DWORD_PTR
LLDBServices::GetExpression(
PCSTR exp)
{
if (exp == nullptr)
{
return 0;
}
lldb::SBFrame frame = GetCurrentFrame();
if (!frame.IsValid())
{
return 0;
}
DWORD_PTR result = 0;
lldb::SBError error;
std::string str;
// To be compatible with windbg/dbgeng, we need to emulate the default
// hex radix (because sos prints addresses and other hex values without
// the 0x) by first prepending 0x and if that fails use the actual
// undecorated expression.
str.append("0x");
str.append(exp);
result = GetExpression(frame, error, str.c_str());
if (error.Fail())
{
result = GetExpression(frame, error, exp);
}
return result;
}
void
CMArray1DDir::CreateNextNode()
{
if (itsCurrentNode != NULL)
{
return;
}
JTreeNode* root = itsTree->GetRoot();
if (itsRequestRange.first < itsDisplayRange.first)
{
itsDisplayRange.first--;
const JString expr = GetExpression(itsDisplayRange.first);
CMVarNode* node = itsLink->CreateVarNode(root, expr, expr, "");
assert (node != NULL);
itsCurrentNode = node;
root->InsertAtIndex(1, node); // move it to the top -- inserted by ctor so it will update self
ListenTo(itsTree);
}
else if (itsDisplayRange.last < itsRequestRange.last)
{
itsDisplayRange.last++;
const JString expr = GetExpression(itsDisplayRange.last);
CMVarNode* node = itsLink->CreateVarNode(root, expr, expr, "");
assert (node != NULL);
itsCurrentNode = node;
ListenTo(itsTree);
}
else
{
CreateNodesFinished();
}
}
VOID
AtomExtension(
PCSTR lpArgumentString
)
{
PRTL_ATOM_TABLE *ppat;
ATOM a;
try {
while (*lpArgumentString == ' ') {
lpArgumentString++;
}
if (*lpArgumentString && *lpArgumentString != 0xa) {
a = (ATOM)GetExpression((LPSTR)lpArgumentString);
} else {
a = 0;
}
ppat = (PRTL_ATOM_TABLE *)GetExpression(szBaseLocalAtomTable);
if (ppat != NULL) {
dprintf("\nLocal atom table ");
DumpAtomTable(ppat, a);
}
} except (EXCEPTION_EXECUTE_HANDLER) {
;
}
}
VOID
WinDbgExtensionDllInit(
PWINDBG_EXTENSION_APIS lpExtensionApis,
USHORT MajorVersion,
USHORT MinorVersion
)
{
ULONG_PTR offKeProcessorArchitecture;
ULONG Result;
ExtensionApis = *lpExtensionApis;
SavedMajorVersion = MajorVersion;
SavedMinorVersion = MinorVersion;
bDebuggingChecked = (SavedMajorVersion == 0x0c);
usProcessorArchitecture = (USHORT)-1;
offKeProcessorArchitecture = GetExpression("KeProcessorArchitecture");
if (offKeProcessorArchitecture != 0)
ReadMemory(offKeProcessorArchitecture, &usProcessorArchitecture,
sizeof(USHORT), &Result);
if (usProcessorArchitecture >= cArchitecture) {
#ifdef IA64
GetEProcessData = GetEProcessData_IA64;
#else
GetEProcessData = GetEProcessData_X86;
#endif
} else {
GetEProcessData = aGetEProcessDataFunc[usProcessorArchitecture];
}
//
// Read the user probe address from the target system.
//
// N.B. The user probe address is constant on MIPS, Alpha, and the PPC.
// On the x86, it may not be defined for the target system if it
// does not contain the code to support 3gb of user address space.
//
UserProbeAddress = GetExpression("MmUserProbeAddress");
if ((UserProbeAddress == 0) ||
(ReadMemory(UserProbeAddress,
&UserProbeAddress,
sizeof(UserProbeAddress),
&Result) == FALSE)) {
UserProbeAddress = 0x7fff0000;
}
return;
}
void AsmEnums()
{
int Value=0; //Fredrik: correct initializer in case first token is not "=" ?
NeedToken("{");
do
{
GetName(); // Get the new type Name
if (Token("="))
{
Value = GetExpression();
}
else
Value++;
// if (Pass == 1)
RedefENum(Name, Value);
//printf("- Enum %s' Value %ld\n",Name,Value);
SkipWhiteSpace();
}
while(Token(","));
NeedToken("}");
}
vector<HANDLE_OBJECT>
ObOpenObjectDirectory(
_In_ ULONG64 InputObject
)
/*++
Routine Description:
Description.
Arguments:
InputObject -
Return Value:
vector<HANDLE_OBJECT>.
--*/
{
vector<HANDLE_OBJECT> Handles;
HANDLE_OBJECT Handle = { 0 };
ExtRemoteTyped Directory;
ULONG64 ObjectDir = InputObject;
if (!ObjectDir)
{
ReadPointer(GetExpression("nt!ObpRootDirectoryObject"), &ObjectDir);
}
Directory = ExtRemoteTyped("(nt!_OBJECT_DIRECTORY *)@$extin", ObjectDir);
ObReadObject(ObjectDir, &Handle);
for (UINT i = 0; i < 37; i += 1)
{
ULONG64 Entry = Directory.Field("HashBuckets").ArrayElement(i).GetPointerTo().GetPtr();
if (!Entry) continue;
//
// ExtRemoteTypedList requires a POINTER to the first entry. Not the offset of the first entry.
//
ExtRemoteTypedList EntryList(Entry, "nt!_OBJECT_DIRECTORY_ENTRY", "ChainLink");
for (EntryList.StartHead(); EntryList.HasNode(); EntryList.Next())
{
HANDLE_OBJECT Handle = {0};
ULONG64 Object = EntryList.GetTypedNode().Field("Object").GetPtr();
ObReadObject(Object, &Handle);
Handles.push_back(Handle);
}
}
return Handles;
}
short HeaderCommands()
{
int v;
SkipWhiteSpace();
//------------------------------------
//
//------------------------------------
if (QToken("#define"))
{
SkipWhiteSpace();
GetAsmName();
strcpy(DefineNameCopy, Name);
if (NextToken("#"))
{
// Just define a script
RedefENum(DefineNameCopy, 1);
rhprint("HeaderRead: .set %s = 1\n", DefineNameCopy);
SkipWhiteSpace();
return 1;
}
// Test for strings
if (QToken("\""))
{
GetStringName(128);
RedefENumString(DefineNameCopy, Name);
printf("HeaderRead: .set %s = '%s'\n", DefineNameCopy, Name);
SkipWhiteSpace();
return 1;
}
v = GetExpression();
RedefENum(DefineNameCopy, v);
SkipWhiteSpace();
rhprint("Profile: unknown define '%s'\n", DefineNameCopy);
return 1;
}
//------------------------------------
// Line not understood, skip line
//------------------------------------
SkipLine();
return 0;
}
LPSTR
GetAddress(
LPSTR CmdBuf,
LPDWORD Address
)
{
*Address = GetExpression( CmdBuf );
return (LPSTR) pchCommand;
}
PyObject * wipe_GetExpression(PyObject * self, PyObject * args)
{
LPCSTR szExpr;
if (!PyArg_ParseTuple(args, "s", &szExpr))
{
return NULL;
}
return Py_BuildValue("k", GetExpression(szExpr));
}
HRESULT CALLBACK
max_indirection_level(PDEBUG_CLIENT4 Client, PCSTR args)
{
int value;
if (!args || strlen(args)==0)
value = 0;
else
value = (int) GetExpression(args);
set_max_indirection_level(value);
return S_OK;
}
HRESULT CALLBACK dumptree(PDEBUG_CLIENT pClient, PCSTR szArgs)
{
HRESULT hRes=S_OK;
ULONG_PTR pAddress=(ULONG_PTR) GetExpression(szArgs);
if(!pAddress)
{
dprintf("Invalid head pointer address specified: %s\n", szArgs);
return E_FAIL;
}
InOrderTraversal(pAddress);
return hRes;
}
HRESULT CALLBACK
unset(PDEBUG_CLIENT4 Client, PCSTR args)
{
if (!args || strlen(args)==0)
{
dprintf("Please see help for this command's usage\n");
return E_FAIL;
}
address_t addr = GetExpression(args);
unset_value (addr);
return S_OK;
}
//处理常数、参数、函数、以及括号表达式
std::shared_ptr<ExpressTree> Expression::atom()
{
//表示本节点
std::shared_ptr<ExpressTree> node;
//获取一个记号
Parser::token = lexer->GetToken();
//如果是终结符
switch(Parser::token.type)
{
//最高级匹配(常数、参数、函数等)并创建一个树节点
case TokenType::Const:
case TokenType::T:
node = ExpressTree::CreateNode(Parser::token);
return node;
case TokenType::Func:
//先产生本节点
node = ExpressTree::CreateNode(Parser::token);
//如果是函数则继续匹配左括号
match(TokenType::Lbracket);
//产生本节点左儿子(即函数内参数子树)
node->SetChild(Child::left,GetExpression());
//匹配右括号
match(TokenType::Rbracket);
return node;
case TokenType::Lbracket:
//匹配左括号内表达式
node = GetExpression();
//匹配右括号
match(TokenType::Rbracket);
return node;
default:
std::ostringstream out;
out << "行号:" << Parser::token.no << " 错误类型:未预期的符号";
Parser::log.push_back(out.str());
return nullptr;
}
}
HRESULT CALLBACK
shrobj_level(PDEBUG_CLIENT4 Client, PCSTR args)
{
if (!enter_command(Client))
return E_FAIL;
unsigned int level = 0;
if (args && strlen(args))
level = (unsigned int) GetExpression(args);
set_shared_objects_indirection_level(level);
leave_command();
return S_OK;
}
TExpressionPtr ExpressionParser::ParseNotParameterizedVariableExpression(StringPtrLen str) const
{
auto variable = m_variable_mgr.FindVariable(str);
if (nullptr == variable)
{
return TExpressionPtr();
}
if (variable->GetParameterCount() > 0)
{
Error("Parameters are missing during usage of variable '", variable->GetName(), "'.");
}
return variable->GetExpression()->Clone();
}
void GetStrings()
{
do
{
if (NextToken("\""))
{
GetQuoteStr(NAME_MAX); // get a bounded string
}
else
{
imm = GetExpression(); // Get the number
WriteByte(imm);
}
}
while (QToken(","));
}
LONG
GetValue (PUCHAR inString, PUCHAR *outString, BOOLEAN fSigned, ULONG bitsize)
{
ULONG value;
inString = SkipWhite(&inString);
pchCommand = inString;
value = GetExpression();
*outString = pchCommand;
if ((value > (ULONG)(1L << bitsize) - 1) &&
(!fSigned || (value < (ULONG)(-1L << (bitsize - 1)))))
error(OVERFLOW);
return ((LONG) value);
}
VOID
DumpStaticFastMutex (
IN PCHAR Name
)
/*++
Routine Description:
This function dumps the contention statistics for a fast mutex.
Arguments:
Name - Supplies a pointer to the symbol name for the fast mutex.
Return Value:
None.
--*/
{
ULONG FastMutex;
FAST_MUTEX FastMutexContents;
ULONG Result;
//
// Get the address of the fast mutex, read the fast mutex contents,
// and dump the contention data.
//
FastMutex = GetExpression(Name);
if ((FastMutex != 0) && (ReadMemory((DWORD)FastMutex,
&FastMutexContents,
sizeof(FAST_MUTEX),
&Result) != FALSE)) {
dprintf("%08lx %10u %s\n",
FastMutex,
FastMutexContents.Contention,
&Name[0]);
}
return;
}
bool ObjIeeeAscii::GetOffset(const char *buffer, eParseType ParseType)
{
if (!file)
ThrowSyntax(buffer, ParseType);
int pos =3 ;
char ch = buffer[2];
int index = 0;
if (ch != 'G')
index = ObjUtil::FromHex(buffer, &pos);
if (buffer[pos++] != ',')
ThrowSyntax(buffer, ParseType);
ObjExpression *exp = GetExpression(buffer, &pos);
CheckTerm(buffer + pos);
switch(ch)
{
case 'G':
SetStartAddress(file, exp);
break;
case 'S':
{
ObjSection *sect = GetSection(index);
if (!sect)
ThrowSyntax(buffer, ParseType);
sect->SetSize(exp);
break;
}
case 'L':
{
ObjSection *sect = GetSection(index);
if (!sect)
ThrowSyntax(buffer, ParseType);
sect->SetOffset(exp);
break;
}
default:
{
ObjSymbol *sym = FindSymbol(ch, index);
if (!sym)
ThrowSyntax(buffer, ParseType);
sym->SetOffset(exp);
break;
}
}
return false;
}
/////////////////////////////////////////////////////
// Unexposed cmd to re-initialize once targetee changed
/////////////////////////////////////////////////////
HRESULT CALLBACK
set_alignment(PDEBUG_CLIENT4 Client, PCSTR args)
{
size_t value;
if (!args || strlen(args)==0)
value = 0;
else
value = GetExpression(args);
if (value == 0)
dprintf("Current alignment is "PRINT_FORMAT_SIZE"\n", g_align);
else if (value==4 || value==8 || value==16)
g_align = value;
else
dprintf("Invalid setting for alignment "PRINT_FORMAT_SIZE"\n", value);
return S_OK;
}
static ret_code EvaluateHllExpression( hll_list * hll, int *i, int ilabel, bool is_true )
/***************************************************************************************/
{
char *lastjmp = NULL;
expr_list opndx;
char buffer[MAX_LINE_LEN*2];
DebugMsg(("EvaluateHllExpression enter\n"));
buffer[0] = NULLC;
if ( ERROR == GetExpression( hll, i, ilabel, is_true, buffer, &lastjmp, &opndx ) )
return( ERROR );
if ( buffer[0] )
WriteExprSrc( hll, buffer );
if ( hll->condlines != NULL && *hll->condlines == '\n' ) {
AsmError( SYNTAX_ERROR_IN_CONTROL_FLOW_DIRECTIVE );
return( ERROR );
}
return( NOT_ERROR );
}
VOID
WinDbgExtensionDllInit(
PWINDBG_EXTENSION_APIS lpExtensionApis,
USHORT MajorVersion,
USHORT MinorVersion
)
{
ExtensionApis = *lpExtensionApis;
SavedMajorVersion = MajorVersion;
SavedMinorVersion = MinorVersion;
//
// Try to get a pointer to afd!AfdDebug. If we can, then we know
// the target machine is running a checked AFD.SYS.
//
IsCheckedAfd = ( GetExpression( "afd!AfdDebug" ) != 0 );
return;
}
bool ParseLine(std::string line)
{
bool success = false;
if (line.find(";") != string::npos)
{
success = GetAssignment(line);
}
else
{
success = GetExpression(line);
}
if (success == 1)
{
GoodLines.push_back(line);
}
else
{
BadLines.push_back(std::string(line) + " Error: " + std::string(error));
}
return success;
}
bool GetAssignment(std::string line)
{
if (line.find(";") != string::npos)
{
//check for characters after the ;
std::string lineS = line.substr(line.find_first_of(";"), line.length() - line.find_first_of("="));
for (int i = 0; i < lineS.length(); i++)
{
if (CheckChar(lineS[i]))
{
error = "charaters after semicolon!";
return false;
}
}
line = line.substr(0, line.find_first_of(";"));
//
lineS = line.substr(0, line.find_first_of("="));
//check if line contains white space
if (lineS.find(" ") != string::npos)
{
int indexOfWhiteSpace = lineS.find_first_of(" ");
if (indexOfWhiteSpace == lineS.length() - 1)
lineS = lineS.substr(0, indexOfWhiteSpace);
else if (indexOfWhiteSpace == 0)
lineS = lineS.substr(1);
else
{
error = "incorrent space in id";
return false;
}
}
if (!CheckID(lineS))
return false;
if (!GetExpression(line.substr(line.find_first_of("=") + 1, (line.length() - line.find_first_of("=") - 1))))
return false;
return true;
}
error = "No semicolon in the assignment!";
return false;
}
/////////////////////////////////////////////////////
// Unexposed cmd to set max recursive reference depth
/////////////////////////////////////////////////////
HRESULT CALLBACK
block_size(PDEBUG_CLIENT4 Client, PCSTR args)
{
if (!enter_command(Client))
return E_FAIL;
if (!args || strlen(args)==0)
{
dprintf("0");
return E_FAIL;
}
address_t addr = GetExpression(args);
struct heap_block heap_block;
if (addr && get_heap_block_info(addr, &heap_block))
dprintf(PRINT_FORMAT_SIZE, heap_block.size);
else
dprintf("0");
leave_command();
return S_OK;
}
VOID GetNum()
{
LONG lValue;
/* Initialize */
wLongFlag = 0;
nParenCount = 0;
/* Return the number */
lValue = GetExpression();
/* Make sure we had matched parens */
if (nParenCount)
ParseError1(1013); //"Mismatched parentheses"
/* Return as the proper token */
if (wLongFlag)
token.flongval = TRUE;
token.type = NUMLIT;
token.longval = lValue;
token.val = (USHORT)lValue;
}
bool ObjIeeeAscii::Fixup(const char *buffer, eParseType ParseType)
{
if (!file || currentDataSection == NULL)
ThrowSyntax(buffer, ParseType);
int pos = 3;
if (buffer[2] != '(')
ThrowSyntax(buffer, ParseType);
ObjExpression *exp = GetExpression(buffer, &pos);
if (buffer[pos++] != ')')
ThrowSyntax(buffer, ParseType);
CheckTerm(buffer + pos);
if (exp->GetOperator() != ObjExpression::eNonExpression)
ThrowSyntax(buffer, ParseType);
if (exp->GetRight()->GetOperator() != ObjExpression::eValue)
ThrowSyntax(buffer, ParseType);
int size = exp->GetRight()->GetValue();
ObjExpression *left = exp->GetLeft();
ObjMemory *mem = factory->MakeFixup(left, size);
mem->SetDebugTags(currentTags);
currentTags = new ObjMemory::DebugTagContainer;
currentDataSection->Add(mem);
return false;
}
TExpressionPtr ExpressionParser::ParseParameterizedVariableExpression(StringPtrLen str) const
{
BracketsContent content;
auto name = content.Parse(str);
if (str.Len() == name.Len())
{
return TExpressionPtr();
}
name.Trim();
CheckQualifier(name, "Variable name");
auto variable = m_variable_mgr.FindVariable(name);
if (nullptr == variable)
{
Error("Usage of undefined variable '", name, "'.");
}
TExpressionPtrVector actual_params;
actual_params.reserve(5);
StringPtrLen param;
while (content.GetPart(param))
{
auto param_expr = ParseExpression(param);
actual_params.push_back(std::move(param_expr));
}
if (actual_params.size() != variable->GetParameterCount())
{
Error("Incorrect amount of parameters during usage of variable '", variable->GetName(),
"'. Expected amount - ", variable->GetParameterCount(), ", actual amount - ", actual_params.size(), ".");
}
return variable->GetExpression()->CloneWithSubstitution(actual_params);
}
LONG GetOperand(VOID)
{
/* Check to see if we need to descend a level */
if (curChar == L'(') {
/* Bump paren count so we can match them up */
++nParenCount;
/* Skip past the paren char */
OurGetChar();
SkipWhitespace();
/* Return the value of the computed expression for the operand */
return GetExpression();
}
/* If this isn't a number, return an error */
if (curChar != L'-' && curChar != L'~' && !iswdigit(curChar)) {
GetKwd(FALSE);
ParseError2(2237, tokenbuf);
return 0;
}
/* Get the number in the token structure */
GetNumFTB();
/* See if we need to force the result long */
if (token.flongval)
wLongFlag = TRUE;
/* Skip trailing whitespace */
SkipWhitespace();
/* Return the value */
return token.longval;
}
void returnAddressHuntJutsu(){
struct trackedBuf *curBuf;
int i = 0, bufferIndex = 0;
ULONG offset = 0, bytes = 0;
char findBufferExpression[25];
ULONG64 returnAddress = 0;
HRESULT memSearch = S_OK;
//disassembly variables
char returnInstruction[30];
unsigned char opcodeBuffer[30];
unsigned short instructionLength = 0;
dprintf("[J] started return address hunt\n");
for(i; i<6; i++){ //6, because we don't want to waste time on the eip register
curBuf = trackedBufList;
memset(findBufferExpression, 0x00, sizeof(findBufferExpression));
if(!(bytes = GetExpression(regs[i]))){
dprintf("[J] skipping %s as register - it is a null pointer\n", regs[i]);
continue;
}
StringCchPrintf(findBufferExpression, sizeof(findBufferExpression), "poi(%s)", regs[i]);
bytes = GetExpression(findBufferExpression);
//tests if a register points to a location in user controlled data
while(curBuf != NULL){
for(bufferIndex=0; bufferIndex < strlen(curBuf->bufPatt); bufferIndex++){
if(*(PULONG)((curBuf->bufPatt)+bufferIndex) == bytes){
memset(opcodeBuffer, 0x00, sizeof(opcodeBuffer));
memset(returnInstruction, 0x00, sizeof(returnInstruction));
//find the opcodes for the desired instruction
//first, for call reg
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "call %s", regs[i]);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (call %s) found at 0x%08x\n", regs[i], returnAddress);
}
//now, for jmp reg
memset(returnInstruction, 0x00, sizeof(returnInstruction));
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "jmp %s", regs[i]);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (jmp %s) found at 0x%08x\n", regs[i], returnAddress);
}
}
}
curBuf = curBuf->next;
}
curBuf = trackedBufList;
for(offset=0; offset<0x1000; offset+=4){
memset(findBufferExpression, 0x00, sizeof(findBufferExpression));
StringCchPrintf(findBufferExpression, sizeof(findBufferExpression), "poi(poi(%s+0x%08x))", regs[i], offset);
if(!(bytes = GetExpression(findBufferExpression)))
continue; //this is basically a replacement for the
//ddp windbg command, except more automated
//walk through the buffer to see if any dword in there matches the current
//value returned by the expression
while(curBuf != NULL){
for(bufferIndex=0; bufferIndex < strlen(curBuf->bufPatt); bufferIndex++){
if(*(PULONG)((curBuf->bufPatt)+bufferIndex) == bytes){
memset(opcodeBuffer, 0x00, sizeof(opcodeBuffer));
memset(returnInstruction, 0x00, sizeof(returnInstruction));
dprintf("[J] %s + 0x%08x points into offset 0x%x of buffer %s\n",
regs[i], offset, bufferIndex, curBuf->bufName);
//first, build the instruction to find the bytes for
//for now, we will support jmp [reg+offset] and call [reg+offset]
//first, for call [reg+offset]
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "call [%s+%x]", regs[i], offset);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (call [%s+%x]) found at 0x%08x\n", regs[i], offset, returnAddress);
}
//now, for jmp [reg+offset]
memset(returnInstruction, 0x00, sizeof(returnInstruction));
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "jmp [%s+%x]", regs[i], offset);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (jmp [%s+%x]) found at 0x%08x\n", regs[i], offset, returnAddress);
}
}
}
curBuf = curBuf->next;
}
curBuf = trackedBufList;
}
}
}