HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Typedefs | Functions
casting.cpp File Reference

casting functions queries for script engine More...

#include "pch.h"

Classes

struct  _UNICODE_STRING
 
struct  _STUPID_STRUCT1
 
struct  _STUPID_STRUCT2
 

Typedefs

typedef struct _UNICODE_STRING UNICODE_STRING
 
typedef struct _UNICODE_STRINGPUNICODE_STRING
 
typedef struct _STUPID_STRUCT1 STUPID_STRUCT1
 
typedef struct _STUPID_STRUCT1PSTUPID_STRUCT1
 
typedef struct _STUPID_STRUCT2 STUPID_STRUCT2
 
typedef struct _STUPID_STRUCT2PSTUPID_STRUCT2
 

Functions

BOOLEAN SymCastingQueryForFiledsAndTypes (const char *StructName, const char *FiledOfStructName, PBOOLEAN IsStructNamePointerOrNot, PBOOLEAN IsFiledOfStructNamePointerOrNot, char **NewStructOrTypeName, UINT32 *OffsetOfFieldFromTop, UINT32 *SizeOfField)
 This function returns the needed details for making support for the casting in the script engine.
 
BOOLEAN SymQuerySizeof (const char *StructNameOrTypeName, UINT32 *SizeOfField)
 This function returns the sizeof of the structure.
 
int main ()
 

Detailed Description

casting functions queries for script engine

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2022-02-04
Copyright
This project is released under the GNU Public License v3.

Typedef Documentation

◆ PSTUPID_STRUCT1

typedef struct _STUPID_STRUCT1 * PSTUPID_STRUCT1

◆ PSTUPID_STRUCT2

typedef struct _STUPID_STRUCT2 * PSTUPID_STRUCT2

◆ PUNICODE_STRING

typedef struct _UNICODE_STRING * PUNICODE_STRING

◆ STUPID_STRUCT1

typedef struct _STUPID_STRUCT1 STUPID_STRUCT1

◆ STUPID_STRUCT2

typedef struct _STUPID_STRUCT2 STUPID_STRUCT2

◆ UNICODE_STRING

typedef struct _UNICODE_STRING UNICODE_STRING

Function Documentation

◆ main()

int main ( )
287{
288 UINT32 SizeofResult = 0;
289
290 //
291 // Test sizeof operator
292 //
293
294 if (SymQuerySizeof("PUNICODE_STRING", &SizeofResult))
295 {
296 printf("result of sizeof(PUNICODE_STRING) is : 0x%x\n", SizeofResult);
297 }
298
299 if (SymQuerySizeof("SOME_UNKNOWN_STRUCT", &SizeofResult))
300 {
301 printf("result of sizeof(SOME_UNKNOWN_STRUCT) is : 0x%x\n", SizeofResult);
302 }
303 else
304 {
305 printf("SOME_UNKNOWN_STRUCT is not found\n");
306 }
307
308 printf("\n\n\n");
309
310 //
311 // ********* Test casting *********
312 //
313
314 /*
315
316
317 Local var @ 0x95fa18df58 Type AllocateStructForCasting::__l2::_STUPID_STRUCT2*
318 0x00000260`d065ee30
319
320 +0x000 Sina32 : 0x32
321 +0x008 Sina64 : 0x64
322 +0x010 AghaaSina : 0x00000000`00000055 Void
323 +0x018 UnicodeStr : 0x00000260`d065ec70 AllocateStructForCasting::__l2::_UNICODE_STRING
324 +0x000 Length : 0x40
325 +0x002 MaximumLength : 0x40
326 +0x008 Buffer : 0x00000260`d065ecf0 "Goodbye I'm at stupid struct 2!"
327 +0x020 StupidStruct1 : 0x00000260`d065eda0 AllocateStructForCasting::__l2::_STUPID_STRUCT1
328 +0x000 Flag32 : 0x3232
329 +0x008 Flag64 : 0x6464
330 +0x010 Context : 0x00000000`00000085 Void
331 +0x018 StringValue : 0x00000260`d065eb50 AllocateStructForCasting::__l2::_UNICODE_STRING
332 +0x000 Length : 0x3c
333 +0x002 MaximumLength : 0x3c
334 +0x008 Buffer : 0x00000260`d065ebd0 "Hi come from stupid struct 1!"
335
336
337 my_var = cast<PSTUPID_STRUCT2>(@rcx)->Sina32;
338 // my_var = 0x32
339
340 my_var = cast<PSTUPID_STRUCT2>(@rcx)->Sina64;
341 // my_var = 0x64
342
343 my_var = cast<PSTUPID_STRUCT2>(@rcx)->AghaaSina;
344 // my_var = 0x55
345
346 my_var = cast<PSTUPID_STRUCT2>(@rcx).Unknownnnnnn;
347 // Error because Unknownnnnnn not found
348
349 my_var = cast<PSTUPID_STRUCT2>(@rcx)->Unknownnnnnn;
350 // Error because Unknownnnnnn not found
351
352 my_var = cast<PSTUPID_STRUCT2>(@rcx).Sina32;
353 // Error because PSTUPID_STRUCT2 is pointer, should use '->'
354
355 my_var = cast<PSTUPID_STRUCT2>(*@rcx).Sina32;
356 // Error because PSTUPID_STRUCT2 is pointer, should use '->'
357
358 my_var = cast<STUPID_STRUCT2>(*@rcx).Sina32;
359 // my_var = 0x32
360
361 my_var = cast<STUPID_STRUCT2>(*@rcx).Sina64;
362 // my_var = 0x64
363
364 my_var = cast<STUPID_STRUCT2>(*@rcx).AghaaSina;
365 // my_var = 0x55
366
367 my_var = cast<STUPID_STRUCT2>(*@rcx).UnicodeStr->MaximumLength;
368 // my_var = 0x40
369
370 my_var = cast<PSTUPID_STRUCT2>(@rcx)->UnicodeStr->MaximumLength;
371 // my_var = 0x40
372
373 my_var = cast<PSTUPID_STRUCT2>(@rcx)->StupidStruct1->Flag32;
374 // my_var = 0x3232
375
376 my_var = cast<PSTUPID_STRUCT2>(@rcx)->StupidStruct1->Flag64;
377 // my_var = 0x6464
378
379 my_var = cast<STUPID_STRUCT2>(*@rcx).StupidStruct1->StringValue->MaximumLength;
380 // my_var = 0x3c
381
382 printf("Result is : %ws\n", cast<PSTUPID_STRUCT2>(@rcx)->UnicodeStr->Buffer );
383 // Result is : Goodbye I'm at stupid struct 2!"
384
385 printf("Result is : %ws\n", cast<PSTUPID_STRUCT2>(@rcx)->StupidStruct1->StringValue->Buffer );
386 // Result is : Goodbye I'm at stupid struct 2!"
387
388 */
389
390 BOOLEAN IsStructPointerOrNot = FALSE;
391 BOOLEAN IsFieldPointerOrNot = FALSE;
392 UINT32 OffsetOfFieldFromTop = NULL;
393 UINT32 SizeOfField = NULL;
394 CHAR * NewStructOrTypeName = (CHAR *)malloc(100);
395
396 if (SymCastingQueryForFiledsAndTypes(
397 "STUPID_STRUCT2",
398 "UnicodeStr",
399 &IsStructPointerOrNot,
400 &IsFieldPointerOrNot,
401 &NewStructOrTypeName,
402 &OffsetOfFieldFromTop,
403 &SizeOfField))
404 {
405 printf("is the structure itself pointer or not: %s\n",
406 IsStructPointerOrNot ? "yes" : "no");
407 printf("is the field of structure itself pointer or not: %s\n",
408 IsFieldPointerOrNot ? "yes" : "no");
409 printf("offset of field from top : %x\n", OffsetOfFieldFromTop);
410 printf("size of field : %x\n", SizeOfField);
411 }
412
413 free(NewStructOrTypeName);
414}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
CHAR
char CHAR
Definition BasicTypes.h:31
NewStructOrTypeName
_In_ const char _Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ char ** NewStructOrTypeName
Definition HyperDbgSymImports.h:67
SizeOfField
_Out_ UINT32 * SizeOfField
Definition HyperDbgSymImports.h:61
OffsetOfFieldFromTop
_In_ const char _Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ char _Out_ UINT32 * OffsetOfFieldFromTop
Definition HyperDbgSymImports.h:68
SymCastingQueryForFiledsAndTypes
BOOLEAN SymCastingQueryForFiledsAndTypes(const char *StructName, const char *FiledOfStructName, PBOOLEAN IsStructNamePointerOrNot, PBOOLEAN IsFiledOfStructNamePointerOrNot, char **NewStructOrTypeName, UINT32 *OffsetOfFieldFromTop, UINT32 *SizeOfField)
This function returns the needed details for making support for the casting in the script engine.
Definition casting.cpp:72
SymQuerySizeof
BOOLEAN SymQuerySizeof(const char *StructNameOrTypeName, UINT32 *SizeOfField)
This function returns the sizeof of the structure.
Definition casting.cpp:248
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530

◆ SymCastingQueryForFiledsAndTypes()

BOOLEAN SymCastingQueryForFiledsAndTypes ( const char * StructName,
const char * FiledOfStructName,
PBOOLEAN IsStructNamePointerOrNot,
PBOOLEAN IsFiledOfStructNamePointerOrNot,
char ** NewStructOrTypeName,
UINT32 * OffsetOfFieldFromTop,
UINT32 * SizeOfField )

This function returns the needed details for making support for the casting in the script engine.

Parameters
StructNameTop-level name of struct to perform the look up on this struct
FiledOfStructNameThe field name (a field of struct)
IsStructNamePointerOrNotShows whether the field specified in FiledOfStructName is a pointer or not
IsFiledOfStructNamePointerOrNotShows whether the field specified in FiledOfStructName is a pointer or not
NewStructOrTypeNameReturns the type (structure name) of the FiledOfStructName for future (next '->' or '.' )
OffsetOfFieldFromTopThe start position of this field from the top of structure
SizeOfFieldThe exact size of the target field
Returns
BOOLEAN if the StructName or the FiledOfStructName not found or there was any error it returns FALSE (in that case script engine should throw an error to the user) otherwise return TRUE which means the script engine can safely use the details
79{
80 BOOLEAN IsPointer = FALSE;
81 BOOLEAN IsTheStructItselfAPointer = FALSE;
82 UINT32 TempOffsetOfFieldFromTop = 0;
83 UINT32 TempSizeOfField = 0;
84
85 if (strcmp(StructName, "STUPID_STRUCT1") == 0 ||
86 strcmp(StructName, "PSTUPID_STRUCT1") == 0)
87 {
88 if (strcmp(StructName, "PSTUPID_STRUCT1") == 0)
89 {
90 IsTheStructItselfAPointer = TRUE;
91 }
92
93 if (strcmp(FiledOfStructName, "Flag32") == 0)
94 {
95 IsPointer = FALSE;
96 TempOffsetOfFieldFromTop = 0x0;
97 TempSizeOfField = 0x4;
98 strcpy(*NewStructOrTypeName, "UINT32");
99 }
100 else if (strcmp(FiledOfStructName, "Flag64") == 0)
101 {
102 IsPointer = FALSE;
103 TempOffsetOfFieldFromTop = 0x4;
104 TempSizeOfField = 0x8;
105 strcpy(*NewStructOrTypeName, "UINT64");
106 }
107 else if (strcmp(FiledOfStructName, "Context") == 0)
108 {
109 IsPointer = TRUE;
110 TempOffsetOfFieldFromTop = 0xc;
111 TempSizeOfField = 0x8;
112 strcpy(*NewStructOrTypeName, "PVOID");
113 }
114 else if (strcmp(FiledOfStructName, "StringValue") == 0)
115 {
116 IsPointer = TRUE;
117 TempOffsetOfFieldFromTop = 0x14;
118 TempSizeOfField = 0x8;
119 strcpy(*NewStructOrTypeName, "PUNICODE_STRING");
120 }
121 else
122 {
123 //
124 // Unknown Field
125 //
126 return FALSE;
127 }
128 }
129 else if (strcmp(StructName, "STUPID_STRUCT2") == 0 ||
130 strcmp(StructName, "PSTUPID_STRUCT2") == 0)
131 {
132 if (strcmp(StructName, "PSTUPID_STRUCT2") == 0)
133 {
134 IsTheStructItselfAPointer = TRUE;
135 }
136
137 if (strcmp(FiledOfStructName, "Sina32") == 0)
138 {
139 IsPointer = FALSE;
140 TempOffsetOfFieldFromTop = 0x0;
141 TempSizeOfField = 0x4;
142 strcpy(*NewStructOrTypeName, "UINT32");
143 }
144 else if (strcmp(FiledOfStructName, "Sina64") == 0)
145 {
146 IsPointer = FALSE;
147 TempOffsetOfFieldFromTop = 0x4;
148 TempSizeOfField = 0x8;
149 strcpy(*NewStructOrTypeName, "UINT64");
150 }
151 else if (strcmp(FiledOfStructName, "AghaaSina") == 0)
152 {
153 IsPointer = TRUE;
154 TempOffsetOfFieldFromTop = 0xc;
155 TempSizeOfField = 0x8;
156 strcpy(*NewStructOrTypeName, "PVOID");
157 }
158 else if (strcmp(FiledOfStructName, "UnicodeStr") == 0)
159 {
160 IsPointer = TRUE;
161 TempOffsetOfFieldFromTop = 0x14;
162 TempSizeOfField = 0x8;
163 strcpy(*NewStructOrTypeName, "PUNICODE_STRING");
164 }
165 else if (strcmp(FiledOfStructName, "StupidStruct1") == 0)
166 {
167 IsPointer = TRUE;
168 TempOffsetOfFieldFromTop = 0x1c;
169 TempSizeOfField = 0x8;
170 strcpy(*NewStructOrTypeName, "PSTUPID_STRUCT1");
171 }
172 else
173 {
174 //
175 // Unknown Field
176 //
177 return FALSE;
178 }
179 }
180 else if (strcmp(StructName, "UNICODE_STRING") == 0 ||
181 strcmp(StructName, "PUNICODE_STRING") == 0)
182 {
183 if (strcmp(StructName, "PUNICODE_STRING") == 0)
184 {
185 IsTheStructItselfAPointer = TRUE;
186 }
187
188 if (strcmp(FiledOfStructName, "Length") == 0)
189 {
190 IsPointer = FALSE;
191 TempOffsetOfFieldFromTop = 0x0;
192 TempSizeOfField = 0x2;
193 strcpy(*NewStructOrTypeName, "USHORT");
194 }
195 else if (strcmp(FiledOfStructName, "MaximumLength") == 0)
196 {
197 IsPointer = FALSE;
198 TempOffsetOfFieldFromTop = 0x2;
199 TempSizeOfField = 0x2;
200 strcpy(*NewStructOrTypeName, "USHORT");
201 }
202 else if (strcmp(FiledOfStructName, "Buffer") == 0)
203 {
204 IsPointer = TRUE;
205 TempOffsetOfFieldFromTop = 0x4;
206 TempSizeOfField = 0x8;
207 strcpy(*NewStructOrTypeName, "PWSTR");
208 }
209 else
210 {
211 //
212 // Unknown Field
213 //
214 return FALSE;
215 }
216 }
217 else
218 {
219 //
220 // Unknown Structure
221 //
222 return FALSE;
223 }
224
225 //
226 // Apply the needed information
227 //
228 *OffsetOfFieldFromTop = TempOffsetOfFieldFromTop;
229 *SizeOfField = TempSizeOfField;
230 *IsFiledOfStructNamePointerOrNot = IsPointer;
231 *IsStructNamePointerOrNot = IsTheStructItselfAPointer;
232
233 return TRUE;
234}
TRUE
#define TRUE
Definition BasicTypes.h:55
IsFiledOfStructNamePointerOrNot
_In_ const char _Out_ PBOOLEAN _Out_ PBOOLEAN IsFiledOfStructNamePointerOrNot
Definition HyperDbgSymImports.h:66
IsStructNamePointerOrNot
_In_ const char _Out_ PBOOLEAN IsStructNamePointerOrNot
Definition HyperDbgSymImports.h:65
FiledOfStructName
_In_ const char * FiledOfStructName
Definition HyperDbgSymImports.h:64

◆ SymQuerySizeof()

BOOLEAN SymQuerySizeof ( const char * StructNameOrTypeName,
UINT32 * SizeOfField )

This function returns the sizeof of the structure.

Parameters
StructNameOrTypeNameTop-level name of struct
SizeOfFieldResult of the sizeof
Returns
BOOLEAN if the StructNameOrTypeName not found or there was any error it returns FALSE (in that case script engine should throw an error to the user) otherwise return TRUE which means the script engine can safely use the details
249{
250 if (strcmp(StructNameOrTypeName, "STUPID_STRUCT1") == 0)
251 {
252 *SizeOfField = sizeof(STUPID_STRUCT1);
253 }
254 else if (strcmp(StructNameOrTypeName, "STUPID_STRUCT2") == 0)
255 {
256 *SizeOfField = sizeof(STUPID_STRUCT2);
257 }
258 else if (strcmp(StructNameOrTypeName, "UNICODE_STRING") == 0)
259 {
260 *SizeOfField = sizeof(UNICODE_STRING);
261 }
262 else if (strcmp(StructNameOrTypeName, "PSTUPID_STRUCT1") == 0)
263 {
264 *SizeOfField = sizeof(PSTUPID_STRUCT1);
265 }
266 else if (strcmp(StructNameOrTypeName, "PSTUPID_STRUCT2") == 0)
267 {
268 *SizeOfField = sizeof(PSTUPID_STRUCT2);
269 }
270 else if (strcmp(StructNameOrTypeName, "PUNICODE_STRING") == 0)
271 {
272 *SizeOfField = sizeof(PUNICODE_STRING);
273 }
274 else
275 {
276 //
277 // Unknown Structure
278 //
279 return FALSE;
280 }
281
282 return TRUE;
283}
STUPID_STRUCT1
struct _STUPID_STRUCT1 STUPID_STRUCT1
PSTUPID_STRUCT2
struct _STUPID_STRUCT2 * PSTUPID_STRUCT2
PSTUPID_STRUCT1
struct _STUPID_STRUCT1 * PSTUPID_STRUCT1
PUNICODE_STRING
struct _UNICODE_STRING * PUNICODE_STRING
UNICODE_STRING
struct _UNICODE_STRING UNICODE_STRING
STUPID_STRUCT2
struct _STUPID_STRUCT2 STUPID_STRUCT2