script-engine-wrapper.cpp File Reference

Interpret general fields. More...

#include "pch.h"

Classes
struct	_ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

Typedefs
typedef struct _ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING	ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING
typedef struct _ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING *	PALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

Functions
UINT64	ScriptEngineConvertNameToAddressWrapper (const char *FunctionOrVariableName, PBOOLEAN WasFound)
	ScriptEngineConvertNameToAddress wrapper.
UINT32	ScriptEngineLoadFileSymbolWrapper (UINT64 BaseAddress, const char *PdbFileName, const char *CustomModuleName)
	ScriptEngineLoadFileSymbol wrapper.
VOID	ScriptEngineSetTextMessageCallbackWrapper (PVOID Handler)
	ScriptEngineSetTextMessageCallback wrapper.
UINT32	ScriptEngineUnloadAllSymbolsWrapper ()
	ScriptEngineUnloadAllSymbols wrapper.
UINT32	ScriptEngineUnloadModuleSymbolWrapper (char *ModuleName)
	ScriptEngineUnloadModuleSymbol wrapper.
UINT32	ScriptEngineSearchSymbolForMaskWrapper (const char *SearchMask)
	ScriptEngineSearchSymbolForMask wrapper.
BOOLEAN	ScriptEngineGetFieldOffsetWrapper (CHAR *TypeName, CHAR *FieldName, UINT32 *FieldOffset)
	ScriptEngineGetFieldOffset wrapper.
BOOLEAN	ScriptEngineGetDataTypeSizeWrapper (CHAR *TypeName, UINT64 *TypeSize)
	ScriptEngineGetDataTypeSize wrapper.
BOOLEAN	ScriptEngineCreateSymbolTableForDisassemblerWrapper (void *CallbackFunction)
	ScriptEngineCreateSymbolTableForDisassembler wrapper.
BOOLEAN	ScriptEngineConvertFileToPdbPathWrapper (const char *LocalFilePath, char *ResultPath)
	ScriptEngineConvertFileToPdbPath wrapper.
BOOLEAN	ScriptEngineSymbolInitLoadWrapper (PMODULE_SYMBOL_DETAIL BufferToStoreDetails, UINT32 StoredLength, BOOLEAN DownloadIfAvailable, const char *SymbolPath, BOOLEAN IsSilentLoad)
	ScriptEngineSymbolInitLoad wrapper.
BOOLEAN	ScriptEngineShowDataBasedOnSymbolTypesWrapper (const char *TypeName, UINT64 Address, BOOLEAN IsStruct, PVOID BufferAddress, const char *AdditionalParameters)
	ScriptEngineShowDataBasedOnSymbolTypes wrapper.
VOID	ScriptEngineSymbolAbortLoadingWrapper ()
	SymbolAbortLoading wrapper.
BOOLEAN	ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetailsWrapper (const char *LocalFilePath, char *PdbFilePath, char *GuidAndAgeDetails, BOOLEAN Is32BitModule)
	ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetails wrapper.
PVOID	ScriptEngineParseWrapper (char *Expr, BOOLEAN ShowErrorMessageIfAny)
	ScriptEngineParse wrapper.
VOID	PrintSymbolBufferWrapper (PVOID SymbolBuffer)
	PrintSymbolBuffer wrapper.
VOID	ScriptEngineEvalWrapper (PGUEST_REGS GuestRegs, string Expr)
	Script engine evaluation wrapper.
BOOLEAN	ScriptAutomaticStatementsTestWrapper (const string &Expr, UINT64 ExpectationValue, BOOLEAN ExceptError)
	massive tests for script engine statements
PVOID	AllocateStructForCasting (PALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING AllocationsForCastings)
	allocate memory and build structure for casting
VOID	ScriptEngineWrapperTestParser (const string &Expr)
	test parser
UINT64	ScriptEngineEvalUInt64StyleExpressionWrapper (const string &Expr, PBOOLEAN HasError)
	In the local debugging (VMI mode) environment, this function computes the expressions.
UINT64	ScriptEngineWrapperGetHead (PVOID SymbolBuffer)
	wrapper for getting head
UINT32	ScriptEngineWrapperGetSize (PVOID SymbolBuffer)
	wrapper for getting size
UINT32	ScriptEngineWrapperGetPointer (PVOID SymbolBuffer)
	wrapper for getting pointer
VOID	ScriptEngineWrapperRemoveSymbolBuffer (PVOID SymbolBuffer)
	wrapper for removing symbol buffer
BOOLEAN	ScriptEngineFuncNumberOfOperands (UINT64 FuncType, UINT32 *NumberOfGetOperands, UINT32 *NumberOfSetOperands)
	wrapper for getting operand count

Variables
UINT64 *	g_ScriptGlobalVariables
	Holder of script engines global variables.
UINT64 *	g_ScriptLocalVariables
	Holder of local variables for script engine.
UINT64 *	g_ScriptTempVariables
	Holder of temp variables for script engine.
UINT64	g_CurrentExprEvalResult
	global variable to save the result of script-engine statement tests
BOOLEAN	g_CurrentExprEvalResultHasError
	global variable to detect if there was an error in the result of script-engine statement tests

Detailed Description

Interpret general fields.

Author

M.H. Gholamrezaei (mh@hy.nosp@m.perd.nosp@m.bg.or.nosp@m.g)

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.1

Date

2020-10-25

Copyright

This project is released under the GNU Public License v3.

Typedef Documentation

ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

typedef struct _ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

PALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

typedef struct _ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING * PALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

Function Documentation

AllocateStructForCasting()

PVOID AllocateStructForCasting

(

PALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING

AllocationsForCastings

)

allocate memory and build structure for casting

Parameters

AllocationsForCastings

Memory details for future deallocations

Returns

PVOID

{
    typedef struct _UNICODE_STRING
    {
        UINT16 Length;        // +0x000
        UINT16 MaximumLength; // +0x002
        PWSTR  Buffer;        // +0x004
    } UNICODE_STRING, *PUNICODE_STRING;
 
    typedef struct _STUPID_STRUCT1
    {
        UINT32          Flag32;      // +0x000
        UINT64          Flag64;      // +0x004
        PVOID           Context;     // +0x00c
        PUNICODE_STRING StringValue; // +0x014
    } STUPID_STRUCT1, *PSTUPID_STRUCT1;
 
    typedef struct _STUPID_STRUCT2
    {
        UINT32          Sina32;        // +0x000
        UINT64          Sina64;        // +0x004
        PVOID           AghaaSina;     // +0x00c
        PUNICODE_STRING UnicodeStr;    // +0x014
        PSTUPID_STRUCT1 StupidStruct1; // +0x01c
 
    } STUPID_STRUCT2, *PSTUPID_STRUCT2;
 
    //
    // Allocate UNICODE_STRING 1
    //
    WCHAR           MyString1[40]   = L"Hi come from stupid struct 1!";
    UINT32          SizeOfMyString1 = (UINT32)wcslen(MyString1) * sizeof(WCHAR) + 2;
    PUNICODE_STRING UnicodeStr1     = (PUNICODE_STRING)malloc(sizeof(UNICODE_STRING));
 
    if (UnicodeStr1 == NULL)
    {
        return NULL;
    }
 
    AllocationsForCastings->Buff1 = (CHAR *)UnicodeStr1;
    WCHAR * Buff1                 = (WCHAR *)malloc(SizeOfMyString1);
 
    if (Buff1 == NULL)
    {
        free(UnicodeStr1);
        return NULL;
    }
 
    AllocationsForCastings->Buff2 = (CHAR *)Buff1;
    RtlZeroMemory(Buff1, SizeOfMyString1);
    UnicodeStr1->Buffer = Buff1;
    UnicodeStr1->Length = UnicodeStr1->MaximumLength = SizeOfMyString1;
    memcpy(UnicodeStr1->Buffer, MyString1, SizeOfMyString1);
 
    //
    // Allocate UNICODE_STRING 2
    //
    WCHAR           MyString2[40]   = L"Goodbye I'm at stupid struct 2!";
    UINT32          SizeOfMyString2 = (UINT32)wcslen(MyString2) * sizeof(WCHAR) + 2;
    PUNICODE_STRING UnicodeStr2     = (PUNICODE_STRING)malloc(sizeof(UNICODE_STRING));
 
    if (UnicodeStr2 == NULL)
    {
        free(UnicodeStr1);
        free(Buff1);
 
        return NULL;
    }
 
    AllocationsForCastings->Buff3 = (CHAR *)UnicodeStr2;
    WCHAR * Buff2                 = (WCHAR *)malloc(SizeOfMyString2);
 
    if (Buff2 == NULL)
    {
        free(UnicodeStr1);
        free(Buff1);
        free(UnicodeStr2);
 
        return NULL;
    }
 
    AllocationsForCastings->Buff4 = (CHAR *)Buff2;
    RtlZeroMemory(Buff2, SizeOfMyString2);
    UnicodeStr2->Buffer = Buff2;
    UnicodeStr2->Length = UnicodeStr2->MaximumLength = SizeOfMyString2;
    memcpy(UnicodeStr2->Buffer, MyString2, SizeOfMyString2);
 
    //
    // Allocate STUPID_STRUCT1
    //
    PSTUPID_STRUCT1 StupidStruct1 = (PSTUPID_STRUCT1)malloc(sizeof(STUPID_STRUCT1));
 
    if (StupidStruct1 == NULL)
    {
        free(UnicodeStr1);
        free(Buff1);
        free(UnicodeStr2);
        free(Buff2);
 
        return NULL;
    }
 
    AllocationsForCastings->Buff5 = (CHAR *)StupidStruct1;
    StupidStruct1->Flag32         = 0x3232;
    StupidStruct1->Flag64         = 0x6464;
    StupidStruct1->Context        = (PVOID)0x85;
    StupidStruct1->StringValue    = UnicodeStr1;
 
    //
    // Allocate STUPID_STRUCT2
    //
    PSTUPID_STRUCT2 StupidStruct2 = (PSTUPID_STRUCT2)malloc(sizeof(STUPID_STRUCT2));
 
    if (StupidStruct2 == NULL)
    {
        free(UnicodeStr1);
        free(Buff1);
        free(UnicodeStr2);
        free(Buff2);
        free(StupidStruct1);
 
        return NULL;
    }
 
    AllocationsForCastings->Buff6 = (CHAR *)StupidStruct2;
 
    StupidStruct2->Sina32        = 0x32;
    StupidStruct2->Sina64        = 0x64;
    StupidStruct2->AghaaSina     = (PVOID)0x55;
    StupidStruct2->UnicodeStr    = UnicodeStr2;
    StupidStruct2->StupidStruct1 = StupidStruct1;
 
    //_CrtDbgBreak();
    return StupidStruct2;
}

PrintSymbolBufferWrapper()

VOID PrintSymbolBufferWrapper

(

PVOID

SymbolBuffer

)

PrintSymbolBuffer wrapper.

Print symbol buffer wrapper

Parameters

SymbolBuffer

Returns

PVOID

{
    PrintSymbolBuffer(SymbolBuffer);
}

ScriptAutomaticStatementsTestWrapper()

BOOLEAN ScriptAutomaticStatementsTestWrapper	(	const string &	Expr,
		UINT64	ExpectationValue,
		BOOLEAN	ExceptError )

massive tests for script engine statements

Parameters

Expr	The expression to test
ExpectationValue	What value this statements expects (not used if ExceptError is TRUE)
ExceptError	True if the statement expects an error

Returns

BOOLEAN whether the test was successful or not

{
    //
    // Set the global variable indicator of test_statement to 0
    //
    g_CurrentExprEvalResult = 0;
 
    //
    // Call the test parser
    //
    ScriptEngineWrapperTestParser(Expr);
 
    //
    // Check the global variable to see the results
    //
    if (g_CurrentExprEvalResultHasError && ExceptError)
    {
        return TRUE;
    }
    else if (ExpectationValue == g_CurrentExprEvalResult)
    {
        return TRUE;
    }
 
    return FALSE;
}

ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetailsWrapper()

BOOLEAN ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetailsWrapper	(	const char *	LocalFilePath,
		char *	PdbFilePath,
		char *	GuidAndAgeDetails,
		BOOLEAN	Is32BitModule )

ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetails wrapper.

Parameters

LocalFilePath
PdbFilePath
GuidAndAgeDetails
Is32BitModule

Returns

BOOLEAN

{
    return ScriptEngineConvertFileToPdbFileAndGuidAndAgeDetails(LocalFilePath, PdbFilePath, GuidAndAgeDetails, Is32BitModule);
}

ScriptEngineConvertFileToPdbPathWrapper()

BOOLEAN ScriptEngineConvertFileToPdbPathWrapper	(	const char *	LocalFilePath,
		char *	ResultPath )

ScriptEngineConvertFileToPdbPath wrapper.

Parameters

LocalFilePath
ResultPath

Returns

BOOLEAN

{
    return ScriptEngineConvertFileToPdbPath(LocalFilePath, ResultPath);
}

ScriptEngineConvertNameToAddressWrapper()

UINT64 ScriptEngineConvertNameToAddressWrapper	(	const char *	FunctionOrVariableName,
		PBOOLEAN	WasFound )

ScriptEngineConvertNameToAddress wrapper.

Parameters

FunctionName
WasFound

Returns

UINT64

{
    return ScriptEngineConvertNameToAddress(FunctionOrVariableName, WasFound);
}

ScriptEngineCreateSymbolTableForDisassemblerWrapper()

BOOLEAN ScriptEngineCreateSymbolTableForDisassemblerWrapper

(

void *

CallbackFunction

)

ScriptEngineCreateSymbolTableForDisassembler wrapper.

Parameters

CallbackFunction

Returns

BOOLEAN

{
    return ScriptEngineCreateSymbolTableForDisassembler(CallbackFunction);
}

ScriptEngineEvalUInt64StyleExpressionWrapper()

UINT64 ScriptEngineEvalUInt64StyleExpressionWrapper	(	const string &	Expr,
		PBOOLEAN	HasError )

In the local debugging (VMI mode) environment, this function computes the expressions.

for example, if the user u ExAllocatePoolWithTag+0x10 this will evaluate the expr

Parameters

Expr
HasError

Returns

UINT64

{
    //
    // In VMI-mode we'll form all registers as zero
    //
    GUEST_REGS GuestRegs = {0};
 
    ScriptEngineEvalWrapper(&GuestRegs, Expr);
 
    //
    // Set the results and return the value
    //
    *HasError = g_CurrentExprEvalResultHasError;
    return g_CurrentExprEvalResult;
}

ScriptEngineEvalWrapper()

VOID ScriptEngineEvalWrapper	(	PGUEST_REGS	GuestRegs,
		string	Expr )

Script engine evaluation wrapper.

Parameters

GuestRegs
Expr

Returns

VOID

{
    SCRIPT_ENGINE_VARIABLES_LIST VariablesList = {0};
 
    //
    // Allocate global variables holder
    //
    if (!g_ScriptGlobalVariables)
    {
        g_ScriptGlobalVariables = (UINT64 *)malloc(MAX_VAR_COUNT * sizeof(UINT64));
 
        if (g_ScriptGlobalVariables == NULL)
        {
            ShowMessages("err, could not allocate memory for user-mode global variables");
 
            return;
        }
 
        RtlZeroMemory(g_ScriptGlobalVariables, MAX_VAR_COUNT * sizeof(UINT64));
    }
 
    //
    // Allocate local variables holder, actually in reality each core should
    // have its own set of local variables but as we never run multi-core scripts
    // in user-mode, thus, it's okay to just have one buffer for local variables
    //
    if (!g_ScriptLocalVariables)
    {
        g_ScriptLocalVariables = (UINT64 *)malloc(MAX_VAR_COUNT * sizeof(UINT64));
 
        if (g_ScriptLocalVariables == NULL)
        {
            free(g_ScriptGlobalVariables);
 
            ShowMessages("err, could not allocate memory for user-mode local variables");
 
            return;
        }
 
        RtlZeroMemory(g_ScriptLocalVariables, MAX_VAR_COUNT * sizeof(UINT64));
    }
 
    //
    // Allocate temp variables holder, actually in reality each core should
    // have its own set of temp variables but as we never run multi-core scripts
    // in user-mode, thus, it's okay to just have one buffer for temp variables
    //
    if (!g_ScriptTempVariables)
    {
        g_ScriptTempVariables = (UINT64 *)malloc(MAX_TEMP_COUNT * sizeof(UINT64));
 
        if (g_ScriptTempVariables == NULL)
        {
            free(g_ScriptGlobalVariables);
            free(g_ScriptLocalVariables);
 
            ShowMessages("err, could not allocate memory for user-mode temp variables");
 
            return;
        }
 
        RtlZeroMemory(g_ScriptTempVariables, MAX_TEMP_COUNT * sizeof(UINT64));
    }
 
    //
    // Run Parser
    //
    PSYMBOL_BUFFER CodeBuffer = (PSYMBOL_BUFFER)ScriptEngineParse((char *)Expr.c_str());
 
#ifdef _SCRIPT_ENGINE_CODEEXEC_DBG_EN
    //
    // Print symbol buffer
    //
    PrintSymbolBuffer((PVOID)CodeBuffer);
#endif
 
    ACTION_BUFFER ActionBuffer = {0};
    SYMBOL        ErrorSymbol  = {0};
 
    //
    // Making symbol buffer
    //
 
    PSYMBOL_BUFFER StackBuffer = (PSYMBOL_BUFFER)malloc(sizeof(SYMBOL_BUFFER));
    if (StackBuffer == NULL)
    {
        free(g_ScriptGlobalVariables);
        free(g_ScriptLocalVariables);
 
        ShowMessages("err, could not allocate memory for user-mode stack buffer");
 
        return;
    }
    StackBuffer->Pointer = 0;
    StackBuffer->Size    = 0;
    StackBuffer->Message = NULL;
    StackBuffer->Head    = (PSYMBOL)malloc(MAX_STACK_BUFFER_COUNT * sizeof(SYMBOL));
    if (StackBuffer->Head == NULL)
    {
        free(g_ScriptGlobalVariables);
        free(g_ScriptLocalVariables);
        free(StackBuffer);
        ShowMessages("err, could not allocate memory for user-mode stack buffer");
 
        return;
    }
    RtlZeroMemory(StackBuffer->Head, MAX_STACK_BUFFER_COUNT * sizeof(SYMBOL));
 
    UINT64 StackIndx     = 0;
    UINT64 StackBaseIndx = 0;
    UINT64 EXECUTENUMBER = 0;
    UINT64 ReturnValue   = 0;
    RtlZeroMemory(g_ScriptTempVariables, MAX_TEMP_COUNT * sizeof(UINT64));
    RtlZeroMemory(g_ScriptLocalVariables, MAX_VAR_COUNT * sizeof(UINT64));
 
    if (CodeBuffer->Message == NULL)
    {
#ifdef _SCRIPT_ENGINE_CODEEXEC_DBG_EN
        printf("\nScriptEngineExecute:\n");
#endif
        UINT64 i = 0;
        for (; i < CodeBuffer->Pointer;)
        {
            //
            // Fill the action buffer but as we're in user-mode here
            // then there is nothing to fill
            //
            ActionBuffer.Context                   = NULL;
            ActionBuffer.CurrentAction             = NULL;
            ActionBuffer.ImmediatelySendTheResults = FALSE;
            ActionBuffer.Tag                       = NULL;
 
            //
            // Fill the variables list for this run
            //
            VariablesList.TempList            = g_ScriptTempVariables;
            VariablesList.GlobalVariablesList = g_ScriptGlobalVariables;
            VariablesList.LocalVariablesList  = g_ScriptLocalVariables;
 
#ifdef _SCRIPT_ENGINE_CODEEXEC_DBG_EN
            printf("Address = %lld, StackIndx = %lld, StackBaseIndx = %lld\n", i, StackIndx, StackBaseIndx);
            PSYMBOL Operator = (PSYMBOL)((unsigned long long)CodeBuffer->Head +
                                         (unsigned long long)(i * sizeof(SYMBOL)));
            printf("Function = %s\n", FunctionNames[Operator->Value]);
            printf("Stack Buffer:\n");
            for (UINT64 j = 0; j < StackIndx; j++)
            {
                PSYMBOL StackSymbol = (PSYMBOL)((unsigned long long)StackBuffer->Head +
                                                (unsigned long long)(j * sizeof(SYMBOL)));
 
                printf("StackIndx = %lld, Value = %lld", j, StackSymbol->Value);
 
                if (StackSymbol->Type == SYMBOL_RETURN_ADDRESS_TYPE)
                {
                    printf(", Type = SYMBOL_RETURN_ADDRESS_TYPE");
                }
 
                if (j == StackBaseIndx)
                {
                    printf("   <===== StackBaseIndx");
                }
                printf("\n");
            }
            printf("\n");
#endif
 
            //
            // If has error, show error message and abort
            //
            if (ScriptEngineExecute(GuestRegs,
                                    &ActionBuffer,
                                    &VariablesList,
                                    CodeBuffer,
                                    &i,
                                    StackBuffer,
                                    &StackIndx,
                                    &StackBaseIndx,
                                    &ErrorSymbol,
                                    &ReturnValue) == TRUE)
            {
                ShowMessages("err, ScriptEngineExecute, function = %s\n",
                             FunctionNames[ErrorSymbol.Value]);
                g_CurrentExprEvalResultHasError = TRUE;
                g_CurrentExprEvalResult         = NULL;
                break;
            }
            else if (StackIndx >= MAX_STACK_BUFFER_COUNT)
            {
                ShowMessages("err, stack buffer overflow\n");
                g_CurrentExprEvalResultHasError = TRUE;
                g_CurrentExprEvalResult         = NULL;
                break;
            }
            else if (EXECUTENUMBER >= MAX_EXECUTION_COUNT)
            {
                ShowMessages("err, exceeding the max execution count\n");
                g_CurrentExprEvalResultHasError = TRUE;
                g_CurrentExprEvalResult         = NULL;
                break;
            }
 
            EXECUTENUMBER++;
        }
#ifdef _SCRIPT_ENGINE_CODEEXEC_DBG_EN
        printf("Address = %lld, StackIndx = %lld, StackBaseIndx = %lld\n", i, StackIndx, StackBaseIndx);
#endif
    }
    else
    {
        ShowMessages("%s\n", CodeBuffer->Message);
    }
 
    RemoveSymbolBuffer(CodeBuffer);
 
    return;
}

ScriptEngineFuncNumberOfOperands()

BOOLEAN ScriptEngineFuncNumberOfOperands	(	UINT64	FuncType,
		UINT32 *	NumberOfGetOperands,
		UINT32 *	NumberOfSetOperands )

wrapper for getting operand count

Parameters

FuncType
NumberOfGetOperands
NumberOfSetOperands

Returns

BOOLEAN

{
    return FuncGetNumberOfOperands(FuncType, NumberOfGetOperands, NumberOfSetOperands);
}

ScriptEngineGetDataTypeSizeWrapper()

BOOLEAN ScriptEngineGetDataTypeSizeWrapper	(	CHAR *	TypeName,
		UINT64 *	TypeSize )

ScriptEngineGetDataTypeSize wrapper.

Parameters

TypeName
TypeSize

Returns

BOOLEAN

{
    return ScriptEngineGetDataTypeSize(TypeName, TypeSize);
}

ScriptEngineGetFieldOffsetWrapper()

BOOLEAN ScriptEngineGetFieldOffsetWrapper	(	CHAR *	TypeName,
		CHAR *	FieldName,
		UINT32 *	FieldOffset )

ScriptEngineGetFieldOffset wrapper.

Parameters

TypeName
FieldName
FieldOffset

Returns

BOOLEAN

{
    return ScriptEngineGetFieldOffset(TypeName, FieldName, FieldOffset);
}

ScriptEngineLoadFileSymbolWrapper()

UINT32 ScriptEngineLoadFileSymbolWrapper	(	UINT64	BaseAddress,
		const char *	PdbFileName,
		const char *	CustomModuleName )

ScriptEngineLoadFileSymbol wrapper.

Parameters

BaseAddress
FileName

Returns

UINT32

{
    return ScriptEngineLoadFileSymbol(BaseAddress, PdbFileName, CustomModuleName);
}

ScriptEngineParseWrapper()

PVOID ScriptEngineParseWrapper	(	char *	Expr,
		BOOLEAN	ShowErrorMessageIfAny )

ScriptEngineParse wrapper.

Parameters

Expr
ShowErrorMessageIfAny

Returns

PVOID

{
    PSYMBOL_BUFFER SymbolBuffer;
    SymbolBuffer = (PSYMBOL_BUFFER)ScriptEngineParse(Expr);
 
    //
    // Check if there is an error or not
    //
    if (SymbolBuffer->Message == NULL)
    {
        return SymbolBuffer;
    }
    else
    {
        //
        // Show error message and free the buffer
        //
        if (ShowErrorMessageIfAny)
        {
            ShowMessages("%s\n", SymbolBuffer->Message);
        }
        ScriptEngineWrapperRemoveSymbolBuffer(SymbolBuffer);
        return NULL;
    }
}

ScriptEngineSearchSymbolForMaskWrapper()

UINT32 ScriptEngineSearchSymbolForMaskWrapper

(

const char *

SearchMask

)

ScriptEngineSearchSymbolForMask wrapper.

Parameters

SearchMask

Returns

UINT32

{
    return ScriptEngineSearchSymbolForMask(SearchMask);
}

ScriptEngineSetTextMessageCallbackWrapper()

VOID ScriptEngineSetTextMessageCallbackWrapper

(

PVOID

Handler

)

ScriptEngineSetTextMessageCallback wrapper.

Parameters

Handler

Returns

VOID

{
    return ScriptEngineSetTextMessageCallback(Handler);
}

ScriptEngineShowDataBasedOnSymbolTypesWrapper()

BOOLEAN ScriptEngineShowDataBasedOnSymbolTypesWrapper	(	const char *	TypeName,
		UINT64	Address,
		BOOLEAN	IsStruct,
		PVOID	BufferAddress,
		const char *	AdditionalParameters )

ScriptEngineShowDataBasedOnSymbolTypes wrapper.

Parameters

TypeName
Address
IsStruct
BufferAddress
AdditionalParameters

Returns

BOOLEAN

{
    return ScriptEngineShowDataBasedOnSymbolTypes(TypeName, Address, IsStruct, BufferAddress, AdditionalParameters);
}

ScriptEngineSymbolAbortLoadingWrapper()

VOID ScriptEngineSymbolAbortLoadingWrapper

(

)

SymbolAbortLoading wrapper.

Returns

VOID

{
    return ScriptEngineSymbolAbortLoading();
}

ScriptEngineSymbolInitLoadWrapper()

BOOLEAN ScriptEngineSymbolInitLoadWrapper	(	PMODULE_SYMBOL_DETAIL	BufferToStoreDetails,
		UINT32	StoredLength,
		BOOLEAN	DownloadIfAvailable,
		const char *	SymbolPath,
		BOOLEAN	IsSilentLoad )

ScriptEngineSymbolInitLoad wrapper.

Parameters

ScriptEngineSymbolInitLoad
StoredLength
DownloadIfAvailable
SymbolPath
IsSilentLoad

Returns

BOOLEAN

{
    return ScriptEngineSymbolInitLoad(BufferToStoreDetails, StoredLength, DownloadIfAvailable, SymbolPath, IsSilentLoad);
}

ScriptEngineUnloadAllSymbolsWrapper()

UINT32 ScriptEngineUnloadAllSymbolsWrapper

(

)

ScriptEngineUnloadAllSymbols wrapper.

Returns

UINT32

{
    return ScriptEngineUnloadAllSymbols();
}

ScriptEngineUnloadModuleSymbolWrapper()

UINT32 ScriptEngineUnloadModuleSymbolWrapper

(

char *

ModuleName

)

ScriptEngineUnloadModuleSymbol wrapper.

Parameters

ModuleName

Returns

UINT32

{
    return ScriptEngineUnloadModuleSymbol(ModuleName);
}

ScriptEngineWrapperGetHead()

UINT64 ScriptEngineWrapperGetHead

(

PVOID

SymbolBuffer

)

wrapper for getting head

Parameters

SymbolBuffer

Returns

UINT64

{
    return (UINT64)((PSYMBOL_BUFFER)SymbolBuffer)->Head;
}

ScriptEngineWrapperGetPointer()

UINT32 ScriptEngineWrapperGetPointer

(

PVOID

SymbolBuffer

)

wrapper for getting pointer

Parameters

SymbolBuffer

Returns

UINT32

{
    return (UINT32)((PSYMBOL_BUFFER)SymbolBuffer)->Pointer;
}

ScriptEngineWrapperGetSize()

UINT32 ScriptEngineWrapperGetSize

(

PVOID

SymbolBuffer

)

wrapper for getting size

Parameters

SymbolBuffer

Returns

UINT32

{
    UINT32 Size =
        (UINT32)((PSYMBOL_BUFFER)SymbolBuffer)->Pointer * sizeof(SYMBOL);
    return Size;
}

ScriptEngineWrapperRemoveSymbolBuffer()

VOID ScriptEngineWrapperRemoveSymbolBuffer

(

PVOID

SymbolBuffer

)

wrapper for removing symbol buffer

Parameters

SymbolBuffer

Returns

UINT32

{
    RemoveSymbolBuffer((PSYMBOL_BUFFER)SymbolBuffer);
}

ScriptEngineWrapperTestParser()

VOID ScriptEngineWrapperTestParser

(

const string &

Expr

)

test parser

Parameters

Expr

Returns

VOID

{
    ALLOCATED_MEMORY_FOR_SCRIPT_ENGINE_CASTING AllocationsForCastings = {0};
 
    typedef struct _TEST_STRUCT
    {
        UINT64 Var1;
        UINT64 Var2;
        UINT64 Var3;
        UINT64 Var4;
    } TEST_STRUCT, *PTEST_STRUCT;
 
    PTEST_STRUCT TestStruct = (PTEST_STRUCT)malloc(sizeof(TEST_STRUCT));
 
    if (TestStruct == NULL)
    {
        return;
    }
 
    RtlZeroMemory(TestStruct, sizeof(TEST_STRUCT));
 
    TestStruct->Var1 = 0x41414141;
    TestStruct->Var3 = 0x4242424242424242;
 
    GUEST_REGS GuestRegs = {0};
 
    char    test[] = "Hello world !";
    wchar_t testw[] =
        L"A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 "
        L"9 a b c d e f g h i j k l m n o p q r s t u v w x y z";
 
    char * RspReg = (char *)malloc(0x100);
 
    if (RspReg == NULL)
    {
        ShowMessages("err, unable to allocate stack for script engine tests");
        free(TestStruct);
        return;
    }
 
    memcpy(RspReg, testw, sizeof(testw));
 
    GuestRegs.rax = 0x1;
    GuestRegs.rcx = (UINT64)AllocateStructForCasting(&AllocationsForCastings); // TestStruct
    GuestRegs.rdx = 0x3;
    GuestRegs.rbx = 0x4;
    GuestRegs.rsp = (UINT64)RspReg + 0x50;
    GuestRegs.rbp = 0x6;
    GuestRegs.rsi = 0x7;
    GuestRegs.rdi = 0x8;
    GuestRegs.r8  = 0x9;
    GuestRegs.r9  = 0xa;
    GuestRegs.r10 = 0xb;
    GuestRegs.r11 = 0xc;
    GuestRegs.r12 = 0xd;
    GuestRegs.r13 = 0xe;
    GuestRegs.r14 = (UINT64)testw;
    GuestRegs.r15 = (UINT64)test;
 
    ScriptEngineEvalWrapper(&GuestRegs, Expr);
 
    free(RspReg);
    free(TestStruct);
    free(AllocationsForCastings.Buff1);
    free(AllocationsForCastings.Buff2);
    free(AllocationsForCastings.Buff3);
    free(AllocationsForCastings.Buff4);
    free(AllocationsForCastings.Buff5);
    free(AllocationsForCastings.Buff6);
}

Variable Documentation

g_CurrentExprEvalResult

UINT64 g_CurrentExprEvalResult

extern

global variable to save the result of script-engine statement tests

g_CurrentExprEvalResultHasError

BOOLEAN g_CurrentExprEvalResultHasError

extern

global variable to detect if there was an error in the result of script-engine statement tests

g_ScriptGlobalVariables

UINT64* g_ScriptGlobalVariables

extern

Holder of script engines global variables.

Holder of script engines global variables.

g_ScriptLocalVariables

UINT64* g_ScriptLocalVariables

extern

Holder of local variables for script engine.

g_ScriptTempVariables

UINT64* g_ScriptTempVariables

extern

Holder of temp variables for script engine.