the current thread ID.
Definition PlatformProcess.c:24
UINT32 PlatformGetCurrentThreadId(VOID)
Platform independent wrapper for GetCurrentThreadId / gettid.
Definition platform-lib-calls.c:151

◆ ScriptEnginePseudoRegGetTime()

UINT64 ScriptEnginePseudoRegGetTime ( )

Implementation of time pseudo-register.

Returns
UINT64
387{
388#ifdef SCRIPT_ENGINE_USER_MODE
389 return NULL;
390#endif // SCRIPT_ENGINE_USER_MODE
391
392#ifdef SCRIPT_ENGINE_KERNEL_MODE
393
394 //
395 // Get the current core's time
396 //
398#endif // SCRIPT_ENGINE_KERNEL_MODE
399}
UINT64 ScriptEngineGetTargetCoreTime()
Update core's date time and return time.
Definition ScriptEngine.c:87

◆ SetRegValueUsingSymbol()

BOOLEAN SetRegValueUsingSymbol ( PGUEST_REGS GuestRegs,
PSYMBOL Symbol,
UINT64 Value )

Set the register value.

Parameters
GuestRegs
Symbol
Value
ActionBuffer
Returns
BOOLEAN
2036{
2037#if defined(SCRIPT_ENGINE_USER_MODE) && defined(HYPERDBG_LIBHYPERDBG)
2039 return SetRegValue(GuestRegs, (UINT32)Symbol->Value, Value);
2040 else
2041 return SetRegValueHwdbg((UINT64 *)GuestRegs, (UINT32)Symbol->Value, Value);
2042#else
2043 return SetRegValue(GuestRegs, (UINT32)Symbol->Value, Value);
2044#endif // defined(SCRIPT_ENGINE_USER_MODE) && defined(HYPERDBG_LIBHYPERDBG)
2045}
BOOLEAN SetRegValue(PGUEST_REGS GuestRegs, UINT32 RegisterId, UINT64 Value)
Set the register value.
Definition Regs.c:1003
BOOLEAN SetRegValueHwdbg(UINT64 *Regs, UINT32 RegisterId, UINT64 Value)
Set the register value for hardware debugging.
Definition Regs.c:987
BOOLEAN g_HwdbgInstanceInfoIsValid
Shows whether the instance info is valid (received) or not.
Definition globals.h:697
long long unsigned Value
Definition ScriptEngineCommonDefinitions.h:9