Repository: 0ffffffffh/Api-Break-for-x64dbg Branch: beta-development Commit: 280f6e179aa9 Files: 152 Total size: 944.6 KB Directory structure: gitextract_x3y7uekt/ ├── .gitignore ├── README.md ├── x64dbgApiBreak/ │ ├── mapperscripts/ │ │ ├── base/ │ │ │ └── base.abtf │ │ └── main.abtf │ ├── res.aps │ ├── res.rc │ ├── resource.h │ ├── src/ │ │ ├── apibreak.cpp │ │ ├── callfind.cpp │ │ ├── dynapidetect.cpp │ │ ├── hlprs.cpp │ │ ├── incl/ │ │ │ ├── apibreak.h │ │ │ ├── corelib.h │ │ │ ├── defs.h │ │ │ ├── dlgs/ │ │ │ │ ├── ApiCallMapForm.hpp │ │ │ │ ├── MainForm.hpp │ │ │ │ └── SettingsForm.hpp │ │ │ ├── hlp.h │ │ │ ├── instparse.h │ │ │ ├── pluginsdk/ │ │ │ │ ├── DeviceNameResolver/ │ │ │ │ │ ├── DeviceNameResolver.h │ │ │ │ │ ├── DeviceNameResolver_x64.a │ │ │ │ │ ├── DeviceNameResolver_x64.lib │ │ │ │ │ ├── DeviceNameResolver_x86.a │ │ │ │ │ └── DeviceNameResolver_x86.lib │ │ │ │ ├── TitanEngine/ │ │ │ │ │ ├── TitanEngine.h │ │ │ │ │ ├── TitanEngine_x64.a │ │ │ │ │ ├── TitanEngine_x64.lib │ │ │ │ │ ├── TitanEngine_x86.a │ │ │ │ │ └── TitanEngine_x86.lib │ │ │ │ ├── XEDParse/ │ │ │ │ │ ├── XEDParse.h │ │ │ │ │ ├── XEDParse_x64.a │ │ │ │ │ ├── XEDParse_x64.lib │ │ │ │ │ ├── XEDParse_x86.a │ │ │ │ │ └── XEDParse_x86.lib │ │ │ │ ├── _dbgfunctions.h │ │ │ │ ├── _plugin_types.h │ │ │ │ ├── _plugins.h │ │ │ │ ├── _scriptapi.h │ │ │ │ ├── _scriptapi_argument.h │ │ │ │ ├── _scriptapi_assembler.h │ │ │ │ ├── _scriptapi_bookmark.h │ │ │ │ ├── _scriptapi_comment.h │ │ │ │ ├── _scriptapi_debug.h │ │ │ │ ├── _scriptapi_flag.h │ │ │ │ ├── _scriptapi_function.h │ │ │ │ ├── _scriptapi_gui.h │ │ │ │ ├── _scriptapi_label.h │ │ │ │ ├── _scriptapi_memory.h │ │ │ │ ├── _scriptapi_misc.h │ │ │ │ ├── _scriptapi_module.h │ │ │ │ ├── _scriptapi_pattern.h │ │ │ │ ├── _scriptapi_register.h │ │ │ │ ├── _scriptapi_stack.h │ │ │ │ ├── _scriptapi_symbol.h │ │ │ │ ├── bridgegraph.h │ │ │ │ ├── bridgelist.h │ │ │ │ ├── bridgemain.h │ │ │ │ ├── capstone/ │ │ │ │ │ ├── arm.h │ │ │ │ │ ├── arm64.h │ │ │ │ │ ├── capstone.h │ │ │ │ │ ├── capstone_x64.lib │ │ │ │ │ ├── capstone_x86.lib │ │ │ │ │ ├── m68k.h │ │ │ │ │ ├── mips.h │ │ │ │ │ ├── platform.h │ │ │ │ │ ├── ppc.h │ │ │ │ │ ├── sparc.h │ │ │ │ │ ├── systemz.h │ │ │ │ │ ├── x86.h │ │ │ │ │ └── xcore.h │ │ │ │ ├── dbghelp/ │ │ │ │ │ ├── dbghelp.h │ │ │ │ │ ├── dbghelp_x64.a │ │ │ │ │ ├── dbghelp_x64.lib │ │ │ │ │ ├── dbghelp_x86.a │ │ │ │ │ └── dbghelp_x86.lib │ │ │ │ ├── jansson/ │ │ │ │ │ ├── jansson.h │ │ │ │ │ ├── jansson_config.h │ │ │ │ │ ├── jansson_x64.a │ │ │ │ │ ├── jansson_x64.lib │ │ │ │ │ ├── jansson_x64dbg.h │ │ │ │ │ ├── jansson_x86.a │ │ │ │ │ └── jansson_x86.lib │ │ │ │ ├── lz4/ │ │ │ │ │ ├── lz4.h │ │ │ │ │ ├── lz4_x64.a │ │ │ │ │ ├── lz4_x64.lib │ │ │ │ │ ├── lz4_x86.a │ │ │ │ │ ├── lz4_x86.lib │ │ │ │ │ ├── lz4file.h │ │ │ │ │ └── lz4hc.h │ │ │ │ ├── x32bridge.lib │ │ │ │ ├── x32dbg.lib │ │ │ │ ├── x64bridge.lib │ │ │ │ ├── x64dbg.lib │ │ │ │ └── yara/ │ │ │ │ ├── yara/ │ │ │ │ │ ├── ahocorasick.h │ │ │ │ │ ├── arena.h │ │ │ │ │ ├── atoms.h │ │ │ │ │ ├── compiler.h │ │ │ │ │ ├── dotnet.h │ │ │ │ │ ├── elf.h │ │ │ │ │ ├── endian.h │ │ │ │ │ ├── error.h │ │ │ │ │ ├── exec.h │ │ │ │ │ ├── exefiles.h │ │ │ │ │ ├── filemap.h │ │ │ │ │ ├── globals.h │ │ │ │ │ ├── hash.h │ │ │ │ │ ├── hex_lexer.h │ │ │ │ │ ├── integers.h │ │ │ │ │ ├── lexer.h │ │ │ │ │ ├── libyara.h │ │ │ │ │ ├── limits.h │ │ │ │ │ ├── mem.h │ │ │ │ │ ├── modules.h │ │ │ │ │ ├── object.h │ │ │ │ │ ├── parser.h │ │ │ │ │ ├── pe.h │ │ │ │ │ ├── pe_utils.h │ │ │ │ │ ├── proc.h │ │ │ │ │ ├── re.h │ │ │ │ │ ├── re_lexer.h │ │ │ │ │ ├── rules.h │ │ │ │ │ ├── scan.h │ │ │ │ │ ├── sizedstr.h │ │ │ │ │ ├── stream.h │ │ │ │ │ ├── strutils.h │ │ │ │ │ ├── threading.h │ │ │ │ │ ├── types.h │ │ │ │ │ └── utils.h │ │ │ │ ├── yara.h │ │ │ │ ├── yara_x64.lib │ │ │ │ └── yara_x86.lib │ │ │ ├── qpc.hpp │ │ │ ├── rtf.h │ │ │ ├── settings.h │ │ │ ├── structmemmap.h │ │ │ ├── ui/ │ │ │ │ ├── ctrl/ │ │ │ │ │ ├── uicheckbox.hpp │ │ │ │ │ ├── uicombobox.hpp │ │ │ │ │ └── uicontrolbase.hpp │ │ │ │ ├── ui.h │ │ │ │ └── uiwrapper.hpp │ │ │ └── util.h │ │ ├── instparse.cpp │ │ ├── plugin.cpp │ │ ├── rtf.cpp │ │ ├── settings.cpp │ │ ├── structmemmap.cpp │ │ ├── syslib.cpp │ │ ├── ui/ │ │ │ └── ui.cpp │ │ └── util.cpp │ ├── x64dbgApiBreak.vcxproj │ └── x64dbgApiBreak.vcxproj.filters └── x64dbgApiBreak.sln ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ bin/ Release/ Debug/ x64/ .vs/ *.sdf *.opensdf *.suo *.vcxproj.user *.VC.*db *.bat *.cmd ================================================ FILE: README.md ================================================ # Api Break for x64dbg Api Break is a [x64dbg](http://www.x64dbg.com) plugin which is aimed to set breakpoints Win32/64 API calls easly. ![ab1](https://raw.githubusercontent.com/0ffffffffh/0ffffffffh.github.io/master/apibreakaction.gif "Breakpoint on callers") ![ab2](https://user-images.githubusercontent.com/437161/34647882-eb65aadc-f39f-11e7-8c14-f1cc3254d0f0.png "Struct and API call mapper") ####**Features** * API function entry breakpoint (AEB) * Breakpoint at API callers (BAC) * Auto-populating modules and their API functions used by the process. #### **API Function Entry Breakpoint (AEB)** It can be useful when the code does obfuscated or indirect api calls or something similar conditions. This mode is automatically (naturally) handles all API calls for the entire module. Also, this mode gives an option to jump automatically to the API caller when the API entry breakpoint hit. It exposes the original caller using single step callstack backtracing. #### **Breakpoint at API callers (BAC)** In technically, this mode is much more flexible and customizable. It does scan dynamically for API calls in specified module or address range. For now, it scans only process's code range. But other features are planned for future development. If you have any idea, let me know what ideas you have about it. #####**In-Development features** - Dynamically loaded API detection which is made by using [GetProcAddress](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212%28v=vs.85%29.aspx) (*About 45% implemented*) #####**Planning features** - User specified code range scan for **BAC** - User specified module scan for **BAC** - User option to listing all linked modules and APIs of process regardless of IAT. ================================================ FILE: x64dbgApiBreak/mapperscripts/base/base.abtf ================================================ maptype HelloType { int val; } ================================================ FILE: x64dbgApiBreak/mapperscripts/main.abtf ================================================ /* ################################################################# WARNING: This mapper script format is still in the design phase. And it may change until the final release. Hence, the scripts that are written based on the draft phase may not work in subsequent versions of ApiBreak plugin. For now, this description of the script format is quite messy. I can make it better if I have more free time. ################################################################# [1 - Builtin Primitive Types] int : System default size integer uint : System default size unsigned integer char : Ansi Char wchar : Wide char byte : 1 byte (8 bit) singed integer ubyte : 1 byte (8 bit) unsigned integer short : 2 byte (16 bit) signed integer ushort : 2 byte (16 bit) unsigned integer long : 4 byte (32 bit) signed integer ulong : 4 byte (32 bit) unsigned integer long64 : 8 byte (64 bit) signed integer ulong64 : 8 byte (64 bit) unsigned integer [2 - Special Primitive Types] string : ANSI char sequence wstring : WIDE char sequence pointer : Untyped generic system sized pointer archex : Architecture depended hexadecimal value [3 - Builtin Aliases] BYTE : alias for ubyte WORD : alias for ushort DWORD : alias for ulong QWORD : alias for ulong64 [4 - User defined aliases] Users also can define their own aliases alias [ALIAS_TYPE_NAME] [OWN_ALIAS_IDENTIFIER_FOR_TYPE] for example; alias ulong u32_t [4 - Including different script sources] Users can write their api and type definition into multiple file or source And they can include these scripts in their own script file for later usage. They can include scripts from the another local directory or the internet web address. @incl [FILEPATH] or [URL] for example; @incl 'anotherdirectory/myscript.abtf' @incl 'http://myserver.com/scripts/main.abtf' [5 - API function signature declaration] fnsign {RETTYPE} [ModuleName]![ApiFunctionName]({[ARGUMENT_TYPE] argName1, ...}) for example: Here is TerminateProcess function definition in C style prototype BOOL WINAPI TerminateProcess( _In_ HANDLE hProcess, _In_ UINT uExitCode ); And this is mapper signature definition alias int BOOL //for BOOL typedef. u remember that 'alias' thing? fnsign BOOL kernel32.dll!TerminateProcess(pointer hprocess, uint exitCode) or without return type example. void GdiplusShutdown( __in ULONG_PTR token ); fnsign Gdiplus.dll!GdiplusShutdown(pointer token) [6 - Type struct definition] maptype [TYPE_IDENTITY] { [FIELD_TYPE1] [fieldName1], ... another fields if you have } for example maptype mytype { int x; wstring str; } now you can use mytype as declared type as you want. using in api function signature arg, alias or NOTE: Currently, nested types are not fully supported. (But I will completely.) */ @incl 'base/base.abtf' /* 'HelloType' defined in base/base.abtf as user type structure */ alias HelloType MyHelloType fnsign pointer kernel32.dll!CreateFileW(wstring fileName, DWORD desiredAccess, DWORD shareMode, pointer secAttrib, DWORD creationDisp, DWORD flagAttrib, out pointer templFile) ================================================ FILE: x64dbgApiBreak/src/apibreak.cpp ================================================ #include #include #include #include #include #include #include using namespace Script::Module; using namespace Script::Symbol; using namespace Script::Debug; using namespace Script::Register; modlist AbpModuleList; unordered_map AbpBreakpointList; INTERNAL bool AbiDetectAPIsUsingByGetProcAddress(); INTERNAL int AbiSearchCallersForAFI(duint codeBase, duint codeSize, ApiFunctionInfo *afi); INTERNAL ModuleInfo * AbiGetCurrentModuleInfo(); FORWARDED BOOL AbfNeedsReload; void AbpReleaseBreakpointResources() { unordered_map::iterator it; if (AbpBreakpointList.size() == 0) return; while (AbpBreakpointList.size() > 0) { it = AbpBreakpointList.begin(); if (it->second->cbctx != NULL) FREEOBJECT(it->second->cbctx); FREEOBJECT(it->second); AbpBreakpointList.erase(it); } } PBREAKPOINT_INFO AbpLookupBreakpoint(duint addr) { unordered_map::iterator iter; iter = AbpBreakpointList.find(addr); if (iter == AbpBreakpointList.end()) return FALSE; return iter->second; } bool AbpRegisterBreakpoint(duint addr, DWORD options, BpCallbackContext *cbctx) { PBREAKPOINT_INFO pbi; if (AbpBreakpointList.find(addr) != AbpBreakpointList.end()) return false; pbi = ALLOCOBJECT(BREAKPOINT_INFO); if (!pbi) return false; pbi->addr = addr; pbi->options = options; pbi->hitCount = 0; pbi->cbctx = cbctx; cbctx->ownerBreakpoint = pbi; AbpBreakpointList.insert({ addr,pbi }); return true; } bool AbpDeregisterBreakpoint(duint addr) { unordered_map::iterator iter; iter = AbpBreakpointList.find(addr); if (iter == AbpBreakpointList.end()) return false; if (iter->second->cbctx != NULL) FREEOBJECT(iter->second->cbctx); FREEOBJECT(iter->second); AbpBreakpointList.erase(iter); return true; } ModuleApiInfo *AbpSearchModuleApiInfo(const char *name) { for (modlist::iterator n = AbpModuleList.begin(); n != AbpModuleList.end(); n++) { if (!strcmp((*n)->name, name)) return *n; } return NULL; } ApiFunctionInfo *AbpSearchApiFunctionInfo(ModuleApiInfo *moduleInfo, const char *func) { apilist::iterator iter; string sfunc(func); if (!moduleInfo) return NULL; iter = moduleInfo->apiList->find(sfunc); if (iter != moduleInfo->apiList->end()) return iter->second; return NULL; } void AbpLinkApiExportsToModule(ListInfo *moduleList) { ModuleInfo *module = NULL; for (modlist::iterator n = AbpModuleList.begin(); n != AbpModuleList.end(); n++) { module = static_cast(moduleList->data); for (int i = 0;i < moduleList->count;i++) { if (!strcmp(module->name, (*n)->name)) { (*n)->baseAddr = module->base; break; } module++; } } } bool AbpDeregisterModule(ModuleApiInfo *mai) { apilist::iterator apit; modlist::iterator modit; ApiFunctionInfo *afi; if (!mai) return false; for (apit = mai->apiList->begin(); apit != mai->apiList->end(); apit++) { afi = apit->second; if (afi->callInfo.calls) FREEOBJECT(afi->callInfo.calls); FREEOBJECT(afi); } mai->listCount = 0; mai->apiList->clear(); delete mai->apiList; for (modit = AbpModuleList.begin(); modit != AbpModuleList.end(); modit++) { if ((*modit) == mai) break; } AbpModuleList.erase(modit); FREEOBJECT(mai); return true; } bool AbpRegisterApi(SymbolInfo *sym, ApiFunctionInfo **pafi) { ModuleApiInfo *mai = NULL; ApiFunctionInfo *afi = NULL; BOOL afiExist = FALSE; if (pafi) *pafi = NULL; CharLowerA(sym->mod); mai = AbpSearchModuleApiInfo(sym->mod); if (!mai) { mai = ALLOCOBJECT(ModuleApiInfo); if (!mai) return false; strcpy(mai->name, sym->mod); mai->baseAddr = 0; mai->apiList = new apilist(); AbpModuleList.push_back(mai); } if ((afi = AbpSearchApiFunctionInfo(mai, sym->name))) { afiExist = TRUE; } if (!afiExist) { afi = ALLOCOBJECT(ApiFunctionInfo); if (!afi) return false; strcpy(afi->name, sym->name); mai->apiList->insert({ string(sym->name), afi }); mai->listCount++; } afi->rva = sym->rva; afi->ownerModule = mai; if (pafi) *pafi = afi; return true; } INTERNAL_EXPORT ApiFunctionInfo *AbiGetAfi(const char *module, const char *afiName) { ModuleApiInfo *mai = NULL; ApiFunctionInfo *afi = NULL; mai = AbpSearchModuleApiInfo(module); if (!mai) return NULL; return AbpSearchApiFunctionInfo(mai, afiName); } bool AbpNeedsReloadModuleAPIs() { ModuleInfo mod; if (!AbGetDebuggedModuleInfo(&mod)) return false; return strcmp(mod.name, AbiGetCurrentModuleInfo()->name) != 0; } duint AbpGetPEDataOfMainModule2(ModuleInfo *mi, duint type, int sectIndex) { return (duint)GetPE32Data(mi->path, sectIndex, type); } duint AbpGetPEDataOfMainModule(duint type, int sectIndex) { ModuleInfo mainModule; if (!AbGetDebuggedModuleInfo(&mainModule)) return 0; return AbpGetPEDataOfMainModule2(&mainModule, type, sectIndex); } INTERNAL_EXPORT bool AbiRegisterDynamicApi(const char *module, const char *api, duint mod, duint apiAddr, duint apiRva) { SymbolInfo sym; ApiFunctionInfo *afi = NULL; DBGPRINT("Registering dynaload api %s(%p) : %s(%p)", module, mod, api, apiAddr); memset(&sym, 0, sizeof(SymbolInfo)); strcpy(sym.mod, module); strcpy(sym.name, api); sym.rva = apiRva; sym.type = Import; if (AbpRegisterApi(&sym, &afi)) { DBGPRINT("registered!"); if (afi->ownerModule->baseAddr == 0) afi->ownerModule->baseAddr = mod; return true; } return false; } INTERNAL_EXPORT int AbiGetMainModuleCodeSections(ModuleSectionInfo **msi) { ModuleInfo mainModule; DWORD flags; ModuleSectionInfo *sectList = NULL; int sectCount = 0; *msi = NULL; if (!AbGetDebuggedModuleInfo(&mainModule)) return 0; for (int i = 0;i < mainModule.sectionCount;i++) { flags = AbpGetPEDataOfMainModule2(&mainModule, UE_SECTIONFLAGS, i); if (flags & IMAGE_SCN_CNT_CODE) { sectCount++; sectList = RESIZEOBJECTLIST(ModuleSectionInfo, sectList, sectCount); sectList[sectCount-1].addr = mainModule.base + AbpGetPEDataOfMainModule2(&mainModule, UE_SECTIONVIRTUALOFFSET, i); sectList[sectCount-1].size = AbpGetPEDataOfMainModule2(&mainModule, UE_SECTIONVIRTUALSIZE, i); } } *msi = sectList; return sectCount; } void AbDebuggerRun() { Script::Debug::Run(); } void AbDebuggerPause() { Script::Debug::Pause(); } void AbDebuggerWaitUntilPaused() { _plugin_waituntilpaused(); } bool AbCmdExecFormat(const char *format, ...) { bool success = false; char *buffer; va_list va; va_start(va, format); if (HlpPrintFormatBufferExA(&buffer, format, va) > 0) { success = DbgCmdExecDirect(buffer); FREESTRING(buffer); } va_end(va); return success; } bool AbGetDebuggedImageName(char *buffer) { ModuleInfo mod; if (!AbGetDebuggedModuleInfo(&mod)) return false; strcpy(buffer, mod.name); return true; } bool AbGetDebuggedModuleInfo(ModuleInfo *modInfo) { duint mainModAddr; mainModAddr = AbGetDebuggedImageBase(); if (!mainModAddr) return false; return InfoFromAddr(mainModAddr, modInfo); } bool AbGetDebuggedModulePath(char *pathBuf, int bufLen) { ModuleInfo mod; int dn; if (!pathBuf) return false; if (!AbGetDebuggedModuleInfo(&mod)) return false; dn = strlen(mod.path); if (dn > bufLen) return false; strcpy(pathBuf, mod.path); while (pathBuf[--dn] != '\\') pathBuf[dn] = 0; return true; } duint AbGetDebuggedImageBase() { duint base = GetMainModuleBase(); if (base) return base; base = (duint)GetDebuggedFileBaseAddress(); if (!base) base = (duint)GetDebuggedDLLBaseAddress(); return base; } bool AbHasDebuggingProcess() { ModuleInfo mi; if (DbgIsDebugging()) { return AbGetDebuggedModuleInfo(&mi); } return false; } void AbReleaseModuleResources() { while (AbpModuleList.size() > 0) { AbpDeregisterModule((*AbpModuleList.begin())); } } bool AbLoadAvailableModuleAPIs(bool onlyImportsByExe) { DECL_QPREF; ListInfo moduleList = { 0 }; ListInfo functionSymbolList = { 0 }; bool modListOk = false, symListOk = false; bool success = false; SymbolInfo *sym = NULL; ModuleApiInfo *mai = NULL; ApiFunctionInfo *afi = NULL; if (!AbfNeedsReload) return true; QPERF_BEGIN(); DBGPRINT("loading module list"); //First, detect dynamically loaded apis. //And mark the loaded api export as an imported by exe if (Script::Module::GetList(&moduleList)) { if (moduleList.data != NULL) modListOk = true; } DBGPRINT("%d module loaded.", moduleList.count); QPERF_TIME("module list load"); DBGPRINT("loading symbol list"); if (Script::Symbol::GetList(&functionSymbolList)) { if (functionSymbolList.data != NULL) symListOk = true; } if (!modListOk || !symListOk) goto cleanAndExit; sym = static_cast(functionSymbolList.data); QPERF_TIME("Symbol list load"); DBGPRINT("%d symbol loaded.", functionSymbolList.count); for (int i = 0;i < functionSymbolList.count;i++) { if (onlyImportsByExe) { if (sym->type == Import && HlpEndsWithA(sym->mod, ".exe",FALSE, 4)) { //Executables provides psoude module import data //for now we reserve api registration slot if (AbpRegisterApi(sym, &afi)) mai = afi->ownerModule; } else if (sym->type == Export && !HlpEndsWithA(sym->mod,".exe",FALSE, 4)) { //Ok. we walkin on the real export modules now. //try to get AFI if there is exist a reserved for psoude import data afi = AbpSearchApiFunctionInfo(mai, sym->name); //If exist make a real registration for exist slot if (afi != NULL) { AbpRegisterApi(sym, NULL); } } } else { if (sym->type == Export && !HlpEndsWithA(sym->mod, ".exe", FALSE, 4)) { AbpRegisterApi(sym,NULL); } } sym++; } DBGPRINT("api registration done"); QPERF_TIME("Api search and registration"); if (AbpModuleList.size() == 0 ) { MessageBoxA(AbHwndDlgHandle, "The ApiBreak could not load any imports from the being debugged image.\r\n" "Because, imports are treated as export or could not load imports correctly by the x64dbg. (Its a x64dbg Bug)\r\n" "Please update your x64dbg to latest version.", "WARNING", MB_OK | MB_ICONWARNING); success = false; goto cleanAndExit; } if (onlyImportsByExe) AbpDeregisterModule(mai); AbpLinkApiExportsToModule(&moduleList); QPERF_TIME("Linking export to module"); success = true; DBGPRINT("%d module found.", AbpModuleList.size()); if (AbGetSettings()->exposeDynamicApiLoads) { AbiDetectAPIsUsingByGetProcAddress(); QPERF_TIME("Detection GetProcAddress"); } else DBGPRINT("dynamic api detection disabled!"); AbfNeedsReload = FALSE; cleanAndExit: QPERF_DUMP(); if (symListOk) BridgeFree(functionSymbolList.data); if (modListOk) BridgeFree(moduleList.data); return success; } int AbEnumModuleNames(APIMODULE_ENUM_PROC enumProc, void *user) { ModuleApiInfo *mai; for (modlist::iterator n = AbpModuleList.begin(); n != AbpModuleList.end(); n++) { mai = *n; enumProc(mai->name, user); } return (int)AbpModuleList.size(); } void AbEnumApiFunctionNames(APIMODULE_ENUM_PROC enumProc, const char *moduleName, void *user) { ModuleApiInfo *mai = NULL; mai = AbpSearchModuleApiInfo(moduleName); if (!mai) return; for (apilist::iterator n = mai->apiList->begin(); n != mai->apiList->end(); n++) enumProc(n->second->name, user); } bool AbpReturnToCaller(duint callerIp, duint csp) { RegisterEnum cspReg, cipReg; #ifdef _WIN64 cspReg = RegisterEnum::RSP; cipReg = RegisterEnum::RIP; #else cspReg = RegisterEnum::ESP; cipReg = RegisterEnum::EIP; #endif #if _DEBUG DBGPRINT("Old CIP: %p, New CIP: %p", Get(cipReg), callerIp); DBGPRINT("Current CSP: %p, Ctx CSP: %p, New CSP: %p", Get(cspReg), csp, csp + sizeof(duint)); #endif //pop stack if (!Set(cspReg, csp + sizeof(duint))) return false; //set the previous caller address to the Instruction pointer return Set(cipReg, callerIp); } void AbpCallback0(__BpCallbackContext *bpx) { return; } #include void AbpBacktrackingBreakpointCallback(__BpCallbackContext *bpx) { duint callerIp; DECL_QPREF; switch (bpx->bp->type) { case bp_normal: case bp_memory: case bp_dll: break; default: return; } DBGPRINT("Backtracing to the caller"); QPERF_BEGIN(); callerIp = UtlGetCallerAddress(&bpx->regContext); QPERF_TIME("UtlGetCallerAddress"); if (callerIp > 0) { if (AbpReturnToCaller(callerIp, bpx->regContext.regcontext.csp)) { bpx->regContext.regcontext.csp += sizeof(duint); bpx->regContext.regcontext.cip = callerIp; } else DBGPRINT("Cant return to caller"); QPERF_TIME("AbpReturnToCaller"); GuiDisasmAt(callerIp, callerIp); GuiStackDumpAt(bpx->regContext.regcontext.csp, bpx->regContext.regcontext.csp); QPERF_TIME("AbCmdExecFormat"); } QPERF_DUMP(); } bool AbSetAPIBreakpointOnCallers(const char *module, const char *apiFunction) { duint addr; return AbSetBreakpointEx( module, apiFunction, &addr, BPO_BACKTRACK, (AB_BREAKPOINT_CALLBACK)AbpBacktrackingBreakpointCallback, NULL ); } bool AbSetAPIBreakpoint(const char *module, const char *apiFunction, duint *funcAddr) { return AbSetBreakpointEx(module, apiFunction, funcAddr, BPO_NONE, (AB_BREAKPOINT_CALLBACK)AbpCallback0,NULL); } bool AbSetInstructionBreakpoint(duint instrAddr, AB_BREAKPOINT_CALLBACK callback, void *user, bool singleShot) { DWORD opt = BPO_NONE; if (singleShot) opt |= BPO_SINGLESHOT; return AbSetBreakpointEx(NULL, NULL, &instrAddr, opt, callback, user); } bool AbSetBreakpointEx(const char *module, const char *apiFunction, duint *funcAddr, DWORD bpo, AB_BREAKPOINT_CALLBACK bpCallback, void *user) { bool bpSet; ApiFunctionInfo *afi = NULL; BpCallbackContext *cbctx = NULL; duint bpAddr = 0; bool isNonApiBp; isNonApiBp = module == NULL && apiFunction == NULL; if (!isNonApiBp) { afi = AbiGetAfi(module, apiFunction); if (!afi) return false; bpAddr = afi->ownerModule->baseAddr + afi->rva; } else { if (*funcAddr == NULL) return false; bpAddr = *funcAddr; } if (bpCallback != NULL) { cbctx = ALLOCOBJECT(BpCallbackContext); if (!cbctx) return false; cbctx->bpAddr = bpAddr; cbctx->callback = bpCallback; cbctx->afi = afi; cbctx->user = user; } if (bpo & BPO_SINGLESHOT) bpSet = AbCmdExecFormat("bp %p, abss, ss", bpAddr); else bpSet = SetBreakpoint(bpAddr); if (!bpSet) { FREEOBJECT(cbctx); return false; } if (!AbpRegisterBreakpoint(bpAddr, bpo, cbctx)) { FREEOBJECT(cbctx); } if (!isNonApiBp) { if (bpSet && funcAddr != NULL) *funcAddr = afi->ownerModule->baseAddr + afi->rva; } return bpSet; } bool AbDeleteBreakpoint(duint addr) { PBREAKPOINT_INFO pbi; bool deleteOk; pbi = AbpLookupBreakpoint(addr); if (!pbi) return false; //Single shoot breakpoints will be deleted automatically after hit if (!(pbi->options & BPO_SINGLESHOT)) deleteOk = DeleteBreakpoint(addr); else deleteOk = true; //yep its already deleted if (deleteOk) { AbpDeregisterBreakpoint(addr); } return deleteOk; } ================================================ FILE: x64dbgApiBreak/src/callfind.cpp ================================================ #include INTERNAL duint AbiGetCallDestinationAddress(BASIC_INSTRUCTION_INFO *inst); INTERNAL void AbiCacheInstruction(duint addr, BASIC_INSTRUCTION_INFO *inst); INTERNAL void AbiEmptyInstructionCache(); bool AbpInsertCallList(ApiFunctionInfo *afi,duint callAddr) { duint *tmp; duint *calls; int index=0, callsSize = 0; calls = afi->callInfo.calls; index = afi->callInfo.callCount; callsSize = afi->callInfo.callListSize; if (!calls) { callsSize = 20; calls = (duint *)AbMemoryAlloc(callsSize * sizeof(duint)); if (!calls) return false; } else if (index - 1 >= callsSize) { tmp = (duint *)AbMemoryRealloc(calls, (callsSize + 10) * sizeof(duint)); if (!tmp) { DBGPRINT("realloc fail"); return false; } calls = tmp; callsSize += 10; } *(calls + index) = callAddr; index++; afi->callInfo.calls = calls; afi->callInfo.callCount = index; afi->callInfo.callListSize = callsSize; DBGPRINT("Call or jump found on 0x%p", callAddr); return true; } INTERNAL_EXPORT bool AbiIsIndirectCall(duint code, ApiFunctionInfo *afi, duint *indirectRef) { BASIC_INSTRUCTION_INFO destInst; duint apiAddr; DbgDisasmFastAt(code, &destInst); //We looking for only jmp. Eliminate other conditional jumps if (!destInst.call && destInst.branch && HlpBeginsWithA(destInst.instruction, "jmp", FALSE, 3)) { apiAddr = AbiGetCallDestinationAddress(&destInst); if (apiAddr == afi->ownerModule->baseAddr + afi->rva) { if (indirectRef) *indirectRef = code; DBGPRINT("Indirect call (Tramboline) found for %s at 0x%p", afi->name, code); return true; } } return false; } FORWARDED int AbiSearchCallersForAFI(duint codeBase, duint codeSize, ApiFunctionInfo *afi) { #define RETURN(s) { result = s; goto oneWayExit; } duint code,codeEnd; BASIC_INSTRUCTION_INFO inst; duint callAddr,indirectReferencedAddress = 0; int failInsert=0; int result = CSR_FAILED; code = codeBase; codeEnd = code + codeSize; AbiEmptyInstructionCache(); for (;code < codeEnd;) { DbgDisasmFastAt(code, &inst); if (inst.call || inst.branch) { callAddr = AbiGetCallDestinationAddress(&inst); if (!inst.call && inst.branch) //is it jmp? { //Is it an indirectly referenced call? if (code == indirectReferencedAddress) { DBGPRINT("%s is indirectly referenced and bp wont be set for %p", afi->name, code); code += inst.size; continue; } } //Gotcha! if (afi->ownerModule->baseAddr + afi->rva == callAddr) failInsert += (int)!AbpInsertCallList(afi, code); else if (inst.call && AbiIsIndirectCall(callAddr, afi,&indirectReferencedAddress)) failInsert += (int)!AbpInsertCallList(afi, code); } else AbiCacheInstruction(code, &inst); code += inst.size; } if (afi->callInfo.callCount > 0) { if (failInsert > 0) result = CSR_PARTIAL_SUCCESS; else result = CSR_COMPLETELY_SUCCESS; } return result; #undef RETURN } ================================================ FILE: x64dbgApiBreak/src/dynapidetect.cpp ================================================ #include #include #include #include #include #include using namespace Script::Module; using namespace Script::Misc; using namespace std; INTERNAL ApiFunctionInfo *AbiGetAfi(const char *module, const char *afiName); INTERNAL int AbiGetMainModuleCodeSections(ModuleSectionInfo **msi); INTERNAL bool AbiRegisterDynamicApi(const char *module, const char *api, duint mod, duint apiAddr, duint apiRva); INTERNAL bool AbiIsIndirectCall(duint code, ApiFunctionInfo *afi, duint *indirectRef); #define ALIGNTO_PAGE(x) ( ((x)/0x1000+1) * 0x1000 ) typedef unordered_map *> ondemand_api_list; HANDLE AbpDeferListSyncMutant; ondemand_api_list AbpDeferList; #define SYNCH_BEGIN WaitForSingleObject(AbpDeferListSyncMutant,INFINITE) #define SYNCH_END ReleaseMutex(AbpDeferListSyncMutant) /* On x64 calling convention (fastcall) parameters are passed in order left to right the first four parameters are passed in order RCX, RDX, R8, and R9 GetProcAddress call on Amd64 MOV RCX, MODULEHANDLE LEA RDX, HARDCODED_API_STRING CALL GetProcAddress */ /* On x86 architecture, the WIN32 apis uses the stdcall convention So in this convention, parameters are passed in order right to left and they are passed (pushed) through the stack GetProcAddress call on x86 PUSH MODULEHANDLE PUSH HARDCODED_API_STRING CALL GetProcAddress or they may use the stack pointer to passing arguments instead of direct stack pushing SUB ESP, 8 MOV [ESP+4], HARDCODED_API_STRING MOV [ESP],MODULEHANDLE CALL GetProcAddress */ typedef struct { BASIC_INSTRUCTION_INFO inst; duint addr; }CachedInst; #define ABP_CACHED_DISASM_SIZE 20 CachedInst AbpCachedDisasmedInstructions[ABP_CACHED_DISASM_SIZE]; int AbpDisasmedCacheIndex = 0; CachedInst *AbpGetCachedInst(int index) { if (index < 0 || index >= AbpDisasmedCacheIndex) return NULL; return &AbpCachedDisasmedInstructions[index]; } INTERNAL_EXPORT void AbiEmptyInstructionCache() { memset(AbpCachedDisasmedInstructions, 0, sizeof(CachedInst) * ABP_CACHED_DISASM_SIZE); AbpDisasmedCacheIndex = 0; } INTERNAL_EXPORT void AbiCacheInstruction(duint addr, BASIC_INSTRUCTION_INFO *inst) { CachedInst *slot; bool moveUp = AbpDisasmedCacheIndex >= ABP_CACHED_DISASM_SIZE; if (!moveUp) { slot = &AbpCachedDisasmedInstructions[AbpDisasmedCacheIndex]; AbpDisasmedCacheIndex++; } else { memmove( AbpCachedDisasmedInstructions, AbpCachedDisasmedInstructions + 1, sizeof(CachedInst) * (ABP_CACHED_DISASM_SIZE - 1) ); slot = &AbpCachedDisasmedInstructions[ABP_CACHED_DISASM_SIZE - 1]; } memcpy(&slot->inst, inst, sizeof(BASIC_INSTRUCTION_INFO)); slot->addr = addr; } bool AbpRegisterDeferredAPIRegistration(const char *module, const char *api) { string smod(module); ondemand_api_list::iterator it; vector *apiList; char *apiString; it = AbpDeferList.find(smod); if (it == AbpDeferList.end()) { apiList = new vector(); SYNCH_BEGIN; AbpDeferList.insert({ smod,apiList }); SYNCH_END; } else apiList = it->second; apiString = HlpCloneStringA((LPSTR)api); if (!apiString) return false; apiList->push_back(apiString); return true; } INTERNAL_EXPORT duint AbpGetActualDataAddress(BASIC_INSTRUCTION_INFO *inst) { if ((inst->type & TYPE_ADDR) || (inst->type & TYPE_VALUE)) return inst->value.value; else if (inst->type == TYPE_MEMORY) return inst->memory.value; return 0; } bool AbpReadStringFromInstructionSourceAddress(BASIC_INSTRUCTION_INFO *inst, char *nameBuf) { duint addr = AbpGetActualDataAddress(inst); if (!addr || addr < 0x1000) { DBGPRINT("String memory not valid!"); return false; } if (!DbgGetStringAt(addr, nameBuf)) { DBGPRINT("String read error from 0x%p",addr); return false; } //if string begins with 'L' //that hints to the string source is a wide string if (*nameBuf == 'L') { HlpTrimChar(nameBuf, 'L', HLP_TRIM_LEFT); } HlpRemoveQuotations(nameBuf); return true; } bool AbpGetApiStringFromProcLoader(short argNumber, char *nameBuf) { CachedInst *inst; InstInfo loadinst; RegId compVal=RegNone; int cacheIndex; #ifdef _WIN64 switch (argNumber) { case 1: compVal = Cx; break; case 2: compVal = Dx; break; case 3: compVal = r8; break; case 4: compVal = r9; break; } #else argNumber--; #endif cacheIndex = AbpDisasmedCacheIndex; while (--cacheIndex >= 0) { inst = AbpGetCachedInst(cacheIndex); if (AbParseInstruction(&inst->inst, &loadinst)) { if (loadinst.size == 64 && loadinst.mem_access == MA_READ) { switch (loadinst.op) { case OP_MOV: case OP_LEA: { if (compVal == loadinst.reg) { if (AbpReadStringFromInstructionSourceAddress(&inst->inst, nameBuf)) return true; return false; } } break; } } else if (loadinst.size == 32) { switch (loadinst.op) { case OP_MOV: case OP_LEA: { if (loadinst.reg == ImmMem && loadinst.mem_access == MA_WRITE && loadinst.memory_info.base == Sp) { if (loadinst.memory_info.disp == (argNumber * 4)) { if (AbpReadStringFromInstructionSourceAddress(&inst->inst, nameBuf)) return true; return false; } } } break; case OP_PUSH: { if (!argNumber) { if (AbpReadStringFromInstructionSourceAddress(&inst->inst, nameBuf)) return true; return false; } else argNumber--; } break; } } } } return false; } bool AbpExposeStringArgument(short argNumber, char *buf) { return AbpGetApiStringFromProcLoader(argNumber, buf); } bool AbpIsValidApi(const char *module, const char *function, duint *rva) { PBYTE mod = NULL; PIMAGE_NT_HEADERS ntHdr; PIMAGE_DOS_HEADER dosHdr; PIMAGE_EXPORT_DIRECTORY ped; DWORD moduleSize, exportTableVa; HANDLE moduleFile, mapping; char *exportName; ULONG *addressOfNameStrings, *addressOfFunctions; WORD *addressOfOrd; duint imageBase; bool valid = false; char path[3][MAX_PATH]; GetSystemDirectoryA(path[0], MAX_PATH); GetWindowsDirectoryA(path[1], MAX_PATH); AbGetDebuggedModulePath(path[2], MAX_PATH); for (int i=0;i<3;i++) { sprintf(path[i] + strlen(path[i]), "\\%s", module); moduleFile = CreateFileA( path[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if (moduleFile != INVALID_HANDLE_VALUE) break; } if (moduleFile == INVALID_HANDLE_VALUE) return false; moduleSize = GetFileSize(moduleFile, NULL); mapping = CreateFileMappingA(moduleFile, NULL, PAGE_READONLY, 0, ALIGNTO_PAGE(moduleSize), NULL); if (!mapping) { CloseHandle(moduleFile); return false; } mod = (PBYTE)MapViewOfFile(mapping, FILE_MAP_READ, 0, 0, (SIZE_T)moduleSize); if (!mod) { CloseHandle(mapping); CloseHandle(moduleFile); return false; } dosHdr = (PIMAGE_DOS_HEADER)mod; if (dosHdr->e_magic != IMAGE_DOS_SIGNATURE) goto fail; ntHdr = (PIMAGE_NT_HEADERS)(mod + dosHdr->e_lfanew); if (ntHdr->Signature != IMAGE_NT_SIGNATURE) goto fail; imageBase = ntHdr->OptionalHeader.ImageBase; if (imageBase != (duint)mod) imageBase = (duint)mod; exportTableVa = ntHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; ped = (PIMAGE_EXPORT_DIRECTORY)(exportTableVa + imageBase); addressOfNameStrings = (ULONG *)(ped->AddressOfNames + imageBase); for (DWORD i = 0;i < ped->NumberOfNames;i++) { exportName = (char *)(imageBase + addressOfNameStrings[i]); if (!strcmp(exportName, function)) { if (rva != NULL) { addressOfFunctions = (ULONG *)(ped->AddressOfFunctions + imageBase); addressOfOrd = (WORD *)(ped->AddressOfNameOrdinals + imageBase); *rva = (duint)(addressOfFunctions[addressOfOrd[i]]); } valid = true; break; } } fail: UnmapViewOfFile(mod); CloseHandle(mapping); CloseHandle(moduleFile); return valid; } INTERNAL_EXPORT duint AbiGetCallDestinationAddress(BASIC_INSTRUCTION_INFO *inst) { duint callAddr = 0; duint msize; if ((inst->type & TYPE_ADDR) || (inst->type & TYPE_VALUE)) callAddr = inst->value.value; else if (inst->type == TYPE_MEMORY) { msize = inst->memory.size; //Some process injects some chunk of data to the code section for some reason. //And the disassembler interprets them as instruction sequences //For example call fword ptr [mem]. And that memory size will be 6 bytes //Any read attempt on 32 bit machine the memory.value gets overflowed. if (!(msize == size_byte || msize == size_word || msize == size_dword || msize == size_qword)) { return 0; } DbgMemRead(inst->memory.value, &callAddr, msize); } return callAddr; } bool AbpIsAPICall2(duint code, ApiFunctionInfo *afi, BASIC_INSTRUCTION_INFO *inst, bool cacheInstruction) { duint callAddr; if (inst->call && inst->branch) { callAddr = AbiGetCallDestinationAddress(inst); if (callAddr == afi->ownerModule->baseAddr + afi->rva) { DBGPRINT("'%s' call found at %p",afi->name, code); return true; } else { if (AbiIsIndirectCall(callAddr, afi, NULL)) return true; } } if (cacheInstruction) AbiCacheInstruction(code, inst); return false; } bool AbpIsAPICall(duint code, ApiFunctionInfo *afi, BASIC_INSTRUCTION_INFO *inst) { return AbpIsAPICall2(code, afi, inst, true); } #define NEXT_INSTR_ADDR(code, inst) (*code) += (inst)->size bool AbpIsLoadLibraryXXXCall(ApiFunctionInfo **afiList, int afiCount,duint codeAddr, BASIC_INSTRUCTION_INFO *inst, bool cacheInstruction) { for (int i = 0;i < afiCount;i++) { if (AbpIsAPICall2(codeAddr, afiList[i], inst, false)) { return true; } } if (cacheInstruction) AbiCacheInstruction(codeAddr, inst); return false; } bool AbpRegisterAPI(char *module, char *api) { duint funcAddr, modAddr, rva; funcAddr = RemoteGetProcAddress(module, api); //Is module already loaded? if (funcAddr) { modAddr = DbgModBaseFromName(module); rva = funcAddr - modAddr; AbiRegisterDynamicApi(module, api, modAddr, funcAddr, rva); return true; } if (!AbpIsValidApi(module, api,NULL)) { DBGPRINT("Not valid api"); return false; } return AbpRegisterDeferredAPIRegistration(module, api); } INTERNAL_EXPORT void AbiRaiseDeferredLoader(const char *dllName, duint base) { duint funcAddr; ondemand_api_list::iterator modIter; vector *apiList; modIter = AbpDeferList.find(string(dllName)); if (modIter == AbpDeferList.end()) return; apiList = modIter->second; DBGPRINT("Deferred api's are now registering."); for (vector::iterator it = apiList->begin(); it != apiList->end(); it++) { //TODO: Find a way to get remote proc address in DLLLOAD callback //Probably returns null ? funcAddr = Script::Misc::RemoteGetProcAddress(dllName, *it); if (!funcAddr) { //And also it may returns null funcAddr = (duint)ImporterGetRemoteAPIAddressEx(dllName, *it); if (!funcAddr) { duint rva=0; //worst case! //We know the loaded dll's base address. //So if I can read rva of the API from the export table //I can calculate the real API address in the memory. //Its a bit slower but it works. if (AbpIsValidApi(dllName, *it, &rva)) { funcAddr = base + rva; } } } if (funcAddr > 0) { AbiRegisterDynamicApi(dllName, *it, base,funcAddr,funcAddr-base); } } SYNCH_BEGIN; //TODO : Remove loaded modules from list SYNCH_END; //REMOVE waiting mod info } //loaderApi can be LoadLibraryA LoadLibraryW LoadLibraryExA LoadLibraryExW INTERNAL_EXPORT bool AbiDetectAPIsUsingByGetProcAddress() { const char *ldrVariants[6] = { "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"}; BASIC_INSTRUCTION_INFO inst; ModuleSectionInfo *codeSects; ApiFunctionInfo *procafi=NULL; ApiFunctionInfo *libafis[6] = { 0 }; int ldrVariantCount = 0,procLdrCount=0; int totalFoundApi = 0,sectCount; int ldrVariantLimit; bool skip; duint code, end; DBGPRINT("Threadid: %x", GetCurrentThreadId()); char moduleName[128], apiFuncName[128]; procafi = AbiGetAfi("kernel32.dll", "GetProcAddress"); if (AbGetSettings()->includeGetModuleHandle) ldrVariantLimit = 6; else ldrVariantLimit = 4; for (int i = 0;i < ldrVariantLimit;i++) { if ((libafis[ldrVariantCount] = AbiGetAfi("kernel32.dll", ldrVariants[i])) != NULL) ldrVariantCount++; } if (!ldrVariantCount || !procafi) { DBGPRINT("This process does not use any runtime module and api loading."); return false; } sectCount = AbiGetMainModuleCodeSections(&codeSects); if (!sectCount) return false; for (int cnx = 0;cnx < sectCount;cnx++) { code = codeSects[cnx].addr; end = code + codeSects[cnx].size; DBGPRINT("Scanning range %p - %p of %d. section", code, end,cnx+1); while (code < end) { DbgDisasmFastAt(code, &inst); if (AbpIsLoadLibraryXXXCall(libafis, ldrVariantCount, code, &inst, true)) { memset(moduleName, 0, sizeof(moduleName)); skip = !AbpExposeStringArgument(1, moduleName); AbiEmptyInstructionCache(); if (skip) { NEXT_INSTR_ADDR(&code, &inst); continue; } if (!HlpEndsWithA(moduleName, ".dll", FALSE, 4)) strcat(moduleName, ".dll"); procLdrCount = 0; while (1) { NEXT_INSTR_ADDR(&code, &inst); DbgDisasmFastAt(code, &inst); if (!strncmp(inst.instruction, "ret", 3)) { if (!procLdrCount) DBGPRINT("GetProcAddress is not called after LoadLibraryXXX"); //else its ok. there is no more getprocaddress calls for the module DBGPRINT("%d API load found in single module", procLdrCount); NEXT_INSTR_ADDR(&code, &inst); break; } if (AbpIsAPICall(code, procafi, &inst)) { memset(apiFuncName, 0, sizeof(apiFuncName)); if (AbpExposeStringArgument(2, apiFuncName)) { DBGPRINT("Found: %s : %s", moduleName, apiFuncName); totalFoundApi++; procLdrCount++; AbiEmptyInstructionCache(); if (!AbpRegisterAPI(moduleName, apiFuncName)) DBGPRINT("Not load, not registered or not valid: %s:%s", moduleName, apiFuncName); } } else if (AbpIsLoadLibraryXXXCall(libafis, ldrVariantCount, code, &inst, false)) { if (!procLdrCount) { //We dont skip to next instruction address //cuz, It will be our new loadlibrary reference. DBGPRINT("Consecutive loadlibrary calls :/"); } else { DBGPRINT("%d API load found in single module", procLdrCount); } break; } } } else NEXT_INSTR_ADDR(&code, &inst); } } if (totalFoundApi>0) DBGPRINT("%d dynamic API(s) found!", totalFoundApi); DBGPRINT("Dynamic scan finished"); AbMemoryFree(codeSects); return true; } INTERNAL_EXPORT void AbiReleaseDeferredResources() { for (ondemand_api_list::iterator it = AbpDeferList.begin(); it != AbpDeferList.end(); it++) { for (vector::iterator vit = it->second->begin(); vit != it->second->end(); vit++) { FREEOBJECT(*vit); } delete it->second; } AbpDeferList.clear(); } INTERNAL_EXPORT void AbiInitDynapi() { AbpDeferListSyncMutant = CreateMutexA(NULL, FALSE, NULL); } INTERNAL_EXPORT void AbiUninitDynapi() { CloseHandle(AbpDeferListSyncMutant); } ================================================ FILE: x64dbgApiBreak/src/hlprs.cpp ================================================ #include #include void HlpDebugPrint(const char *format, ...) { va_list vl; char content[0x500] = { 0 }; va_start(vl, format); _vsnprintf(content, sizeof(content), format, vl); va_end(vl); _plugin_logputs(content); #ifdef _DEBUG OutputDebugStringA(content); #endif } LPSTR HlpCloneStringA(LPCSTR str) { LPSTR clone; int len; if (!str) return NULL; len = (int)strlen(str); clone = ALLOCSTRINGA(len); if (!clone) return NULL; memcpy(clone, str, len + 1); return clone; } LPWSTR HlpAnsiToWideString(LPCSTR str) { ULONG slen; LPWSTR wstr; if (!str) return NULL; slen = lstrlenA((LPCSTR)str); wstr = (LPWSTR)ALLOCSTRINGW(slen); if (!wstr) return NULL; if (MultiByteToWideChar(CP_ACP, MB_COMPOSITE, str, slen, wstr, slen) == slen) return wstr; FREESTRING(wstr); return NULL; } LPSTR HlpWideToAnsiString(LPCWSTR str) { ULONG slen; LPSTR astr; if (!str) return NULL; slen = lstrlenW((LPCWSTR)str); astr = (LPSTR)ALLOCSTRINGA(slen); if (!astr) return NULL; if (WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, str, slen, astr, slen, NULL, NULL) == slen) return astr; FREESTRING(astr); return NULL; } bool HlpTrimChar(LPSTR str, CHAR chr, int option) { char *p; int len; bool hasEndChr = false; if (!str) return false; if (!option) return false; p = (char *)str; len = (int)strlen(str); if (option & HLP_TRIM_RIGHT) hasEndChr = *(p + (len - 1)) == chr; if (*p == chr && (option & HLP_TRIM_LEFT)) { len -= hasEndChr ? 2 : 1; memmove(p, p + 1, len); *(p + len) = 0; return true; } else if (hasEndChr) { *(p + (len - 1)) = 0; return true; } return false; } #include bool HlpReplaceStringW(LPWSTR string, ULONG stringMaxSize, LPCWSTR find, LPCWSTR replace) { bool result = false; ULONG fCount=0, foundIndex=0; LONG findLen, replLen, strLen, copyLen; LPWSTR px; LONG shiftDelta; PDMA dma; BYTE *memSrc, *memDst; if (!DmaCreateAdapter(sizeof(ULONG), 20, &dma)) return false; findLen = wcslen(find); replLen = wcslen(replace); strLen = wcslen(string); shiftDelta = replLen - findLen; px = string - 1; while(1) { px = wcsstr(px + 1, find); if (!px) break; foundIndex = px - string; if (fCount) foundIndex += fCount * shiftDelta; DmaWrite(dma, DMA_AUTO_OFFSET, sizeof(ULONG), &foundIndex); fCount++; } if (!fCount) goto exit; if (shiftDelta > 0) { if (strLen + (shiftDelta * fCount) > stringMaxSize) goto exit; } for (ULONG i = 0;i < fCount;i++) { DmaReadTypeAlignedSequence(dma, i, 1, &foundIndex); memSrc = (BYTE *)((foundIndex + findLen) * sizeof(WCHAR)); memDst = (BYTE *)((foundIndex + replLen) * sizeof(WCHAR)); memSrc += (duint)string; memDst += (duint)string; copyLen = (strLen - ((LPWSTR)memSrc - string)) * sizeof(WCHAR); memmove(memDst, memSrc, copyLen); if (shiftDelta < 0) { //That's a reducing of the string. We need to null-term new end of the string *((LPWSTR)(memSrc + copyLen - sizeof(WCHAR) * abs(shiftDelta))) = L'\0'; } memcpy(string + foundIndex, replace, sizeof(WCHAR) * replLen); strLen += shiftDelta; } result = true; exit: DmaDestroyAdapter(dma); return result; } bool HlpReplaceStringA(LPSTR string, ULONG stringMaxSize, LPCSTR find, LPCSTR replace) { bool result; LPWSTR stringW; LPWSTR findW, replaceW; LPSTR resultA; stringW = HlpAnsiToWideString(string); findW = HlpAnsiToWideString(find); replaceW = HlpAnsiToWideString(replace); result = HlpReplaceStringW(stringW, stringMaxSize, findW, replaceW); FREESTRING(findW); FREESTRING(replaceW); resultA = HlpWideToAnsiString(stringW); FREESTRING(stringW); strcpy(string, resultA); FREESTRING(resultA); return result; } bool HlpBeginsWithA(LPCSTR look, LPCSTR find,BOOL caseSens, LONG findLen) { bool result; LPWSTR lookW = HlpAnsiToWideString(look); LPWSTR findW = HlpAnsiToWideString(find); result = HlpBeginsWithW(lookW, findW, caseSens, findLen); FREESTRING(lookW); FREESTRING(findW); return result; } bool HlpBeginsWithW(LPCWSTR look, LPCWSTR find, BOOL caseSens, LONG findLen) { int lookLen; if (!look || !find) return false; if (findLen <= 0) return false; lookLen = (int)wcslen(look); if (lookLen < findLen) return false; if (caseSens) return wcsncmp(look, find, findLen) == 0; return _wcsnicmp(look, find, findLen) == 0; } bool HlpEndsWithA(LPCSTR look, LPCSTR find, BOOL caseSens, LONG findLen) { bool result; LPWSTR lookW = HlpAnsiToWideString(look); LPWSTR findW = HlpAnsiToWideString(find); result = HlpEndsWithW(lookW, findW, caseSens, findLen); FREESTRING(lookW); FREESTRING(findW); return result; } bool HlpEndsWithW(LPCWSTR look, LPCWSTR find, BOOL caseSens, LONG findLen) { int lookLen; if (!look || !find) return false; if (findLen <= 0) return false; lookLen = (int)wcslen(look); if (lookLen < findLen) return false; look += lookLen - findLen; if (caseSens) return wcscmp(look, find) == 0; return _wcsicmp(look, find) == 0; } LONG HlpPrintFormatBufferExA(LPSTR *buffer, LPCSTR format, va_list vl) { int reqLen = 0; reqLen = _vsnprintf(NULL, NULL, format, vl); *buffer = ALLOCSTRINGA(reqLen); if (*buffer == NULL) return false; _vsnprintf(*buffer, reqLen + 1, format, vl); return reqLen; } LONG HlpPrintFormatBufferA(LPSTR *buffer, LPCSTR format, ...) { va_list vl; int reqLen; va_start(vl, format); reqLen = HlpPrintFormatBufferExA(buffer, format, vl); va_end(vl); return reqLen; } LONG HlpPrintFormatBufferExW(LPWSTR *buffer, LPCWSTR format, va_list vl) { int reqLen = 0; reqLen = _vsnwprintf(NULL, NULL, format, vl); *buffer = ALLOCSTRINGW(reqLen); if (*buffer == NULL) return false; _vsnwprintf(*buffer, reqLen + 1, format, vl); return reqLen; } LONG HlpPrintFormatBufferW(LPWSTR *buffer, LPCWSTR format, ...) { va_list vl; int reqLen; va_start(vl, format); reqLen = HlpPrintFormatBufferExW(buffer, format, vl); va_end(vl); return reqLen; } LONG HlpConcateStringFormatA(LPSTR buffer, LONG bufLen, LPCSTR format, ...) { LONG currLen, remain,needLen; va_list vl; currLen = strlen(buffer); remain = (bufLen-1) - currLen; va_start(vl, format); needLen = _vsnprintf(NULL, NULL, format, vl); if (remain < needLen) return 0; vsprintf(buffer + currLen, format, vl); va_end(vl); return needLen; } LONG HlpPathFromFilenameA(LPSTR fileName, LPSTR path, LONG pathBufSize, CHAR sep) { char c; LONG pathLen = 0,i=0; LPSTR pathPtr = path; while ((c = *(fileName + i)) != 0) { if (c == sep) pathLen = i; i++; if (i >= pathBufSize) return 0; *pathPtr++ = c; } if (pathLen == 0 && i > 0) return i; pathLen++; path[pathLen] = 0; return pathLen; } LONG HlpPathFromFilenameW(LPWSTR fileName, LPWSTR path, LONG pathBufSize, WCHAR sep) { wchar_t c; LONG pathLen = 0, i = 0; LPWSTR pathPtr = path; while ((c = *(fileName + i)) != 0) { if (c == sep) pathLen = i; i++; if (i >= pathBufSize) return 0; *pathPtr++ = c; } if (pathLen == 0 && i > 0) return i; pathLen++; path[pathLen] = 0; return pathLen; } ================================================ FILE: x64dbgApiBreak/src/incl/apibreak.h ================================================ #ifndef __APIBREAK_H__ #define __APIBREAK_H__ //Disable shitty paranoid warnings #pragma warning(disable:4091) #pragma warning(disable:4800) #pragma warning(disable:4244) #pragma warning(disable:4267) #pragma warning(disable:4390) #define _CRT_SECURE_NO_WARNINGS #define CSR_FAILED 0 #define CSR_COMPLETELY_SUCCESS 1 #define CSR_PARTIAL_SUCCESS 2 #include #include #include #include #include #include #include #include #include using namespace std; #define _T(t) __##t struct __ModuleApiInfo; struct __BpCallbackContext; typedef struct { _T(ModuleApiInfo *) ownerModule; struct { duint * calls; int callCount; int callListSize; }callInfo; duint rva; char name[MAX_LABEL_SIZE]; }ApiFunctionInfo; typedef unordered_map< std::string, ApiFunctionInfo *, std::tr1::hash> apilist; typedef struct __ModuleApiInfo { duint baseAddr; duint listCount; apilist* apiList; char name[MAX_MODULE_SIZE]; }ModuleApiInfo; typedef vector modlist; typedef void(*APIMODULE_ENUM_PROC)(LPCSTR,void *); typedef void(*AB_BREAKPOINT_CALLBACK)(struct __BpCallbackContext *); struct __BREAKPOINT_INFO; typedef struct __BpCallbackContext { duint bpAddr; BRIDGEBP * bp; REGDUMP regContext; AB_BREAKPOINT_CALLBACK callback; ApiFunctionInfo *afi; struct __BREAKPOINT_INFO *ownerBreakpoint; void * user; }BpCallbackContext; typedef struct __BREAKPOINT_INFO { duint addr; duint hitCount; DWORD options; DWORD status; BpCallbackContext* cbctx; }*PBREAKPOINT_INFO, BREAKPOINT_INFO; #define BPS_NONE 0x00000000 #define BPS_EXECUTING_HANDLER 0x00000001 #define BPS_EXECUTING_CALLBACK 0x00000002 #define BPO_NONE 0 #define BPO_BACKTRACK 1 #define BPO_SINGLESHOT 2 void AbDebuggerRun(); void AbDebuggerPause(); void AbDebuggerWaitUntilPaused(); bool AbCmdExecFormat(const char *format, ...); bool AbGetDebuggedImageName(char *buffer); bool AbGetDebuggedModuleInfo(Script::Module::ModuleInfo *modInfo); bool AbGetDebuggedModulePath(char *pathBuf, int bufLen); duint AbGetDebuggedImageBase(); bool AbHasDebuggingProcess(); void AbReleaseModuleResources(); bool AbLoadAvailableModuleAPIs(bool onlyImportsByExe); int AbEnumModuleNames(APIMODULE_ENUM_PROC enumProc, void *user); void AbEnumApiFunctionNames(APIMODULE_ENUM_PROC enumProc, const char *moduleName, void *user); bool AbSetAPIBreakpointOnCallers(const char *module, const char *apiFunction); bool AbSetAPIBreakpoint(const char *module, const char *apiFunction, duint *funcAddr); bool AbSetInstructionBreakpoint(duint instrAddr, AB_BREAKPOINT_CALLBACK callback, void *user, bool singleShot); bool AbSetBreakpointEx(const char *module, const char *apiFunction, duint *funcAddr, DWORD bpo, AB_BREAKPOINT_CALLBACK bpCallback, void *user); bool AbDeleteBreakpoint(duint addr); void AbpReleaseBreakpointResources(); PBREAKPOINT_INFO AbpLookupBreakpoint(duint addr); bool AbpRegisterBreakpoint(duint addr, DWORD options, BpCallbackContext *cbctx); bool AbpDeregisterBreakpoint(duint addr); #endif // !__APIBREAK_H__ ================================================ FILE: x64dbgApiBreak/src/incl/corelib.h ================================================ #ifndef __CORELIB_H_ #define __CORELIB_H_ #include #include #ifdef _WIN64 #pragma comment(lib, "pluginsdk/x64dbg.lib") #pragma comment(lib, "pluginsdk/x64bridge.lib") #pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x64.lib") #else #pragma comment(lib, "pluginsdk/x32dbg.lib") #pragma comment(lib, "pluginsdk/x32bridge.lib") #pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x86.lib") #endif bool AbMemReadGuaranteed(duint va, void *dest, duint size); #define TRACK_MEMORY_ALLOCATIONS #ifdef TRACK_MEMORY_ALLOCATIONS void *AbMemoryAlloc_DBG(int size,const char *file, const char *func, const int line); void *AbMemoryRealloc_DBG(void *memPtr, int newSize, const char *file, const char *func, const int line); void AbMemoryFree_DBG(void *memPtr); void AbTrackMemory_DBG(void *memPtr); #define AbMemoryAlloc(size) AbMemoryAlloc_DBG((size), __FILE__, __FUNCTION__,__LINE__) #define AbMemoryRealloc(memPtr, newSize) AbMemoryRealloc_DBG((memPtr),(newSize),__FILE__, __FUNCTION__,__LINE__) #define AbMemoryFree(memPtr) AbMemoryFree_DBG((memPtr)) #define AbTrackMemory(memPtr) AbTrackMemory_DBG((memPtr)) #ifdef __cplusplus void *operator new(size_t size, char *func, char *file, int line); //this just for compiler warning. it will forward to standart delete call void operator delete(void *memory, char *func, char *file, int line); void operator delete(void *memory); #define new new(__FUNCTION__, __FILE__, __LINE__) #endif #else #define AbMemoryAlloc(size) _AbMemoryAlloc((size)) #define AbMemoryRealloc(memPtr, newSize) _AbMemoryRealloc((memPtr),(newSize)) #define AbMemoryFree(memPtr) _AbMemoryFree((memPtr)) #define AbTrackMemory(memPtr) #endif void *_AbMemoryAlloc(int size); void *_AbMemoryRealloc(void *memPtr, int newSize); void _AbMemoryFree(void *memPtr); void AbRevealPossibleMemoryLeaks(); void AbReleaseAllSystemResources(bool isInShutdown); BOOL AbRaiseSystemError(const char *errorDesc, int errCode, const char *func, const int line); FORWARDED int AbPluginHandle; FORWARDED HWND AbHwndDlgHandle; FORWARDED int AbMenuHandle; FORWARDED int AbMenuDisasmHandle; FORWARDED int AbMenuDumpHandle; FORWARDED int AbMenuStackHandle; FORWARDED HMODULE AbPluginModule; #endif // !__CORELIB_H_ ================================================ FILE: x64dbgApiBreak/src/incl/defs.h ================================================ #ifndef __DEFS_H_ #define __DEFS_H_ #include #define FORWARDED extern #define INTERNAL_EXPORT FORWARDED #define INTERNAL typedef unsigned char uchar; #define DBG_LIBEXPORT extern "C" __declspec(dllexport) #if _DEBUG #define DBGPRINT(s,...) HlpDebugPrint("ApiBreak: " s "\n",##__VA_ARGS__) #define DBGPRINT2(s,...) HlpDebugPrint("ApiBreak: %s\n",##__VA_ARGS__) #define _DBGPRINT(s,...) HlpDebugPrint(s,##__VA_ARGS__) #else #define DBGPRINT(s,...) #define DBGPRINT2(s,...) #define _DBGPRINT(s,...) #endif #define RAISEGLOBALERROR(errString) AbRaiseSystemError(errString, 0,__FUNCTION__,__LINE__) #define BIGERROR(msg) DBGPRINT(msg); \ __debugbreak() #define NOTIMPLEMENTED() HlpDebugPrint(__FUNCTION__ " not implemented yet") #define ALLOCOBJECT(type) (type *)AbMemoryAlloc(sizeof(type)) #define FREEOBJECT(ob) AbMemoryFree((ob)) #define RESIZEOBJECTLIST(type, obj, newSize) (type *)AbMemoryRealloc((obj),sizeof(type) * (newSize)) #define ALLOCSTRINGW(size) (LPWSTR)AbMemoryAlloc(sizeof(WCHAR) * ((size)+1)) #define ALLOCSTRINGA(size) (LPSTR)AbMemoryAlloc(sizeof(CHAR) * ((size)+1)) #define FREESTRING(str) AbMemoryFree((void *)(str)) #if _DEBUG #define DBGBREAK __debugbreak #else #define DBGBREAK #endif #define _stringfy(x) #x #define AB_VERSION_MAJOR 0 #define AB_VERSION_MINOR 5 #define AB_VERSION_BUILD 39 #if _WIN64 #define AB_PLATFORM "x64" #define PLATFORM_SIZE 64 #else #define AB_PLATFORM "x86" #define PLATFORM_SIZE 32 #endif #define AB_PHASE "BETA" #define AB_APPNAME "Api Break (" AB_PHASE ")" #define AB_APPTITLE AB_APPNAME " - " AB_PLATFORM #define AB_VERSION_STRING(maj,min,build) _stringfy(maj) "." _stringfy(min) " Build: " _stringfy(build) #define AB_VERSTR AB_VERSION_STRING(AB_VERSION_MAJOR,AB_VERSION_MINOR,AB_VERSION_BUILD) #define AB_BUILD_TIME __DATE__ " " __TIME__ #endif // !__DEFS_H_ ================================================ FILE: x64dbgApiBreak/src/incl/dlgs/ApiCallMapForm.hpp ================================================ #ifndef __APICALLMAPFORM_HPP_ #define __APICALLMAPFORM_HPP_ #include #include #include #include class ApiCallMapForm : public UiWrapper { private: UiControlBase *txtMapCallResultContent; LPSTR mapContent; LONG lengthOfMapContent; LONG lastReadOffset; static DWORD CALLBACK EditStreamCallback( _In_ DWORD_PTR dwCookie, _In_ LPBYTE pbBuff, _In_ LONG cb, _In_ LONG *pcb ) { LONG remainLen,readLen; ApiCallMapForm *_this = (ApiCallMapForm *)dwCookie; remainLen = _this->lengthOfMapContent - _this->lastReadOffset; if (!remainLen) { *pcb = 0; return 0; } if (remainLen > cb) readLen = cb; else readLen = remainLen; memcpy(pbBuff, (BYTE *)(_this->mapContent + _this->lastReadOffset), readLen); _this->lastReadOffset += readLen; *pcb = readLen; return 0; } public: ApiCallMapForm(LPSTR callMapContent) : UiWrapper(IDD_APICALLMAP, true) { lastReadOffset = 0; mapContent = callMapContent; lengthOfMapContent = strlen(mapContent); } void OnLoaded() { this->txtMapCallResultContent->SendControlMsg(EM_SETSEL, (WPARAM)-1, (LPARAM)-1); } void OnClose() { if (mapContent) FREESTRING(mapContent); } void OnCommand(WPARAM wp, LPARAM lp) { switch (LOWORD(wp)) { case IDC_MAPDLG_BTNCONT: AbDebuggerRun(); Close(); break; } } void OnInit() { EDITSTREAM es; es.dwCookie = (DWORD_PTR)this; es.dwError = 0; es.pfnCallback = EditStreamCallback; this->txtMapCallResultContent = GetControlById(IDC_RTXTAPIMAPCONTENT); this->txtMapCallResultContent->SendControlMsg(EM_STREAMIN, SF_RTF | SFF_PLAINRTF,(LPARAM)&es); //this->txtMapCallResultContent->SetStringA(mapContent); } bool ShowDialog() { return UiWrapper::ShowDialog(true); } }; #endif //__MAINFORM_HPP_ ================================================ FILE: x64dbgApiBreak/src/incl/dlgs/MainForm.hpp ================================================ #ifndef __MAINFORM_HPP_ #define __MAINFORM_HPP_ #include #include #include #define ST_SUCCESS RGB(0x0,0xae,0x0) #define ST_FAIL RGB(0xce,0x0,0x0) #define ST_INFO RGB(0x0,0x0,0xff) #define ST_WARN RGB(0xff,0x4f,0) #define SETSTATUS(t,x,...) this->lblStatus->DrawStringFormatA(1,1,t,"Status: " ## x, __VA_ARGS__) #define _SETSTATUS(t,x,...) _this->lblStatus->DrawStringFormatA(1,1,t,"Status: " ## x, __VA_ARGS__) class MainForm : public UiWrapper { private: UiComboBox *cbModules, *cbApis; UiControlBase *chkUseXref, *lblStatus; void InvalidateApiFunctionList() { char modName[256] = { 0 }; if (!cbModules->GetSelectedIndexTextA(modName)) return; this->cbApis->Clear(); AbEnumApiFunctionNames((APIMODULE_ENUM_PROC)ApiFunctionEnumerator, modName, this); } void SetBP() { char moduleName[256] = { 0 }; char funcName[256] = { 0 }; duint apiAddr; bool isSet; bool bpOnXrefs = false; GetControlTextA(IDC_CBAPIFUNC, funcName, sizeof(funcName)); GetControlTextA(IDC_CBMODULELIST, moduleName, sizeof(moduleName)); bpOnXrefs = (bool)chkUseXref->SendControlMsg(BM_GETCHECK, NULL, NULL); if (bpOnXrefs) { isSet = AbSetAPIBreakpointOnCallers(moduleName, funcName); if (isSet) SETSTATUS(ST_SUCCESS,"Api breakpoint set"); else SETSTATUS(ST_FAIL,"Bp could not be set"); } else { isSet = AbSetAPIBreakpoint(moduleName, funcName, &apiAddr); if (isSet) SETSTATUS(ST_SUCCESS,"Breakpoint is set"); else SETSTATUS(ST_FAIL,"The bp could not be set"); } } static void ModuleEnumerator(LPCSTR modName,void *user) { MainForm *_this = reinterpret_cast(user); _this->cbModules->AddItemA(modName); } static void ApiFunctionEnumerator(LPCSTR funcName, void *user) { MainForm *_this = reinterpret_cast(user); _this->cbApis->AddItemA(funcName); } static int WINAPI ApiLoadWorker(void *arg) { char processName[MAX_MODULE_SIZE] = { 0 }; MainForm *_this = static_cast(arg); int modCount = 0; if (!AbLoadAvailableModuleAPIs(true)) { _this->MsgBoxError("Could not be loaded","error"); return 0; } modCount = AbEnumModuleNames((APIMODULE_ENUM_PROC)ModuleEnumerator, _this); if (modCount > 0) { AbGetDebuggedImageName(processName); _this->SetControlTextFormatA(IDC_GRPMOD, "Imported modules && APIs by \"%s\"", processName); _this->EnableControl(IDC_BTNSETBP); _SETSTATUS(ST_INFO,"%d module(s) loaded",modCount); } return 0; } public : MainForm() : UiWrapper(IDD_MAIN,true) { } void OnCommand(WPARAM wp, LPARAM lp) { switch (LOWORD(wp)) { case IDC_BTNSETBP: SetBP(); break; case IDC_CBMODULELIST: { if (HIWORD(wp) == CBN_SELCHANGE) { InvalidateApiFunctionList(); } } break; case IDC_CHKBPONXREFS: { } break; } UiWrapper::OnCommand(wp, lp); } void OnInit() { SetWindowTitleA(AB_APPTITLE); this->cbModules = GetControlById(IDC_CBMODULELIST); this->cbApis = GetControlById(IDC_CBAPIFUNC); this->chkUseXref = GetControlById(IDC_CHKBPONXREFS); this->lblStatus = GetControlById(IDC_LBLSTATUS); this->lblStatus->EnableOwnerDraw(); DisableControl(IDC_BTNSETBP); SETSTATUS(ST_INFO,"Loading modules"); if (AbHasDebuggingProcess()) QueueUserWorkItem((LPTHREAD_START_ROUTINE)ApiLoadWorker, this, WT_EXECUTEDEFAULT); else SETSTATUS(ST_WARN,"There is no debug process"); } bool ShowDialog() { return UiWrapper::ShowDialog(true); } }; #endif //__MAINFORM_HPP_ ================================================ FILE: x64dbgApiBreak/src/incl/dlgs/SettingsForm.hpp ================================================ #ifndef __SETTINGSFORM_HPP_ #define __SETTINGSFORM_HPP_ #include #include #include #include class SettingsForm : public UiWrapper { private: UiCheckBox *chkDetectDynLdr, *chkInclGetModHandle, *chkAutoload,*chkMapCallctx; UiControlBase *txtScripts; void FillGui() { Settings *settings = AbGetSettings(); this->chkDetectDynLdr->SetState(settings->exposeDynamicApiLoads); this->chkInclGetModHandle->SetState(settings->includeGetModuleHandle); this->chkAutoload->SetState(settings->autoLoadData); this->chkMapCallctx->SetState(settings->mapCallContext); if (settings->mainScripts != NULL) { HlpReplaceStringA(settings->mainScripts, MAX_SETTING_SIZE, ";", "\r\n"); this->txtScripts->SetStringA(settings->mainScripts); } } void GetFromGUI() { Settings *setting = AbGetSettings(); setting->exposeDynamicApiLoads = this->chkDetectDynLdr->GetState(); setting->includeGetModuleHandle = this->chkInclGetModHandle->GetState(); setting->autoLoadData = this->chkAutoload->GetState(); setting->mapCallContext = this->chkMapCallctx->GetState(); txtScripts->GetStringA(&setting->mainScripts, MAX_SETTING_SIZE); HlpReplaceStringA(setting->mainScripts, MAX_SETTING_SIZE, "\r\n", ";"); } bool LoadSettings() { if (AbSettingsLoad()) { FillGui(); return true; } return false; } bool SaveSettings() { GetFromGUI(); return AbSettingsSave(); } public: SettingsForm() : UiWrapper(IDD_SETTINGS, true) { } void OnCommand(WPARAM wp, LPARAM lp) { switch (LOWORD(wp)) { case IDC_BTNSAVESETTINGS: SaveSettings(); //fall trough case IDC_BTNDISCARDSETTINGS: Close(); break; case IDC_CHKDETECTDYNLDR: { if (HIWORD(wp) == BN_CLICKED) { bool state = this->chkDetectDynLdr->GetState(); this->chkInclGetModHandle->SetState(state); this->chkInclGetModHandle->SetEnableState(state); } break; } } UiWrapper::OnCommand(wp, lp); } void OnInit() { SetWindowTitleA(AB_APPTITLE); this->chkDetectDynLdr = GetControlById(IDC_CHKDETECTDYNLDR); this->chkInclGetModHandle = GetControlById(IDC_CHKINSPGETMODULEHANDLE); this->chkAutoload = GetControlById(IDC_CHKAUTOLOAD); this->chkMapCallctx = GetControlById(IDC_CHKMAPCALLCTX); this->txtScripts = GetControlById(IDC_TXTMAINSCRIPTS); LoadSettings(); } bool ShowDialog() { return UiWrapper::ShowDialog(true); } }; #endif //__SETTINGSFORM_HPP_ ================================================ FILE: x64dbgApiBreak/src/incl/hlp.h ================================================ #ifndef __HELPER_H_ #define __HELPER_H_ #include #define HLP_TRIM_LEFT 1 #define HLP_TRIM_RIGHT 2 #define HLP_TRIM_BOTH (HLP_TRIM_LEFT | HLP_TRIM_RIGHT) void HlpDebugPrint(const char *format, ...); LPSTR HlpCloneStringA(LPCSTR str); LPWSTR HlpAnsiToWideString(LPCSTR str); LPSTR HlpWideToAnsiString(LPCWSTR str); bool HlpTrimChar(LPSTR str, CHAR chr, int option); #define HlpRemoveQuotations(str) HlpTrimChar(str, '\"', HLP_TRIM_BOTH) bool HlpReplaceStringW(LPWSTR string, ULONG stringMaxSize, LPCWSTR find, LPCWSTR replace); bool HlpReplaceStringA(LPSTR string, ULONG stringMaxSize, LPCSTR find, LPCSTR replace); bool HlpBeginsWithA(LPCSTR look, LPCSTR find, BOOL caseSens, LONG findLen); bool HlpBeginsWithW(LPCWSTR look, LPCWSTR find, BOOL caseSens, LONG findLen); bool HlpEndsWithA(LPCSTR look, LPCSTR find, BOOL caseSens, LONG findLen); bool HlpEndsWithW(LPCWSTR look, LPCWSTR find, BOOL caseSens, LONG findLen); LONG HlpPrintFormatBufferExA(LPSTR *buffer, LPCSTR format, va_list vl); LONG HlpPrintFormatBufferA(LPSTR *buffer, LPCSTR format, ...); LONG HlpPrintFormatBufferExW(LPWSTR *buffer, LPCWSTR format, va_list vl); LONG HlpPrintFormatBufferW(LPWSTR *buffer, LPCWSTR format, ...); LONG HlpConcateStringFormatA(LPSTR buffer, LONG bufLen, LPCSTR format, ...); LONG HlpPathFromFilenameA(LPSTR fileName, LPSTR path, LONG pathBufSize, CHAR sep); LONG HlpPathFromFilenameW(LPWSTR fileName, LPWSTR path, LONG pathBufSize, WCHAR sep); #endif // !__HELPER_H_ ================================================ FILE: x64dbgApiBreak/src/incl/instparse.h ================================================ #ifndef __INSTPARSE_H__ #define __INSTPARSE_H__ #include typedef struct { uchar size; uchar op; char reg; uchar reg_oper; uchar mem_access; duint imm; struct { uchar base; uchar index; uchar scale; int disp; }memory_info; }InstInfo; #define MA_NONE 0 #define MA_READ 1 #define MA_WRITE 2 #define OP_MOV 1 #define OP_LEA 2 #define OP_PUSH 3 #define ORD_OP 0 #define ORD_DREG 1 #define ORD_SREG 2 #define ORD_DONE 3 #define GET_REGSIZE(pfx) (pfx == 'r' ? 64 : pfx == 'e' ? 32 : 8) typedef enum { RegNone = -1, Ax, Bx, Cx, Dx, Si, Di, Bp, Sp, r8, r9, r10, r11, r12, r13, r14, r15, ImmMem }RegId; bool AbParseInstruction(BASIC_INSTRUCTION_INFO *inst, InstInfo *linst); #endif // !__INSTPARSE_H__ ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/DeviceNameResolver/DeviceNameResolver.h ================================================ #ifndef _DEVICENAMERESOLVER_H #define _DEVICENAMERESOLVER_H #include #ifdef __cplusplus extern "C" { #endif __declspec(dllexport) bool DevicePathToPathW(const wchar_t* szDevicePath, wchar_t* szPath, size_t nSizeInChars); __declspec(dllexport) bool DevicePathToPathA(const char* szDevicePath, char* szPath, size_t nSizeInChars); __declspec(dllexport) bool DevicePathFromFileHandleW(HANDLE hFile, wchar_t* szDevicePath, size_t nSizeInChars); __declspec(dllexport) bool DevicePathFromFileHandleA(HANDLE hFile, char* szDevicePath, size_t nSizeInChars); __declspec(dllexport) bool PathFromFileHandleW(HANDLE hFile, wchar_t* szPath, size_t nSizeInChars); __declspec(dllexport) bool PathFromFileHandleA(HANDLE hFile, char* szPath, size_t nSizeInChars); #ifdef __cplusplus } #endif #endif // _DEVICENAMERESOLVER_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/TitanEngine/TitanEngine.h ================================================ #ifndef TITANENGINE #define TITANENGINE #define TITCALL #if _MSC_VER > 1000 #pragma once #endif #include #include #pragma pack(push, 1) // Global.Constant.Structure.Declaration: // Engine.External: #define UE_STRUCT_PE32STRUCT 1 #define UE_STRUCT_PE64STRUCT 2 #define UE_STRUCT_PESTRUCT 3 #define UE_STRUCT_IMPORTENUMDATA 4 #define UE_STRUCT_THREAD_ITEM_DATA 5 #define UE_STRUCT_LIBRARY_ITEM_DATA 6 #define UE_STRUCT_LIBRARY_ITEM_DATAW 7 #define UE_STRUCT_PROCESS_ITEM_DATA 8 #define UE_STRUCT_HANDLERARRAY 9 #define UE_STRUCT_PLUGININFORMATION 10 #define UE_STRUCT_HOOK_ENTRY 11 #define UE_STRUCT_FILE_STATUS_INFO 12 #define UE_STRUCT_FILE_FIX_INFO 13 #define UE_STRUCT_X87FPUREGISTER 14 #define UE_STRUCT_X87FPU 15 #define UE_STRUCT_TITAN_ENGINE_CONTEXT 16 #define UE_ACCESS_READ 0 #define UE_ACCESS_WRITE 1 #define UE_ACCESS_ALL 2 #define UE_HIDE_PEBONLY 0 #define UE_HIDE_BASIC 1 #define UE_PLUGIN_CALL_REASON_PREDEBUG 1 #define UE_PLUGIN_CALL_REASON_EXCEPTION 2 #define UE_PLUGIN_CALL_REASON_POSTDEBUG 3 #define UE_PLUGIN_CALL_REASON_UNHANDLEDEXCEPTION 4 #define TEE_HOOK_NRM_JUMP 1 #define TEE_HOOK_NRM_CALL 3 #define TEE_HOOK_IAT 5 #define UE_ENGINE_ALOW_MODULE_LOADING 1 #define UE_ENGINE_AUTOFIX_FORWARDERS 2 #define UE_ENGINE_PASS_ALL_EXCEPTIONS 3 #define UE_ENGINE_NO_CONSOLE_WINDOW 4 #define UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS 5 #define UE_ENGINE_CALL_PLUGIN_CALLBACK 6 #define UE_ENGINE_RESET_CUSTOM_HANDLER 7 #define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8 #define UE_ENGINE_SET_DEBUG_PRIVILEGE 9 #define UE_OPTION_REMOVEALL 1 #define UE_OPTION_DISABLEALL 2 #define UE_OPTION_REMOVEALLDISABLED 3 #define UE_OPTION_REMOVEALLENABLED 4 #define UE_STATIC_DECRYPTOR_XOR 1 #define UE_STATIC_DECRYPTOR_SUB 2 #define UE_STATIC_DECRYPTOR_ADD 3 #define UE_STATIC_DECRYPTOR_FOREWARD 1 #define UE_STATIC_DECRYPTOR_BACKWARD 2 #define UE_STATIC_KEY_SIZE_1 1 #define UE_STATIC_KEY_SIZE_2 2 #define UE_STATIC_KEY_SIZE_4 4 #define UE_STATIC_KEY_SIZE_8 8 #define UE_STATIC_APLIB 1 #define UE_STATIC_APLIB_DEPACK 2 #define UE_STATIC_LZMA 3 #define UE_STATIC_HASH_MD5 1 #define UE_STATIC_HASH_SHA1 2 #define UE_STATIC_HASH_CRC32 3 #define UE_RESOURCE_LANGUAGE_ANY -1 #define UE_PE_OFFSET 0 #define UE_IMAGEBASE 1 #define UE_OEP 2 #define UE_SIZEOFIMAGE 3 #define UE_SIZEOFHEADERS 4 #define UE_SIZEOFOPTIONALHEADER 5 #define UE_SECTIONALIGNMENT 6 #define UE_IMPORTTABLEADDRESS 7 #define UE_IMPORTTABLESIZE 8 #define UE_RESOURCETABLEADDRESS 9 #define UE_RESOURCETABLESIZE 10 #define UE_EXPORTTABLEADDRESS 11 #define UE_EXPORTTABLESIZE 12 #define UE_TLSTABLEADDRESS 13 #define UE_TLSTABLESIZE 14 #define UE_RELOCATIONTABLEADDRESS 15 #define UE_RELOCATIONTABLESIZE 16 #define UE_TIMEDATESTAMP 17 #define UE_SECTIONNUMBER 18 #define UE_CHECKSUM 19 #define UE_SUBSYSTEM 20 #define UE_CHARACTERISTICS 21 #define UE_NUMBEROFRVAANDSIZES 22 #define UE_BASEOFCODE 23 #define UE_BASEOFDATA 24 #define UE_DLLCHARACTERISTICS 25 //leaving some enum space here for future additions #define UE_SECTIONNAME 40 #define UE_SECTIONVIRTUALOFFSET 41 #define UE_SECTIONVIRTUALSIZE 42 #define UE_SECTIONRAWOFFSET 43 #define UE_SECTIONRAWSIZE 44 #define UE_SECTIONFLAGS 45 #define UE_VANOTFOUND = -2; #define UE_CH_BREAKPOINT 1 #define UE_CH_SINGLESTEP 2 #define UE_CH_ACCESSVIOLATION 3 #define UE_CH_ILLEGALINSTRUCTION 4 #define UE_CH_NONCONTINUABLEEXCEPTION 5 #define UE_CH_ARRAYBOUNDSEXCEPTION 6 #define UE_CH_FLOATDENORMALOPERAND 7 #define UE_CH_FLOATDEVIDEBYZERO 8 #define UE_CH_INTEGERDEVIDEBYZERO 9 #define UE_CH_INTEGEROVERFLOW 10 #define UE_CH_PRIVILEGEDINSTRUCTION 11 #define UE_CH_PAGEGUARD 12 #define UE_CH_EVERYTHINGELSE 13 #define UE_CH_CREATETHREAD 14 #define UE_CH_EXITTHREAD 15 #define UE_CH_CREATEPROCESS 16 #define UE_CH_EXITPROCESS 17 #define UE_CH_LOADDLL 18 #define UE_CH_UNLOADDLL 19 #define UE_CH_OUTPUTDEBUGSTRING 20 #define UE_CH_AFTEREXCEPTIONPROCESSING 21 #define UE_CH_SYSTEMBREAKPOINT 23 #define UE_CH_UNHANDLEDEXCEPTION 24 #define UE_CH_RIPEVENT 25 #define UE_CH_DEBUGEVENT 26 #define UE_OPTION_HANDLER_RETURN_HANDLECOUNT 1 #define UE_OPTION_HANDLER_RETURN_ACCESS 2 #define UE_OPTION_HANDLER_RETURN_FLAGS 3 #define UE_OPTION_HANDLER_RETURN_TYPENAME 4 #define UE_BREAKPOINT_INT3 1 #define UE_BREAKPOINT_LONG_INT3 2 #define UE_BREAKPOINT_UD2 3 #define UE_BPXREMOVED 0 #define UE_BPXACTIVE 1 #define UE_BPXINACTIVE 2 #define UE_BREAKPOINT 0 #define UE_SINGLESHOOT 1 #define UE_HARDWARE 2 #define UE_MEMORY 3 #define UE_MEMORY_READ 4 #define UE_MEMORY_WRITE 5 #define UE_MEMORY_EXECUTE 6 #define UE_BREAKPOINT_TYPE_INT3 0x10000000 #define UE_BREAKPOINT_TYPE_LONG_INT3 0x20000000 #define UE_BREAKPOINT_TYPE_UD2 0x30000000 #define UE_HARDWARE_EXECUTE 4 #define UE_HARDWARE_WRITE 5 #define UE_HARDWARE_READWRITE 6 #define UE_HARDWARE_SIZE_1 7 #define UE_HARDWARE_SIZE_2 8 #define UE_HARDWARE_SIZE_4 9 #define UE_HARDWARE_SIZE_8 10 #define UE_ON_LIB_LOAD 1 #define UE_ON_LIB_UNLOAD 2 #define UE_ON_LIB_ALL 3 #define UE_APISTART 0 #define UE_APIEND 1 #define UE_PLATFORM_x86 1 #define UE_PLATFORM_x64 2 #define UE_PLATFORM_ALL 3 #define UE_FUNCTION_STDCALL 1 #define UE_FUNCTION_CCALL 2 #define UE_FUNCTION_FASTCALL 3 #define UE_FUNCTION_STDCALL_RET 4 #define UE_FUNCTION_CCALL_RET 5 #define UE_FUNCTION_FASTCALL_RET 6 #define UE_FUNCTION_STDCALL_CALL 7 #define UE_FUNCTION_CCALL_CALL 8 #define UE_FUNCTION_FASTCALL_CALL 9 #define UE_PARAMETER_BYTE 0 #define UE_PARAMETER_WORD 1 #define UE_PARAMETER_DWORD 2 #define UE_PARAMETER_QWORD 3 #define UE_PARAMETER_PTR_BYTE 4 #define UE_PARAMETER_PTR_WORD 5 #define UE_PARAMETER_PTR_DWORD 6 #define UE_PARAMETER_PTR_QWORD 7 #define UE_PARAMETER_STRING 8 #define UE_PARAMETER_UNICODE 9 #define UE_EAX 1 #define UE_EBX 2 #define UE_ECX 3 #define UE_EDX 4 #define UE_EDI 5 #define UE_ESI 6 #define UE_EBP 7 #define UE_ESP 8 #define UE_EIP 9 #define UE_EFLAGS 10 #define UE_DR0 11 #define UE_DR1 12 #define UE_DR2 13 #define UE_DR3 14 #define UE_DR6 15 #define UE_DR7 16 #define UE_RAX 17 #define UE_RBX 18 #define UE_RCX 19 #define UE_RDX 20 #define UE_RDI 21 #define UE_RSI 22 #define UE_RBP 23 #define UE_RSP 24 #define UE_RIP 25 #define UE_RFLAGS 26 #define UE_R8 27 #define UE_R9 28 #define UE_R10 29 #define UE_R11 30 #define UE_R12 31 #define UE_R13 32 #define UE_R14 33 #define UE_R15 34 #define UE_CIP 35 #define UE_CSP 36 #ifdef _WIN64 #define UE_CFLAGS UE_RFLAGS #else #define UE_CFLAGS UE_EFLAGS #endif #define UE_SEG_GS 37 #define UE_SEG_FS 38 #define UE_SEG_ES 39 #define UE_SEG_DS 40 #define UE_SEG_CS 41 #define UE_SEG_SS 42 #define UE_x87_r0 43 #define UE_x87_r1 44 #define UE_x87_r2 45 #define UE_x87_r3 46 #define UE_x87_r4 47 #define UE_x87_r5 48 #define UE_x87_r6 49 #define UE_x87_r7 50 #define UE_X87_STATUSWORD 51 #define UE_X87_CONTROLWORD 52 #define UE_X87_TAGWORD 53 #define UE_MXCSR 54 #define UE_MMX0 55 #define UE_MMX1 56 #define UE_MMX2 57 #define UE_MMX3 58 #define UE_MMX4 59 #define UE_MMX5 60 #define UE_MMX6 61 #define UE_MMX7 62 #define UE_XMM0 63 #define UE_XMM1 64 #define UE_XMM2 65 #define UE_XMM3 66 #define UE_XMM4 67 #define UE_XMM5 68 #define UE_XMM6 69 #define UE_XMM7 70 #define UE_XMM8 71 #define UE_XMM9 72 #define UE_XMM10 73 #define UE_XMM11 74 #define UE_XMM12 75 #define UE_XMM13 76 #define UE_XMM14 77 #define UE_XMM15 78 #define UE_x87_ST0 79 #define UE_x87_ST1 80 #define UE_x87_ST2 81 #define UE_x87_ST3 82 #define UE_x87_ST4 83 #define UE_x87_ST5 84 #define UE_x87_ST6 85 #define UE_x87_ST7 86 #define UE_YMM0 87 #define UE_YMM1 88 #define UE_YMM2 89 #define UE_YMM3 90 #define UE_YMM4 91 #define UE_YMM5 92 #define UE_YMM6 93 #define UE_YMM7 94 #define UE_YMM8 95 #define UE_YMM9 96 #define UE_YMM10 97 #define UE_YMM11 98 #define UE_YMM12 99 #define UE_YMM13 100 #define UE_YMM14 101 #define UE_YMM15 102 #ifndef CONTEXT_EXTENDED_REGISTERS #define CONTEXT_EXTENDED_REGISTERS 0 #endif typedef struct { DWORD PE32Offset; DWORD ImageBase; DWORD OriginalEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD NtSizeOfImage; DWORD NtSizeOfHeaders; WORD SizeOfOptionalHeaders; DWORD FileAlignment; DWORD SectionAligment; DWORD ImportTableAddress; DWORD ImportTableSize; DWORD ResourceTableAddress; DWORD ResourceTableSize; DWORD ExportTableAddress; DWORD ExportTableSize; DWORD TLSTableAddress; DWORD TLSTableSize; DWORD RelocationTableAddress; DWORD RelocationTableSize; DWORD TimeDateStamp; WORD SectionNumber; DWORD CheckSum; WORD SubSystem; WORD Characteristics; DWORD NumberOfRvaAndSizes; } PE32Struct, *PPE32Struct; typedef struct { DWORD PE64Offset; DWORD64 ImageBase; DWORD OriginalEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD NtSizeOfImage; DWORD NtSizeOfHeaders; WORD SizeOfOptionalHeaders; DWORD FileAlignment; DWORD SectionAligment; DWORD ImportTableAddress; DWORD ImportTableSize; DWORD ResourceTableAddress; DWORD ResourceTableSize; DWORD ExportTableAddress; DWORD ExportTableSize; DWORD TLSTableAddress; DWORD TLSTableSize; DWORD RelocationTableAddress; DWORD RelocationTableSize; DWORD TimeDateStamp; WORD SectionNumber; DWORD CheckSum; WORD SubSystem; WORD Characteristics; DWORD NumberOfRvaAndSizes; } PE64Struct, *PPE64Struct; #if defined(_WIN64) typedef PE64Struct PEStruct; #else typedef PE32Struct PEStruct; #endif typedef struct { bool NewDll; int NumberOfImports; ULONG_PTR ImageBase; ULONG_PTR BaseImportThunk; ULONG_PTR ImportThunk; char* APIName; char* DLLName; } ImportEnumData, *PImportEnumData; typedef struct { HANDLE hThread; DWORD dwThreadId; void* ThreadStartAddress; void* ThreadLocalBase; void* TebAddress; ULONG WaitTime; LONG Priority; LONG BasePriority; ULONG ContextSwitches; ULONG ThreadState; ULONG WaitReason; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; typedef struct { HANDLE hFile; void* BaseOfDll; HANDLE hFileMapping; void* hFileMappingView; char szLibraryPath[MAX_PATH]; char szLibraryName[MAX_PATH]; } LIBRARY_ITEM_DATA, *PLIBRARY_ITEM_DATA; typedef struct { HANDLE hFile; void* BaseOfDll; HANDLE hFileMapping; void* hFileMappingView; wchar_t szLibraryPath[MAX_PATH]; wchar_t szLibraryName[MAX_PATH]; } LIBRARY_ITEM_DATAW, *PLIBRARY_ITEM_DATAW; typedef struct { HANDLE hProcess; DWORD dwProcessId; HANDLE hThread; DWORD dwThreadId; HANDLE hFile; void* BaseOfImage; void* ThreadStartAddress; void* ThreadLocalBase; } PROCESS_ITEM_DATA, *PPROCESS_ITEM_DATA; typedef struct { ULONG ProcessId; HANDLE hHandle; } HandlerArray, *PHandlerArray; typedef struct { char PluginName[64]; DWORD PluginMajorVersion; DWORD PluginMinorVersion; HMODULE PluginBaseAddress; void* TitanDebuggingCallBack; void* TitanRegisterPlugin; void* TitanReleasePlugin; void* TitanResetPlugin; bool PluginDisabled; } PluginInformation, *PPluginInformation; #define TEE_MAXIMUM_HOOK_SIZE 14 #define TEE_MAXIMUM_HOOK_RELOCS 7 #if defined(_WIN64) #define TEE_MAXIMUM_HOOK_INSERT_SIZE 14 #else #define TEE_MAXIMUM_HOOK_INSERT_SIZE 5 #endif typedef struct HOOK_ENTRY { bool IATHook; BYTE HookType; DWORD HookSize; void* HookAddress; void* RedirectionAddress; BYTE HookBytes[TEE_MAXIMUM_HOOK_SIZE]; BYTE OriginalBytes[TEE_MAXIMUM_HOOK_SIZE]; void* IATHookModuleBase; DWORD IATHookNameHash; bool HookIsEnabled; bool HookIsRemote; void* PatchedEntry; DWORD RelocationInfo[TEE_MAXIMUM_HOOK_RELOCS]; int RelocationCount; } HOOK_ENTRY, *PHOOK_ENTRY; #define UE_DEPTH_SURFACE 0 #define UE_DEPTH_DEEP 1 #define UE_UNPACKER_CONDITION_SEARCH_FROM_EP 1 #define UE_UNPACKER_CONDITION_LOADLIBRARY 1 #define UE_UNPACKER_CONDITION_GETPROCADDRESS 2 #define UE_UNPACKER_CONDITION_ENTRYPOINTBREAK 3 #define UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 4 #define UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 5 #define UE_FIELD_OK 0 #define UE_FIELD_BROKEN_NON_FIXABLE 1 #define UE_FIELD_BROKEN_NON_CRITICAL 2 #define UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE 3 #define UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED 4 #define UE_FIELD_FIXABLE_NON_CRITICAL 5 #define UE_FIELD_FIXABLE_CRITICAL 6 #define UE_FIELD_NOT_PRESET 7 #define UE_FIELD_NOT_PRESET_WARNING 8 #define UE_RESULT_FILE_OK 10 #define UE_RESULT_FILE_INVALID_BUT_FIXABLE 11 #define UE_RESULT_FILE_INVALID_AND_NON_FIXABLE 12 #define UE_RESULT_FILE_INVALID_FORMAT 13 typedef struct { BYTE OveralEvaluation; bool EvaluationTerminatedByException; bool FileIs64Bit; bool FileIsDLL; bool FileIsConsole; bool MissingDependencies; bool MissingDeclaredAPIs; BYTE SignatureMZ; BYTE SignaturePE; BYTE EntryPoint; BYTE ImageBase; BYTE SizeOfImage; BYTE FileAlignment; BYTE SectionAlignment; BYTE ExportTable; BYTE RelocationTable; BYTE ImportTable; BYTE ImportTableSection; BYTE ImportTableData; BYTE IATTable; BYTE TLSTable; BYTE LoadConfigTable; BYTE BoundImportTable; BYTE COMHeaderTable; BYTE ResourceTable; BYTE ResourceData; BYTE SectionTable; } FILE_STATUS_INFO, *PFILE_STATUS_INFO; typedef struct { BYTE OveralEvaluation; bool FixingTerminatedByException; bool FileFixPerformed; bool StrippedRelocation; bool DontFixRelocations; DWORD OriginalRelocationTableAddress; DWORD OriginalRelocationTableSize; bool StrippedExports; bool DontFixExports; DWORD OriginalExportTableAddress; DWORD OriginalExportTableSize; bool StrippedResources; bool DontFixResources; DWORD OriginalResourceTableAddress; DWORD OriginalResourceTableSize; bool StrippedTLS; bool DontFixTLS; DWORD OriginalTLSTableAddress; DWORD OriginalTLSTableSize; bool StrippedLoadConfig; bool DontFixLoadConfig; DWORD OriginalLoadConfigTableAddress; DWORD OriginalLoadConfigTableSize; bool StrippedBoundImports; bool DontFixBoundImports; DWORD OriginalBoundImportTableAddress; DWORD OriginalBoundImportTableSize; bool StrippedIAT; bool DontFixIAT; DWORD OriginalImportAddressTableAddress; DWORD OriginalImportAddressTableSize; bool StrippedCOM; bool DontFixCOM; DWORD OriginalCOMTableAddress; DWORD OriginalCOMTableSize; } FILE_FIX_INFO, *PFILE_FIX_INFO; typedef struct DECLSPEC_ALIGN(16) _XmmRegister_t { ULONGLONG Low; LONGLONG High; } XmmRegister_t; typedef struct { XmmRegister_t Low; //XMM/SSE part XmmRegister_t High; //AVX part } YmmRegister_t; typedef struct { BYTE data[10]; int st_value; int tag; } x87FPURegister_t; typedef struct { WORD ControlWord; WORD StatusWord; WORD TagWord; DWORD ErrorOffset; DWORD ErrorSelector; DWORD DataOffset; DWORD DataSelector; DWORD Cr0NpxState; } x87FPU_t; typedef struct { ULONG_PTR cax; ULONG_PTR ccx; ULONG_PTR cdx; ULONG_PTR cbx; ULONG_PTR csp; ULONG_PTR cbp; ULONG_PTR csi; ULONG_PTR cdi; #ifdef _WIN64 ULONG_PTR r8; ULONG_PTR r9; ULONG_PTR r10; ULONG_PTR r11; ULONG_PTR r12; ULONG_PTR r13; ULONG_PTR r14; ULONG_PTR r15; #endif //_WIN64 ULONG_PTR cip; ULONG_PTR eflags; unsigned short gs; unsigned short fs; unsigned short es; unsigned short ds; unsigned short cs; unsigned short ss; ULONG_PTR dr0; ULONG_PTR dr1; ULONG_PTR dr2; ULONG_PTR dr3; ULONG_PTR dr6; ULONG_PTR dr7; BYTE RegisterArea[80]; x87FPU_t x87fpu; DWORD MxCsr; #ifdef _WIN64 XmmRegister_t XmmRegisters[16]; YmmRegister_t YmmRegisters[16]; #else // x86 XmmRegister_t XmmRegisters[8]; YmmRegister_t YmmRegisters[8]; #endif } TITAN_ENGINE_CONTEXT_t; #ifdef __cplusplus extern "C" { #endif // Global.Function.Declaration: // TitanEngine.Dumper.functions: __declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, const char* szDumpFileName, ULONG_PTR EntryPoint); __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, const wchar_t* szDumpFileName, ULONG_PTR EntryPoint); __declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, const char* szDumpFileName, ULONG_PTR EntryPoint); __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, const wchar_t* szDumpFileName, ULONG_PTR EntryPoint); __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, const char* szDumpFileName); __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, const char* szDumpFileName); __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, const char* szDumpFolder, bool DumpAboveImageBaseOnly); __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, const wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly); __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, const char* szDumpFolder, bool DumpAboveImageBaseOnly); __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, const wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly); __declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, const char* szDumpFileName); __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, const char* szDumpFileName); __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, const char* szDebuggedFileName); __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, const wchar_t* szDebuggedFileName); __declspec(dllexport) bool TITCALL ExtractSection(const char* szFileName, const char* szDumpFileName, DWORD SectionNumber); __declspec(dllexport) bool TITCALL ExtractSectionW(const wchar_t* szFileName, const wchar_t* szDumpFileName, DWORD SectionNumber); __declspec(dllexport) bool TITCALL ResortFileSections(const char* szFileName); __declspec(dllexport) bool TITCALL ResortFileSectionsW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL FindOverlay(const char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize); __declspec(dllexport) bool TITCALL FindOverlayW(const wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize); __declspec(dllexport) bool TITCALL ExtractOverlay(const char* szFileName, const char* szExtactedFileName); __declspec(dllexport) bool TITCALL ExtractOverlayW(const wchar_t* szFileName, const wchar_t* szExtactedFileName); __declspec(dllexport) bool TITCALL AddOverlay(const char* szFileName, const char* szOverlayFileName); __declspec(dllexport) bool TITCALL AddOverlayW(const wchar_t* szFileName, const wchar_t* szOverlayFileName); __declspec(dllexport) bool TITCALL CopyOverlay(const char* szInFileName, const char* szOutFileName); __declspec(dllexport) bool TITCALL CopyOverlayW(const wchar_t* szInFileName, const wchar_t* szOutFileName); __declspec(dllexport) bool TITCALL RemoveOverlay(const char* szFileName); __declspec(dllexport) bool TITCALL RemoveOverlayW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL MakeAllSectionsRWE(const char* szFileName); __declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(const wchar_t* szFileName); __declspec(dllexport) long TITCALL AddNewSectionEx(const char* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize); __declspec(dllexport) long TITCALL AddNewSectionExW(const wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize); __declspec(dllexport) long TITCALL AddNewSection(const char* szFileName, const char* szSectionName, DWORD SectionSize); __declspec(dllexport) long TITCALL AddNewSectionW(const wchar_t* szFileName, const char* szSectionName, DWORD SectionSize); __declspec(dllexport) bool TITCALL ResizeLastSection(const char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData); __declspec(dllexport) bool TITCALL ResizeLastSectionW(const wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData); __declspec(dllexport) void TITCALL SetSharedOverlay(const char* szFileName); __declspec(dllexport) void TITCALL SetSharedOverlayW(const wchar_t* szFileName); __declspec(dllexport) char* TITCALL GetSharedOverlay(); __declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW(); __declspec(dllexport) bool TITCALL DeleteLastSection(const char* szFileName); __declspec(dllexport) bool TITCALL DeleteLastSectionW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL DeleteLastSectionEx(const char* szFileName, DWORD NumberOfSections); __declspec(dllexport) bool TITCALL DeleteLastSectionExW(const wchar_t* szFileName, DWORD NumberOfSections); __declspec(dllexport) ULONG_PTR TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData); __declspec(dllexport) ULONG_PTR TITCALL GetPE32Data(const char* szFileName, DWORD WhichSection, DWORD WhichData); __declspec(dllexport) ULONG_PTR TITCALL GetPE32DataW(const wchar_t* szFileName, DWORD WhichSection, DWORD WhichData); __declspec(dllexport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage); __declspec(dllexport) bool TITCALL GetPE32DataEx(const char* szFileName, LPVOID DataStorage); __declspec(dllexport) bool TITCALL GetPE32DataExW(const wchar_t* szFileName, LPVOID DataStorage); __declspec(dllexport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); __declspec(dllexport) bool TITCALL SetPE32Data(const char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); __declspec(dllexport) bool TITCALL SetPE32DataW(const wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); __declspec(dllexport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage); __declspec(dllexport) bool TITCALL SetPE32DataEx(const char* szFileName, LPVOID DataStorage); __declspec(dllexport) bool TITCALL SetPE32DataExW(const wchar_t* szFileName, LPVOID DataStorage); __declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert); __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType); __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType); __declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType); __declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType); __declspec(dllexport) bool TITCALL MemoryReadSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead); __declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten); // TitanEngine.Realigner.functions: __declspec(dllexport) bool TITCALL FixHeaderCheckSum(const char* szFileName); __declspec(dllexport) bool TITCALL FixHeaderCheckSumW(const wchar_t* szFileName); __declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode); __declspec(dllexport) long TITCALL RealignPEEx(const char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment); __declspec(dllexport) long TITCALL RealignPEExW(const wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment); __declspec(dllexport) bool TITCALL WipeSection(const char* szFileName, int WipeSectionNumber, bool RemovePhysically); __declspec(dllexport) bool TITCALL WipeSectionW(const wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically); __declspec(dllexport) bool TITCALL IsPE32FileValidEx(const char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo); __declspec(dllexport) bool TITCALL IsPE32FileValidExW(const wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo); __declspec(dllexport) bool TITCALL FixBrokenPE32FileEx(const char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo); __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(const wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo); __declspec(dllexport) bool TITCALL IsFileDLL(const char* szFileName, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL IsFileDLLW(const wchar_t* szFileName, ULONG_PTR FileMapVA); // TitanEngine.Hider.functions: __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess); __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread); __declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread); __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); // TitanEngine.Relocater.functions: __declspec(dllexport) void TITCALL RelocaterCleanup(); __declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase); __declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState); __declspec(dllexport) long TITCALL RelocaterEstimatedSize(); __declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(const char* szFileName, const char* szSectionName); __declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(const wchar_t* szFileName, const char* szSectionName); __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize); __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage); __declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, const char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize); __declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, const wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize); __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, const char* szDumpFile1, const char* szDumpFile2, ULONG_PTR MemStart); __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, const wchar_t* szDumpFile1, const wchar_t* szDumpFile2, ULONG_PTR MemStart); __declspec(dllexport) bool TITCALL RelocaterChangeFileBase(const char* szFileName, ULONG_PTR NewImageBase); __declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(const wchar_t* szFileName, ULONG_PTR NewImageBase); __declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase); __declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(const char* szFileName); __declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(const wchar_t* szFileName); // TitanEngine.Resourcer.functions: __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUse(const char* szFileName); __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUseW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase); __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(HMODULE hFile, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName); __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(const char* szFileName, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName); __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(const wchar_t* szFileName, char* szResourceType, const char* szResourceName, const char* szExtractedFileName); __declspec(dllexport) bool TITCALL ResourcerFindResource(const char* szFileName, const char* szResourceType, DWORD ResourceType, const char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); __declspec(dllexport) bool TITCALL ResourcerFindResourceW(const wchar_t* szFileName, const wchar_t* szResourceType, DWORD ResourceType, const wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, const wchar_t* szResourceType, DWORD ResourceType, const wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); __declspec(dllexport) void TITCALL ResourcerEnumerateResource(const char* szFileName, void* CallBack); __declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(const wchar_t* szFileName, void* CallBack); __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack); // TitanEngine.Threader.functions: __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId); __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId); __declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack); __declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread); __declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread); __declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode); __declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning); __declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused); __declspec(dllexport) bool TITCALL ThreaderPauseProcess(); __declspec(dllexport) bool TITCALL ThreaderResumeProcess(); __declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); __declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); __declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); __declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); __declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack); __declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread); __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread); __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive(); __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads(); __declspec(dllexport) ULONG_PTR TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId); __declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread(); // TitanEngine.Debugger.functions: __declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL StaticDisassemble(LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress, bool ReturnInstructionType); __declspec(dllexport) void* TITCALL Disassemble(LPVOID DisassmAddress); __declspec(dllexport) long TITCALL StaticLengthDisassemble(LPVOID DisassmAddress); __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress); __declspec(dllexport) long TITCALL LengthDisassemble(LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder); __declspec(dllexport) void* TITCALL InitDebugW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder); __declspec(dllexport) void* TITCALL InitDebugEx(const char* szFileName, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) void* TITCALL InitDebugExW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) void* TITCALL InitDLLDebug(const char* szFileName, bool ReserveModuleBase, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) void* TITCALL InitDLLDebugW(const wchar_t* szFileName, bool ReserveModuleBase, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) bool TITCALL StopDebug(); __declspec(dllexport) void TITCALL SetBPXOptions(long DefaultBreakPointType); __declspec(dllexport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress); __declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress); __declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress); __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress); __declspec(dllexport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress); __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace); __declspec(dllexport) bool TITCALL SafeDeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace); __declspec(dllexport) bool TITCALL SetMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory); __declspec(dllexport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea); __declspec(dllexport) void TITCALL Getx87FPURegisters(x87FPURegister_t x87FPURegisters[8], TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) void TITCALL GetMMXRegisters(uint64_t mmx[8], TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) bool TITCALL GetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) bool TITCALL SetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) ULONG_PTR TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister); __declspec(dllexport) ULONG_PTR TITCALL GetContextData(DWORD IndexOfRegister); __declspec(dllexport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea); __declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue); __declspec(dllexport) bool TITCALL SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue); __declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) bool TITCALL SetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); __declspec(dllexport) void TITCALL ClearExceptionNumber(); __declspec(dllexport) long TITCALL CurrentExceptionNumber(); __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard); __declspec(dllexport) bool TITCALL MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard); __declspec(dllexport) ULONG_PTR TITCALL FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard); extern "C" __declspec(dllexport) ULONG_PTR TITCALL Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard); __declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte); __declspec(dllexport) bool TITCALL Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte); __declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP); __declspec(dllexport) bool TITCALL Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP); __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard); __declspec(dllexport) bool TITCALL Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard); __declspec(dllexport) void* TITCALL GetDebugData(); __declspec(dllexport) void* TITCALL GetTerminationData(); __declspec(dllexport) long TITCALL GetExitCode(); __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedDLLBaseAddress(); __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedFileBaseAddress(); __declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID StringStorage, int MaximumStringSize); __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType); __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps); __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress); __declspec(dllexport) bool TITCALL IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags); __declspec(dllexport) bool TITCALL IsJumpGoingToExecute(); __declspec(dllexport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack); __declspec(dllexport) void TITCALL ForceClose(); __declspec(dllexport) void TITCALL StepInto(LPVOID traceCallBack); __declspec(dllexport) void TITCALL StepOver(LPVOID traceCallBack); __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal); __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack); __declspec(dllexport) bool TITCALL GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex); __declspec(dllexport) bool TITCALL SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister); __declspec(dllexport) bool TITCALL SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL DeleteHardwareBreakPoint(DWORD IndexOfRegister); __declspec(dllexport) bool TITCALL RemoveAllBreakPoints(DWORD RemoveOption); __declspec(dllexport) PROCESS_INFORMATION* TITCALL TitanGetProcessInformation(); __declspec(dllexport) STARTUPINFOW* TITCALL TitanGetStartupInformation(); __declspec(dllexport) void TITCALL DebugLoop(); __declspec(dllexport) void TITCALL SetDebugLoopTimeOut(DWORD TimeOut); __declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode); __declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack); __declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId); __declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId); __declspec(dllexport) void TITCALL DebugLoopEx(DWORD TimeOut); __declspec(dllexport) void TITCALL AutoDebugEx(const char* szFileName, bool ReserveModuleBase, const char* szCommandLine, const char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack); __declspec(dllexport) void TITCALL AutoDebugExW(const wchar_t* szFileName, bool ReserveModuleBase, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack); __declspec(dllexport) bool TITCALL IsFileBeingDebugged(); __declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages); // TitanEngine.FindOEP.functions: __declspec(dllexport) void TITCALL FindOEPInit(); __declspec(dllexport) bool TITCALL FindOEPGenerically(const char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack); __declspec(dllexport) bool TITCALL FindOEPGenericallyW(const wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack); // TitanEngine.Importer.functions: __declspec(dllexport) void TITCALL ImporterAddNewDll(const char* szDLLName, ULONG_PTR FirstThunk); __declspec(dllexport) void TITCALL ImporterAddNewAPI(const char* szAPIName, ULONG_PTR ThunkValue); __declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue); __declspec(dllexport) long TITCALL ImporterGetAddedDllCount(); __declspec(dllexport) long TITCALL ImporterGetAddedAPICount(); __declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap); __declspec(dllexport) long TITCALL ImporterEstimatedSize(); __declspec(dllexport) bool TITCALL ImporterExportIATEx(const char* szDumpFileName, const char* szExportFileName, const char* szSectionName); __declspec(dllexport) bool TITCALL ImporterExportIATExW(const wchar_t* szDumpFileName, const wchar_t* szExportFileName, const wchar_t* szSectionName = L".RL!TEv2"); __declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIWriteLocation(const char* szAPIName); __declspec(dllexport) ULONG_PTR TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber); __declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation); __declspec(dllexport) ULONG_PTR TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation); __declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddressEx(const char* szDLLName, const char* szAPIName); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList); __declspec(dllexport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, const char* szModuleName); __declspec(dllexport) void* TITCALL ImporterGetRemoteDLLBaseExW(HANDLE hProcess, const wchar_t* szModuleName); __declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) ULONG_PTR TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress); __declspec(dllexport) bool TITCALL ImporterCopyOriginalIAT(const char* szOriginalFile, const char* szDumpFile); __declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(const wchar_t* szOriginalFile, const wchar_t* szDumpFile); __declspec(dllexport) bool TITCALL ImporterLoadImportTable(const char* szFileName); __declspec(dllexport) bool TITCALL ImporterLoadImportTableW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL ImporterMoveOriginalIAT(const char* szOriginalFile, const char* szDumpFile, const char* szSectionName); __declspec(dllexport) bool TITCALL ImporterMoveOriginalIATW(const wchar_t* szOriginalFile, const wchar_t* szDumpFile, const char* szSectionName); __declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, const char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize); __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, const wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize); __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize); __declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack); __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback); __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback); __declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, const char* szDumpedFile, ULONG_PTR SearchStart); __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, const wchar_t* szDumpedFile, ULONG_PTR SearchStart); __declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr); // Global.Engine.Hook.functions: __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart); __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart); __declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress); __declspec(dllexport) void* TITCALL HooksGetTrampolineAddress(LPVOID HookAddress); __declspec(dllexport) void* TITCALL HooksGetHookEntryDetails(LPVOID HookAddress); __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress, LPVOID RedirectTo, int HookType); __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR FileMapVA, ULONG_PTR LoadedModuleBase, const char* szHookFunction, LPVOID RedirectTo); __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirection(const char* szModuleName, const char* szHookFunction, LPVOID RedirectTo); __declspec(dllexport) bool TITCALL HooksRemoveRedirection(LPVOID HookAddress, bool RemoveAll); __declspec(dllexport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE ModuleBase); __declspec(dllexport) bool TITCALL HooksRemoveIATRedirection(const char* szModuleName, const char* szHookFunction, bool RemoveAll); __declspec(dllexport) bool TITCALL HooksDisableRedirection(LPVOID HookAddress, bool DisableAll); __declspec(dllexport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE ModuleBase); __declspec(dllexport) bool TITCALL HooksDisableIATRedirection(const char* szModuleName, const char* szHookFunction, bool DisableAll); __declspec(dllexport) bool TITCALL HooksEnableRedirection(LPVOID HookAddress, bool EnableAll); __declspec(dllexport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE ModuleBase); __declspec(dllexport) bool TITCALL HooksEnableIATRedirection(const char* szModuleName, const char* szHookFunction, bool EnableAll); __declspec(dllexport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPVOID CallBack); __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack); __declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx(); // TitanEngine.Tracer.functions: __declspec(dllexport) void TITCALL TracerInit(); __declspec(dllexport) ULONG_PTR TITCALL TracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace); __declspec(dllexport) ULONG_PTR TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD InputNumberOfInstructions); __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace); __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD RedirectionId); __declspec(dllexport) ULONG_PTR TITCALL TracerFixRedirectionViaModule(HMODULE hModuleHandle, HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD IdParameter); __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hProcess, const char* szPluginName, ULONG_PTR AddressToTrace); // TitanEngine.Exporter.functions: __declspec(dllexport) void TITCALL ExporterCleanup(); __declspec(dllexport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase); __declspec(dllexport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, const char* szExportModuleName); __declspec(dllexport) bool TITCALL ExporterAddNewExport(const char* szExportName, DWORD ExportRelativeAddress); __declspec(dllexport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress); __declspec(dllexport) long TITCALL ExporterGetAddedExportCount(); __declspec(dllexport) long TITCALL ExporterEstimatedSize(); __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(const char* szExportFileName, const char* szSectionName); __declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(const wchar_t* szExportFileName, const char* szSectionName); __declspec(dllexport) bool TITCALL ExporterLoadExportTable(const char* szFileName); __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(const wchar_t* szFileName); // TitanEngine.Librarian.functions: __declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(const char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(const char* szLibraryName, DWORD bpxType); __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(const char* szLibraryName); __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(const wchar_t* szLibraryName); __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll); __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll); __declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack); __declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack); // TitanEngine.Process.functions: __declspec(dllexport) long TITCALL GetActiveProcessId(const char* szImageName); __declspec(dllexport) long TITCALL GetActiveProcessIdW(const wchar_t* szImageName); __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(const char* szLibraryName, void* EnumFunction); __declspec(dllexport) HANDLE TITCALL TitanOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId); __declspec(dllexport) HANDLE TITCALL TitanOpenThread(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwThreadId); // TitanEngine.TLSFixer.functions: __declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL TLSGrabCallBackData(const char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks); __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(const wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks); __declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(const char* szFileName, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(const wchar_t* szFileName, LPVOID bpxCallBack); __declspec(dllexport) bool TITCALL TLSRemoveCallback(const char* szFileName); __declspec(dllexport) bool TITCALL TLSRemoveCallbackW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL TLSRemoveTable(const char* szFileName); __declspec(dllexport) bool TITCALL TLSRemoveTableW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL TLSBackupData(const char* szFileName); __declspec(dllexport) bool TITCALL TLSBackupDataW(const wchar_t* szFileName); __declspec(dllexport) bool TITCALL TLSRestoreData(); __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); __declspec(dllexport) bool TITCALL TLSBuildNewTableEx(const char* szFileName, const char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); __declspec(dllexport) bool TITCALL TLSBuildNewTableExW(const wchar_t* szFileName, const char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); // TitanEngine.TranslateName.functions: __declspec(dllexport) void* TITCALL TranslateNativeName(const char* szNativeName); __declspec(dllexport) void* TITCALL TranslateNativeNameW(const wchar_t* szNativeName); // TitanEngine.Handler.functions: __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId); __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle); __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName); __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName); __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount); __declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn); __declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle); __declspec(dllexport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount); __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount); __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(const char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); __declspec(dllexport) bool TITCALL HandlerIsFileLocked(const char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); // TitanEngine.Handler[Mutex].functions: __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount); __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, const char* szMutexString); __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, const wchar_t* szMutexString); __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(const char* szMutexString); __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(const wchar_t* szMutexString); // TitanEngine.Injector.functions: __declspec(dllexport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, const char* szLibraryFile, bool WaitForThreadExit); __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, const wchar_t* szLibraryFile, bool WaitForThreadExit); __declspec(dllexport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, const char* szLibraryFile, bool WaitForThreadExit); __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, const wchar_t* szLibraryFile, bool WaitForThreadExit); __declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode); // TitanEngine.StaticUnpacker.functions: __declspec(dllexport) bool TITCALL StaticFileLoad(const char* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL StaticFileLoadW(const wchar_t* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL StaticFileUnload(const char* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL StaticFileUnloadW(const wchar_t* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL StaticFileOpen(const char* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh); __declspec(dllexport) bool TITCALL StaticFileOpenW(const wchar_t* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh); __declspec(dllexport) bool TITCALL StaticFileGetContent(HANDLE FileHandle, DWORD FilePositionLow, LPDWORD FilePositionHigh, void* Buffer, DWORD Size); __declspec(dllexport) void TITCALL StaticFileClose(HANDLE FileHandle); __declspec(dllexport) void TITCALL StaticMemoryDecrypt(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey); __declspec(dllexport) void TITCALL StaticMemoryDecryptEx(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, void* DecryptionCallBack); __declspec(dllexport) void TITCALL StaticMemoryDecryptSpecial(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, DWORD SpecDecryptionType, void* DecryptionCallBack); __declspec(dllexport) void TITCALL StaticSectionDecrypt(ULONG_PTR FileMapVA, DWORD SectionNumber, bool SimulateLoad, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey); __declspec(dllexport) bool TITCALL StaticMemoryDecompress(void* Source, DWORD SourceSize, void* Destination, DWORD DestinationSize, int Algorithm); __declspec(dllexport) bool TITCALL StaticRawMemoryCopy(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, const char* szDumpFileName); __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, const char* szDumpFileName); __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, const char* szDumpFileName); __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, const wchar_t* szDumpFileName); __declspec(dllexport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD SizeOfMemory, void* HashDigest, bool OutputString, int Algorithm); __declspec(dllexport) bool TITCALL StaticHashFileW(const wchar_t* szFileName, char* HashDigest, bool OutputString, int Algorithm); __declspec(dllexport) bool TITCALL StaticHashFile(const char* szFileName, char* HashDigest, bool OutputString, int Algorithm); // TitanEngine.Engine.functions: __declspec(dllexport) void TITCALL EngineUnpackerInitialize(const char* szFileName, const char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack); __declspec(dllexport) void TITCALL EngineUnpackerInitializeW(const wchar_t* szFileName, const wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack); __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2); __declspec(dllexport) void TITCALL EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress); __declspec(dllexport) void TITCALL EngineUnpackerFinalizeUnpacking(); // TitanEngine.Engine.functions: __declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet); __declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(const char* szFileName, const char* szOutputFolder, bool LogCreatedFiles); __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(const wchar_t* szFileName, const wchar_t* szOutputFolder, bool LogCreatedFiles); __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess); __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(const char* WindowUnpackerTitle, const char* WindowUnpackerLongTitle, const char* WindowUnpackerName, const char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(const char* szLogMessage); __declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize); // Global.Engine.Extension.Functions: __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(const char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(const char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerDisableAllPlugins(); __declspec(dllexport) bool TITCALL ExtensionManagerDisablePlugin(const char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerEnableAllPlugins(); __declspec(dllexport) bool TITCALL ExtensionManagerEnablePlugin(const char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerUnloadAllPlugins(); __declspec(dllexport) bool TITCALL ExtensionManagerUnloadPlugin(const char* szPluginName); __declspec(dllexport) void* TITCALL ExtensionManagerGetPluginInfo(const char* szPluginName); #ifdef __cplusplus } #endif #pragma pack(pop) #endif /*TITANENGINE*/ ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/XEDParse/XEDParse.h ================================================ #ifndef _XEDPARSE_H #define _XEDPARSE_H #include //XEDParse defines #ifdef XEDPARSE_BUILD #define XEDPARSE_EXPORT __declspec(dllexport) #else #define XEDPARSE_EXPORT __declspec(dllimport) #endif //XEDPARSE_BUILD #define XEDPARSE_CALL //calling convention #define XEDPARSE_MAXBUFSIZE 256 #define XEDPARSE_MAXASMSIZE 16 //typedefs typedef bool (XEDPARSE_CALL* CBXEDPARSE_UNKNOWN)(const char* text, ULONGLONG* value); //XEDParse enums enum XEDPARSE_STATUS { XEDPARSE_ERROR = 0, XEDPARSE_OK = 1 }; //XEDParse structs #pragma pack(push,8) struct XEDPARSE { bool x64; // use 64-bit instructions ULONGLONG cip; //instruction pointer (for relative addressing) unsigned int dest_size; //destination size (returned by XEDParse) CBXEDPARSE_UNKNOWN cbUnknown; //unknown operand callback unsigned char dest[XEDPARSE_MAXASMSIZE]; //destination buffer char instr[XEDPARSE_MAXBUFSIZE]; //instruction text char error[XEDPARSE_MAXBUFSIZE]; //error text (in case of an error) }; #pragma pack(pop) #ifdef __cplusplus extern "C" { #endif XEDPARSE_EXPORT XEDPARSE_STATUS XEDPARSE_CALL XEDParseAssemble(XEDPARSE* XEDParse); #ifdef __cplusplus } #endif #endif // _XEDPARSE_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_dbgfunctions.h ================================================ #ifndef _DBGFUNCTIONS_H #define _DBGFUNCTIONS_H #ifndef __cplusplus #include #endif typedef struct { char mod[MAX_MODULE_SIZE]; duint addr; unsigned char oldbyte; unsigned char newbyte; } DBGPATCHINFO; typedef struct { duint addr; duint from; duint to; char comment[MAX_COMMENT_SIZE]; } DBGCALLSTACKENTRY; typedef struct { int total; DBGCALLSTACKENTRY* entries; } DBGCALLSTACK; typedef struct { duint addr; duint handler; } DBGSEHRECORD; typedef struct { duint total; DBGSEHRECORD* records; } DBGSEHCHAIN; typedef struct { DWORD dwProcessId; char szExeFile[MAX_PATH]; char szExeMainWindowTitle[MAX_PATH]; char szExeArgs[MAX_COMMAND_LINE_SIZE]; } DBGPROCESSINFO; typedef struct { DWORD rva; BYTE type; WORD size; } DBGRELOCATIONINFO; typedef enum { InstructionBody = 0, InstructionHeading = 1, InstructionTailing = 2, InstructionOverlapped = 3, // The byte was executed with differing instruction base addresses DataByte, // This and the following is not implemented yet. DataWord, DataDWord, DataQWord, DataFloat, DataDouble, DataLongDouble, DataXMM, DataYMM, DataMMX, DataMixed, //the byte is accessed in multiple ways InstructionDataMixed //the byte is both executed and written } TRACERECORDBYTETYPE; typedef enum { TraceRecordNone, TraceRecordBitExec, TraceRecordByteWithExecTypeAndCounter, TraceRecordWordWithExecTypeAndCounter } TRACERECORDTYPE; typedef struct { duint Handle; unsigned char TypeNumber; unsigned int GrantedAccess; } HANDLEINFO; // The longest ip address is 1234:6789:1234:6789:1234:6789:123.567.901.345 (46 bytes) #define TCP_ADDR_SIZE 50 typedef struct { char RemoteAddress[TCP_ADDR_SIZE]; unsigned short RemotePort; char LocalAddress[TCP_ADDR_SIZE]; unsigned short LocalPort; char StateText[TCP_ADDR_SIZE]; unsigned int State; } TCPCONNECTIONINFO; typedef struct { duint handle; duint parent; DWORD threadId; DWORD style; DWORD styleEx; duint wndProc; bool enabled; RECT position; char windowTitle[MAX_COMMENT_SIZE]; char windowClass[MAX_COMMENT_SIZE]; } WINDOW_INFO; typedef struct { duint addr; duint size; duint flags; } HEAPINFO; typedef struct { const char* name; duint value; } CONSTANTINFO; typedef bool (*ASSEMBLEATEX)(duint addr, const char* instruction, char* error, bool fillnop); typedef bool (*SECTIONFROMADDR)(duint addr, char* section); typedef bool (*MODNAMEFROMADDR)(duint addr, char* modname, bool extension); typedef duint(*MODBASEFROMADDR)(duint addr); typedef duint(*MODBASEFROMNAME)(const char* modname); typedef duint(*MODSIZEFROMADDR)(duint addr); typedef bool (*ASSEMBLE)(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); typedef bool (*PATCHGET)(duint addr); typedef bool (*PATCHINRANGE)(duint start, duint end); typedef bool (*MEMPATCH)(duint va, const unsigned char* src, duint size); typedef void (*PATCHRESTORERANGE)(duint start, duint end); typedef bool (*PATCHENUM)(DBGPATCHINFO* patchlist, size_t* cbsize); typedef bool (*PATCHRESTORE)(duint addr); typedef int (*PATCHFILE)(DBGPATCHINFO* patchlist, int count, const char* szFileName, char* error); typedef int (*MODPATHFROMADDR)(duint addr, char* path, int size); typedef int (*MODPATHFROMNAME)(const char* modname, char* path, int size); typedef bool (*DISASMFAST)(const unsigned char* data, duint addr, BASIC_INSTRUCTION_INFO* basicinfo); typedef void (*MEMUPDATEMAP)(); typedef void (*GETCALLSTACK)(DBGCALLSTACK* callstack); typedef void (*GETSEHCHAIN)(DBGSEHCHAIN* sehchain); typedef void (*SYMBOLDOWNLOADALLSYMBOLS)(const char* szSymbolStore); typedef bool (*GETJIT)(char* jit, bool x64); typedef bool (*GETJITAUTO)(bool* jitauto); typedef bool (*GETDEFJIT)(char* defjit); typedef bool (*GETPROCESSLIST)(DBGPROCESSINFO** entries, int* count); typedef bool (*GETPAGERIGHTS)(duint addr, char* rights); typedef bool (*SETPAGERIGHTS)(duint addr, const char* rights); typedef bool (*PAGERIGHTSTOSTRING)(DWORD protect, char* rights); typedef bool (*ISPROCESSELEVATED)(); typedef bool (*GETCMDLINE)(char* cmdline, size_t* cbsize); typedef bool (*SETCMDLINE)(const char* cmdline); typedef duint(*FILEOFFSETTOVA)(const char* modname, duint offset); typedef duint(*VATOFILEOFFSET)(duint va); typedef duint(*GETADDRFROMLINE)(const char* szSourceFile, int line, duint* displacement); typedef bool (*GETSOURCEFROMADDR)(duint addr, char* szSourceFile, int* line); typedef bool (*VALFROMSTRING)(const char* string, duint* value); typedef bool (*PATCHGETEX)(duint addr, DBGPATCHINFO* info); typedef bool (*GETBRIDGEBP)(BPXTYPE type, duint addr, BRIDGEBP* bp); typedef bool (*STRINGFORMATINLINE)(const char* format, size_t resultSize, char* result); typedef void (*GETMNEMONICBRIEF)(const char* mnem, size_t resultSize, char* result); typedef unsigned int (*GETTRACERECORDHITCOUNT)(duint address); typedef TRACERECORDBYTETYPE(*GETTRACERECORDBYTETYPE)(duint address); typedef bool (*SETTRACERECORDTYPE)(duint pageAddress, TRACERECORDTYPE type); typedef TRACERECORDTYPE(*GETTRACERECORDTYPE)(duint pageAddress); typedef bool (*ENUMHANDLES)(ListOf(HANDLEINFO) handles); typedef bool (*GETHANDLENAME)(duint handle, char* name, size_t nameSize, char* typeName, size_t typeNameSize); typedef bool (*ENUMTCPCONNECTIONS)(ListOf(TCPCONNECTIONINFO) connections); typedef duint(*GETDBGEVENTS)(); typedef int (*MODGETPARTY)(duint base); typedef void (*MODSETPARTY)(duint base, int party); typedef bool(*WATCHISWATCHDOGTRIGGERED)(unsigned int id); typedef bool(*MEMISCODEPAGE)(duint addr, bool refresh); typedef bool(*ANIMATECOMMAND)(const char* command); typedef void(*DBGSETDEBUGGEEINITSCRIPT)(const char* fileName); typedef const char* (*DBGGETDEBUGGEEINITSCRIPT)(); typedef bool(*HANDLESENUMWINDOWS)(ListOf(WINDOW_INFO) windows); typedef bool(*HANDLESENUMHEAPS)(ListOf(HEAPINFO) heaps); typedef bool(*THREADGETNAME)(DWORD tid, char* name); typedef bool(*ISDEPENABLED)(); typedef void(*GETCALLSTACKEX)(DBGCALLSTACK* callstack, bool cache); typedef bool(*GETUSERCOMMENT)(duint addr, char* comment); typedef void(*ENUMCONSTANTS)(ListOf(CONSTANTINFO) constants); typedef duint(*MEMBPSIZE)(duint addr); typedef bool(*MODRELOCATIONSFROMADDR)(duint addr, ListOf(DBGRELOCATIONINFO) relocations); typedef bool(*MODRELOCATIONATADDR)(duint addr, DBGRELOCATIONINFO* relocation); typedef bool(*MODRELOCATIONSINRANGE)(duint addr, duint size, ListOf(DBGRELOCATIONINFO) relocations); typedef duint(*DBGETHASH)(); typedef int(*SYMAUTOCOMPLETE)(const char* Search, char** Buffer, int MaxSymbols); //The list of all the DbgFunctions() return value. //WARNING: This list is append only. Do not insert things in the middle or plugins would break. typedef struct DBGFUNCTIONS_ { ASSEMBLEATEX AssembleAtEx; SECTIONFROMADDR SectionFromAddr; MODNAMEFROMADDR ModNameFromAddr; MODBASEFROMADDR ModBaseFromAddr; MODBASEFROMNAME ModBaseFromName; MODSIZEFROMADDR ModSizeFromAddr; ASSEMBLE Assemble; PATCHGET PatchGet; PATCHINRANGE PatchInRange; MEMPATCH MemPatch; PATCHRESTORERANGE PatchRestoreRange; PATCHENUM PatchEnum; PATCHRESTORE PatchRestore; PATCHFILE PatchFile; MODPATHFROMADDR ModPathFromAddr; MODPATHFROMNAME ModPathFromName; DISASMFAST DisasmFast; MEMUPDATEMAP MemUpdateMap; GETCALLSTACK GetCallStack; GETSEHCHAIN GetSEHChain; SYMBOLDOWNLOADALLSYMBOLS SymbolDownloadAllSymbols; GETJITAUTO GetJitAuto; GETJIT GetJit; GETDEFJIT GetDefJit; GETPROCESSLIST GetProcessList; GETPAGERIGHTS GetPageRights; SETPAGERIGHTS SetPageRights; PAGERIGHTSTOSTRING PageRightsToString; ISPROCESSELEVATED IsProcessElevated; GETCMDLINE GetCmdline; SETCMDLINE SetCmdline; FILEOFFSETTOVA FileOffsetToVa; VATOFILEOFFSET VaToFileOffset; GETADDRFROMLINE GetAddrFromLine; GETSOURCEFROMADDR GetSourceFromAddr; VALFROMSTRING ValFromString; PATCHGETEX PatchGetEx; GETBRIDGEBP GetBridgeBp; STRINGFORMATINLINE StringFormatInline; GETMNEMONICBRIEF GetMnemonicBrief; GETTRACERECORDHITCOUNT GetTraceRecordHitCount; GETTRACERECORDBYTETYPE GetTraceRecordByteType; SETTRACERECORDTYPE SetTraceRecordType; GETTRACERECORDTYPE GetTraceRecordType; ENUMHANDLES EnumHandles; GETHANDLENAME GetHandleName; ENUMTCPCONNECTIONS EnumTcpConnections; GETDBGEVENTS GetDbgEvents; MODGETPARTY ModGetParty; MODSETPARTY ModSetParty; WATCHISWATCHDOGTRIGGERED WatchIsWatchdogTriggered; MEMISCODEPAGE MemIsCodePage; ANIMATECOMMAND AnimateCommand; DBGSETDEBUGGEEINITSCRIPT DbgSetDebuggeeInitScript; DBGGETDEBUGGEEINITSCRIPT DbgGetDebuggeeInitScript; HANDLESENUMWINDOWS EnumWindows; HANDLESENUMHEAPS EnumHeaps; THREADGETNAME ThreadGetName; ISDEPENABLED IsDepEnabled; GETCALLSTACKEX GetCallStackEx; GETUSERCOMMENT GetUserComment; ENUMCONSTANTS EnumConstants; ENUMCONSTANTS EnumErrorCodes; ENUMCONSTANTS EnumExceptions; MEMBPSIZE MemBpSize; MODRELOCATIONSFROMADDR ModRelocationsFromAddr; MODRELOCATIONATADDR ModRelocationAtAddr; MODRELOCATIONSINRANGE ModRelocationsInRange; DBGETHASH DbGetHash; SYMAUTOCOMPLETE SymAutoComplete; } DBGFUNCTIONS; #ifdef BUILD_DBG const DBGFUNCTIONS* dbgfunctionsget(); void dbgfunctionsinit(); #endif //BUILD_DBG #endif //_DBGFUNCTIONS_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_plugin_types.h ================================================ #ifndef _PLUGIN_DATA_H #define _PLUGIN_DATA_H #ifdef BUILD_DBG #include "_global.h" #include "jansson/jansson.h" #include #else #ifdef __GNUC__ #include "dbghelp/dbghelp.h" #else #include #endif // __GNUC__ #ifndef deflen #define deflen 1024 #endif // deflen #include "bridgemain.h" #include "_dbgfunctions.h" #include "jansson/jansson.h" #endif // BUILD_DBG #endif // _PLUGIN_DATA_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_plugins.h ================================================ #ifndef _PLUGINS_H #define _PLUGINS_H #ifndef __cplusplus #include #endif #ifndef PLUG_IMPEXP #ifdef BUILD_DBG #define PLUG_IMPEXP __declspec(dllexport) #else #define PLUG_IMPEXP __declspec(dllimport) #endif //BUILD_DBG #endif //PLUG_IMPEXP #include "_plugin_types.h" //default structure alignments forced #ifdef _WIN64 #pragma pack(push, 16) #else //x86 #pragma pack(push, 8) #endif //_WIN64 //defines #define PLUG_SDKVERSION 1 #define PLUG_DB_LOADSAVE_DATA 1 #define PLUG_DB_LOADSAVE_ALL 2 //structures typedef struct { //provided by the debugger int pluginHandle; //provided by the pluginit function int sdkVersion; int pluginVersion; char pluginName[256]; } PLUG_INITSTRUCT; typedef struct { //provided by the debugger HWND hwndDlg; //gui window handle int hMenu; //plugin menu handle int hMenuDisasm; //plugin disasm menu handle int hMenuDump; //plugin dump menu handle int hMenuStack; //plugin stack menu handle } PLUG_SETUPSTRUCT; typedef struct { void* data; //user data } PLUG_SCRIPTSTRUCT; //callback structures typedef struct { const char* szFileName; } PLUG_CB_INITDEBUG; typedef struct { void* reserved; } PLUG_CB_STOPDEBUG; typedef struct { CREATE_PROCESS_DEBUG_INFO* CreateProcessInfo; IMAGEHLP_MODULE64* modInfo; const char* DebugFileName; PROCESS_INFORMATION* fdProcessInfo; } PLUG_CB_CREATEPROCESS; typedef struct { EXIT_PROCESS_DEBUG_INFO* ExitProcess; } PLUG_CB_EXITPROCESS; typedef struct { CREATE_THREAD_DEBUG_INFO* CreateThread; DWORD dwThreadId; } PLUG_CB_CREATETHREAD; typedef struct { EXIT_THREAD_DEBUG_INFO* ExitThread; DWORD dwThreadId; } PLUG_CB_EXITTHREAD; typedef struct { void* reserved; } PLUG_CB_SYSTEMBREAKPOINT; typedef struct { LOAD_DLL_DEBUG_INFO* LoadDll; IMAGEHLP_MODULE64* modInfo; const char* modname; } PLUG_CB_LOADDLL; typedef struct { UNLOAD_DLL_DEBUG_INFO* UnloadDll; } PLUG_CB_UNLOADDLL; typedef struct { OUTPUT_DEBUG_STRING_INFO* DebugString; } PLUG_CB_OUTPUTDEBUGSTRING; typedef struct { EXCEPTION_DEBUG_INFO* Exception; } PLUG_CB_EXCEPTION; typedef struct { BRIDGEBP* breakpoint; } PLUG_CB_BREAKPOINT; typedef struct { void* reserved; } PLUG_CB_PAUSEDEBUG; typedef struct { void* reserved; } PLUG_CB_RESUMEDEBUG; typedef struct { void* reserved; } PLUG_CB_STEPPED; typedef struct { DWORD dwProcessId; } PLUG_CB_ATTACH; typedef struct { PROCESS_INFORMATION* fdProcessInfo; } PLUG_CB_DETACH; typedef struct { DEBUG_EVENT* DebugEvent; } PLUG_CB_DEBUGEVENT; typedef struct { int hEntry; } PLUG_CB_MENUENTRY; typedef struct { MSG* message; long* result; bool retval; } PLUG_CB_WINEVENT; typedef struct { MSG* message; bool retval; } PLUG_CB_WINEVENTGLOBAL; typedef struct { json_t* root; int loadSaveType; } PLUG_CB_LOADSAVEDB; typedef struct { const char* symbol; bool retval; } PLUG_CB_FILTERSYMBOL; typedef struct { duint cip; bool stop; } PLUG_CB_TRACEEXECUTE; typedef struct { int hWindow; duint VA; } PLUG_CB_SELCHANGED; typedef struct { BridgeCFGraphList graph; } PLUG_CB_ANALYZE; typedef struct { duint addr; BRIDGE_ADDRINFO* addrinfo; bool retval; } PLUG_CB_ADDRINFO; typedef struct { const char* string; duint value; int* value_size; bool* isvar; bool* hexonly; bool retval; } PLUG_CB_VALFROMSTRING; typedef struct { const char* string; duint value; bool retval; } PLUG_CB_VALTOSTRING; typedef struct { int hMenu; } PLUG_CB_MENUPREPARE; //enums typedef enum { CB_INITDEBUG, //PLUG_CB_INITDEBUG CB_STOPDEBUG, //PLUG_CB_STOPDEBUG CB_CREATEPROCESS, //PLUG_CB_CREATEPROCESS CB_EXITPROCESS, //PLUG_CB_EXITPROCESS CB_CREATETHREAD, //PLUG_CB_CREATETHREAD CB_EXITTHREAD, //PLUG_CB_EXITTHREAD CB_SYSTEMBREAKPOINT, //PLUG_CB_SYSTEMBREAKPOINT CB_LOADDLL, //PLUG_CB_LOADDLL CB_UNLOADDLL, //PLUG_CB_UNLOADDLL CB_OUTPUTDEBUGSTRING, //PLUG_CB_OUTPUTDEBUGSTRING CB_EXCEPTION, //PLUG_CB_EXCEPTION CB_BREAKPOINT, //PLUG_CB_BREAKPOINT CB_PAUSEDEBUG, //PLUG_CB_PAUSEDEBUG CB_RESUMEDEBUG, //PLUG_CB_RESUMEDEBUG CB_STEPPED, //PLUG_CB_STEPPED CB_ATTACH, //PLUG_CB_ATTACHED (before attaching, after CB_INITDEBUG) CB_DETACH, //PLUG_CB_DETACH (before detaching, before CB_STOPDEBUG) CB_DEBUGEVENT, //PLUG_CB_DEBUGEVENT (called on any debug event) CB_MENUENTRY, //PLUG_CB_MENUENTRY CB_WINEVENT, //PLUG_CB_WINEVENT CB_WINEVENTGLOBAL, //PLUG_CB_WINEVENTGLOBAL CB_LOADDB, //PLUG_CB_LOADSAVEDB CB_SAVEDB, //PLUG_CB_LOADSAVEDB CB_FILTERSYMBOL, //PLUG_CB_FILTERSYMBOL CB_TRACEEXECUTE, //PLUG_CB_TRACEEXECUTE CB_SELCHANGED, //PLUG_CB_SELCHANGED CB_ANALYZE, //PLUG_CB_ANALYZE CB_ADDRINFO, //PLUG_CB_ADDRINFO CB_VALFROMSTRING, //PLUG_CB_VALFROMSTRING CB_VALTOSTRING, //PLUG_CB_VALTOSTRING CB_MENUPREPARE, //PLUG_CB_MENUPREPARE CB_LAST } CBTYPE; typedef enum { FORMAT_ERROR, //generic failure (no message) FORMAT_SUCCESS, //success FORMAT_ERROR_MESSAGE, //formatting failed but an error was put in the buffer (there are always at least 511 characters available). FORMAT_BUFFER_TOO_SMALL //buffer too small (x64dbg will retry until the buffer is big enough) } FORMATRESULT; //typedefs typedef void (*CBPLUGIN)(CBTYPE cbType, void* callbackInfo); typedef bool (*CBPLUGINCOMMAND)(int argc, char** argv); typedef void (*CBPLUGINSCRIPT)(); typedef duint(*CBPLUGINEXPRFUNCTION)(int argc, duint* argv, void* userdata); typedef FORMATRESULT(*CBPLUGINFORMATFUNCTION)(char* dest, size_t destCount, int argc, char* argv[], duint value, void* userdata); typedef bool (*CBPLUGINPREDICATE)(void* userdata); //exports #ifdef __cplusplus extern "C" { #endif PLUG_IMPEXP void _plugin_registercallback(int pluginHandle, CBTYPE cbType, CBPLUGIN cbPlugin); PLUG_IMPEXP bool _plugin_unregistercallback(int pluginHandle, CBTYPE cbType); PLUG_IMPEXP bool _plugin_registercommand(int pluginHandle, const char* command, CBPLUGINCOMMAND cbCommand, bool debugonly); PLUG_IMPEXP bool _plugin_unregistercommand(int pluginHandle, const char* command); PLUG_IMPEXP void _plugin_logprintf(const char* format, ...); PLUG_IMPEXP void _plugin_logputs(const char* text); PLUG_IMPEXP void _plugin_logprint(const char* text); PLUG_IMPEXP void _plugin_debugpause(); PLUG_IMPEXP void _plugin_debugskipexceptions(bool skip); PLUG_IMPEXP int _plugin_menuadd(int hMenu, const char* title); PLUG_IMPEXP bool _plugin_menuaddentry(int hMenu, int hEntry, const char* title); PLUG_IMPEXP bool _plugin_menuaddseparator(int hMenu); PLUG_IMPEXP bool _plugin_menuclear(int hMenu); PLUG_IMPEXP void _plugin_menuseticon(int hMenu, const ICONDATA* icon); PLUG_IMPEXP void _plugin_menuentryseticon(int pluginHandle, int hEntry, const ICONDATA* icon); PLUG_IMPEXP void _plugin_menuentrysetchecked(int pluginHandle, int hEntry, bool checked); PLUG_IMPEXP void _plugin_menusetvisible(int pluginHandle, int hMenu, bool visible); PLUG_IMPEXP void _plugin_menuentrysetvisible(int pluginHandle, int hEntry, bool visible); PLUG_IMPEXP void _plugin_menusetname(int pluginHandle, int hMenu, const char* name); PLUG_IMPEXP void _plugin_menuentrysetname(int pluginHandle, int hEntry, const char* name); PLUG_IMPEXP void _plugin_menuentrysethotkey(int pluginHandle, int hEntry, const char* hotkey); PLUG_IMPEXP bool _plugin_menuremove(int hMenu); PLUG_IMPEXP bool _plugin_menuentryremove(int pluginHandle, int hEntry); PLUG_IMPEXP void _plugin_startscript(CBPLUGINSCRIPT cbScript); PLUG_IMPEXP bool _plugin_waituntilpaused(); PLUG_IMPEXP bool _plugin_registerexprfunction(int pluginHandle, const char* name, int argc, CBPLUGINEXPRFUNCTION cbFunction, void* userdata); PLUG_IMPEXP bool _plugin_unregisterexprfunction(int pluginHandle, const char* name); PLUG_IMPEXP bool _plugin_unload(const char* pluginName); PLUG_IMPEXP bool _plugin_load(const char* pluginName); PLUG_IMPEXP duint _plugin_hash(const void* data, duint size); PLUG_IMPEXP bool _plugin_registerformatfunction(int pluginHandle, const char* type, CBPLUGINFORMATFUNCTION cbFunction, void* userdata); PLUG_IMPEXP bool _plugin_unregisterformatfunction(int pluginHandle, const char* type); #ifdef __cplusplus } #endif #pragma pack(pop) #endif // _PLUGINS_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi.h ================================================ #ifndef _SCRIPT_API_H #define _SCRIPT_API_H #include "_plugins.h" #define SCRIPT_EXPORT PLUG_IMPEXP #endif //_SCRIPT_API_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_argument.h ================================================ #ifndef _SCRIPTAPI_ARGUMENT_H #define _SCRIPTAPI_ARGUMENT_H #include "_scriptapi.h" namespace Script { namespace Argument { struct ArgumentInfo { char mod[MAX_MODULE_SIZE]; duint rvaStart; duint rvaEnd; bool manual; duint instructioncount; }; SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0); SCRIPT_EXPORT bool Add(const ArgumentInfo* info); SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); SCRIPT_EXPORT bool GetInfo(duint addr, ArgumentInfo* info); SCRIPT_EXPORT bool Overlaps(duint start, duint end); SCRIPT_EXPORT bool Delete(duint address); SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual = false); SCRIPT_EXPORT void Clear(); SCRIPT_EXPORT bool GetList(ListOf(ArgumentInfo) list); //caller has the responsibility to free the list }; //Argument }; //Script #endif //_SCRIPTAPI_ARGUMENT_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_assembler.h ================================================ #ifndef _SCRIPTAPI_ASSEMBLER_H #define _SCRIPTAPI_ASSEMBLER_H #include "_scriptapi.h" namespace Script { namespace Assembler { SCRIPT_EXPORT bool Assemble(duint addr, unsigned char* dest, int* size, const char* instruction); //dest[16] SCRIPT_EXPORT bool AssembleEx(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); //dest[16], error[MAX_ERROR_SIZE] SCRIPT_EXPORT bool AssembleMem(duint addr, const char* instruction); SCRIPT_EXPORT bool AssembleMemEx(duint addr, const char* instruction, int* size, char* error, bool fillnop); //error[MAX_ERROR_SIZE] }; //Assembler }; //Script #endif //_SCRIPTAPI_ASSEMBLER_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_bookmark.h ================================================ #ifndef _SCRIPTAPI_BOOKMARK_H #define _SCRIPTAPI_BOOKMARK_H #include "_scriptapi.h" namespace Script { namespace Bookmark { struct BookmarkInfo { char mod[MAX_MODULE_SIZE]; duint rva; bool manual; }; SCRIPT_EXPORT bool Set(duint addr, bool manual = false); SCRIPT_EXPORT bool Set(const BookmarkInfo* info); SCRIPT_EXPORT bool Get(duint addr); SCRIPT_EXPORT bool GetInfo(duint addr, BookmarkInfo* info); SCRIPT_EXPORT bool Delete(duint addr); SCRIPT_EXPORT void DeleteRange(duint start, duint end); SCRIPT_EXPORT void Clear(); SCRIPT_EXPORT bool GetList(ListOf(BookmarkInfo) list); //caller has the responsibility to free the list }; //Bookmark }; //Script #endif //_SCRIPTAPI_BOOKMARK_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_comment.h ================================================ #ifndef _SCRIPTAPI_COMMENT_H #define _SCRIPTAPI_COMMENT_H #include "_scriptapi.h" namespace Script { namespace Comment { struct CommentInfo { char mod[MAX_MODULE_SIZE]; duint rva; char text[MAX_LABEL_SIZE]; bool manual; }; SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); SCRIPT_EXPORT bool Set(const CommentInfo* info); SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_COMMENT_SIZE] SCRIPT_EXPORT bool GetInfo(duint addr, CommentInfo* info); SCRIPT_EXPORT bool Delete(duint addr); SCRIPT_EXPORT void DeleteRange(duint start, duint end); SCRIPT_EXPORT void Clear(); SCRIPT_EXPORT bool GetList(ListOf(CommentInfo) list); //caller has the responsibility to free the list }; //Comment }; //Script #endif //_SCRIPTAPI_COMMENT_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_debug.h ================================================ #ifndef _SCRIPTAPI_DEBUG_H #define _SCRIPTAPI_DEBUG_H #include "_scriptapi.h" namespace Script { namespace Debug { enum HardwareType { HardwareAccess, HardwareWrite, HardwareExecute }; SCRIPT_EXPORT void Wait(); SCRIPT_EXPORT void Run(); SCRIPT_EXPORT void Pause(); SCRIPT_EXPORT void Stop(); SCRIPT_EXPORT void StepIn(); SCRIPT_EXPORT void StepOver(); SCRIPT_EXPORT void StepOut(); SCRIPT_EXPORT bool SetBreakpoint(duint address); SCRIPT_EXPORT bool DeleteBreakpoint(duint address); SCRIPT_EXPORT bool DisableBreakpoint(duint address); SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute); SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address); }; //Debug }; //Script #endif //_SCRIPTAPI_DEBUG_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_flag.h ================================================ #ifndef _SCRIPTAPI_FLAG_H #define _SCRIPTAPI_FLAG_H #include "_scriptapi.h" namespace Script { namespace Flag { enum FlagEnum { ZF, OF, CF, PF, SF, TF, AF, DF, IF }; SCRIPT_EXPORT bool Get(FlagEnum flag); SCRIPT_EXPORT bool Set(FlagEnum flag, bool value); SCRIPT_EXPORT bool GetZF(); SCRIPT_EXPORT bool SetZF(bool value); SCRIPT_EXPORT bool GetOF(); SCRIPT_EXPORT bool SetOF(bool value); SCRIPT_EXPORT bool GetCF(); SCRIPT_EXPORT bool SetCF(bool value); SCRIPT_EXPORT bool GetPF(); SCRIPT_EXPORT bool SetPF(bool value); SCRIPT_EXPORT bool GetSF(); SCRIPT_EXPORT bool SetSF(bool value); SCRIPT_EXPORT bool GetTF(); SCRIPT_EXPORT bool SetTF(bool value); SCRIPT_EXPORT bool GetAF(); SCRIPT_EXPORT bool SetAF(bool value); SCRIPT_EXPORT bool GetDF(); SCRIPT_EXPORT bool SetDF(bool value); SCRIPT_EXPORT bool GetIF(); SCRIPT_EXPORT bool SetIF(bool value); }; }; #endif //_SCRIPTAPI_FLAG_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_function.h ================================================ #ifndef _SCRIPTAPI_FUNCTION_H #define _SCRIPTAPI_FUNCTION_H #include "_scriptapi.h" namespace Script { namespace Function { struct FunctionInfo { char mod[MAX_MODULE_SIZE]; duint rvaStart; duint rvaEnd; bool manual; duint instructioncount; }; SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0); SCRIPT_EXPORT bool Add(const FunctionInfo* info); SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); SCRIPT_EXPORT bool GetInfo(duint addr, FunctionInfo* info); SCRIPT_EXPORT bool Overlaps(duint start, duint end); SCRIPT_EXPORT bool Delete(duint address); SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual); SCRIPT_EXPORT void DeleteRange(duint start, duint end); SCRIPT_EXPORT void Clear(); SCRIPT_EXPORT bool GetList(ListOf(FunctionInfo) list); //caller has the responsibility to free the list }; //Function }; //Script #endif //_SCRIPTAPI_FUNCTION_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_gui.h ================================================ #ifndef _SCRIPTAPI_GUI_H #define _SCRIPTAPI_GUI_H #include "_scriptapi.h" namespace Script { namespace Gui { namespace Disassembly { SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); SCRIPT_EXPORT bool SelectionSet(duint start, duint end); SCRIPT_EXPORT duint SelectionGetStart(); SCRIPT_EXPORT duint SelectionGetEnd(); }; //Disassembly namespace Dump { SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); SCRIPT_EXPORT bool SelectionSet(duint start, duint end); SCRIPT_EXPORT duint SelectionGetStart(); SCRIPT_EXPORT duint SelectionGetEnd(); }; //Dump namespace Stack { SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end); SCRIPT_EXPORT bool SelectionSet(duint start, duint end); SCRIPT_EXPORT duint SelectionGetStart(); SCRIPT_EXPORT duint SelectionGetEnd(); }; //Stack namespace Graph { SCRIPT_EXPORT duint SelectionGetStart(); }; //Graph namespace MemMap { SCRIPT_EXPORT duint SelectionGetStart(); }; //MemoryMap namespace SymMod { SCRIPT_EXPORT duint SelectionGetStart(); }; //SymMod }; //Gui namespace Gui { enum Window { DisassemblyWindow, DumpWindow, StackWindow, GraphWindow, MemMapWindow, SymModWindow }; SCRIPT_EXPORT bool SelectionGet(Window window, duint* start, duint* end); SCRIPT_EXPORT bool SelectionSet(Window window, duint start, duint end); SCRIPT_EXPORT duint SelectionGetStart(Window window); SCRIPT_EXPORT duint SelectionGetEnd(Window window); SCRIPT_EXPORT void Message(const char* message); SCRIPT_EXPORT bool MessageYesNo(const char* message); SCRIPT_EXPORT bool InputLine(const char* title, char* text); //text[GUI_MAX_LINE_SIZE] SCRIPT_EXPORT bool InputValue(const char* title, duint* value); SCRIPT_EXPORT void Refresh(); SCRIPT_EXPORT void AddQWidgetTab(void* qWidget); SCRIPT_EXPORT void ShowQWidgetTab(void* qWidget); SCRIPT_EXPORT void CloseQWidgetTab(void* qWidget); }; //Gui }; //Script #endif //_SCRIPTAPI_GUI_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_label.h ================================================ #ifndef _SCRIPTAPI_LABEL_H #define _SCRIPTAPI_LABEL_H #include "_scriptapi.h" namespace Script { namespace Label { struct LabelInfo { char mod[MAX_MODULE_SIZE]; duint rva; char text[MAX_LABEL_SIZE]; bool manual; }; SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false); SCRIPT_EXPORT bool Set(const LabelInfo* info); SCRIPT_EXPORT bool FromString(const char* label, duint* addr); SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_LABEL_SIZE] SCRIPT_EXPORT bool GetInfo(duint addr, LabelInfo* info); SCRIPT_EXPORT bool Delete(duint addr); SCRIPT_EXPORT void DeleteRange(duint start, duint end); SCRIPT_EXPORT void Clear(); SCRIPT_EXPORT bool GetList(ListOf(LabelInfo) list); //caller has the responsibility to free the list }; //Label }; //Script #endif //_SCRIPTAPI_LABEL_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_memory.h ================================================ #ifndef _SCRIPTAPI_MEMORY_H #define _SCRIPTAPI_MEMORY_H #include "_scriptapi.h" namespace Script { namespace Memory { SCRIPT_EXPORT bool Read(duint addr, void* data, duint size, duint* sizeRead); SCRIPT_EXPORT bool Write(duint addr, const void* data, duint size, duint* sizeWritten); SCRIPT_EXPORT bool IsValidPtr(duint addr); SCRIPT_EXPORT duint RemoteAlloc(duint addr, duint size); SCRIPT_EXPORT bool RemoteFree(duint addr); SCRIPT_EXPORT unsigned int GetProtect(duint addr, bool reserved = false, bool cache = true); SCRIPT_EXPORT duint GetBase(duint addr, bool reserved = false, bool cache = true); SCRIPT_EXPORT duint GetSize(duint addr, bool reserved = false, bool cache = true); SCRIPT_EXPORT unsigned char ReadByte(duint addr); SCRIPT_EXPORT bool WriteByte(duint addr, unsigned char data); SCRIPT_EXPORT unsigned short ReadWord(duint addr); SCRIPT_EXPORT bool WriteWord(duint addr, unsigned short data); SCRIPT_EXPORT unsigned int ReadDword(duint addr); SCRIPT_EXPORT bool WriteDword(duint addr, unsigned int data); SCRIPT_EXPORT unsigned long long ReadQword(duint addr); SCRIPT_EXPORT bool WriteQword(duint addr, unsigned long long data); SCRIPT_EXPORT duint ReadPtr(duint addr); SCRIPT_EXPORT bool WritePtr(duint addr, duint data); }; //Memory }; //Script #endif //_SCRIPTAPI_MEMORY_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_misc.h ================================================ #ifndef _SCRIPTAPI_MISC_H #define _SCRIPTAPI_MISC_H #include "_scriptapi.h" namespace Script { namespace Misc { /// /// Evaluates an expression and returns the result. Analagous to using the Command field in x64dbg. /// /// Expressions can consist of memory locations, registers, flags, API names, labels, symbols, variables etc. /// /// Example: bool success = ParseExpression("[esp+8]", &val) /// /// The expression to evaluate. /// The result of the expression. /// True on success, False on failure. SCRIPT_EXPORT bool ParseExpression(const char* expression, duint* value); /// /// Returns the address of a function in the debuggee's memory space. /// /// Example: duint addr = RemoteGetProcAddress("kernel32.dll", "GetProcAddress") /// /// The name of the module. /// The name of the function. /// The address of the function in the debuggee. SCRIPT_EXPORT duint RemoteGetProcAddress(const char* module, const char* api); /// /// Returns the address for a label created in the disassembly window. /// /// Example: duint addr = ResolveLabel("sneaky_crypto") /// /// The name of the label to resolve. /// The memory address for the label. SCRIPT_EXPORT duint ResolveLabel(const char* label); /// /// Allocates the requested number of bytes from x64dbg's default process heap. /// /// Note: this allocation is in the debugger, not the debuggee. /// /// Memory allocated using this function should be Free'd after use. /// /// Example: void* addr = Alloc(0x100000) /// /// Number of bytes to allocate. /// A pointer to the newly allocated memory. SCRIPT_EXPORT void* Alloc(duint size); /// /// Frees memory previously allocated by Alloc. /// /// Example: Free(addr) /// /// Pointer returned by Alloc. /// Nothing. SCRIPT_EXPORT void Free(void* ptr); }; //Misc }; //Script #endif //_SCRIPTAPI_MISC_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_module.h ================================================ #ifndef _SCRIPTAPI_MODULE_H #define _SCRIPTAPI_MODULE_H #include "_scriptapi.h" namespace Script { namespace Module { struct ModuleInfo { duint base; duint size; duint entry; int sectionCount; char name[MAX_MODULE_SIZE]; char path[MAX_PATH]; }; struct ModuleSectionInfo { duint addr; duint size; char name[MAX_SECTION_SIZE * 5]; }; SCRIPT_EXPORT bool InfoFromAddr(duint addr, ModuleInfo* info); SCRIPT_EXPORT bool InfoFromName(const char* name, ModuleInfo* info); SCRIPT_EXPORT duint BaseFromAddr(duint addr); SCRIPT_EXPORT duint BaseFromName(const char* name); SCRIPT_EXPORT duint SizeFromAddr(duint addr); SCRIPT_EXPORT duint SizeFromName(const char* name); SCRIPT_EXPORT bool NameFromAddr(duint addr, char* name); //name[MAX_MODULE_SIZE] SCRIPT_EXPORT bool PathFromAddr(duint addr, char* path); //path[MAX_PATH] SCRIPT_EXPORT bool PathFromName(const char* name, char* path); //path[MAX_PATH] SCRIPT_EXPORT duint EntryFromAddr(duint addr); SCRIPT_EXPORT duint EntryFromName(const char* name); SCRIPT_EXPORT int SectionCountFromAddr(duint addr); SCRIPT_EXPORT int SectionCountFromName(const char* name); SCRIPT_EXPORT bool SectionFromAddr(duint addr, int number, ModuleSectionInfo* section); SCRIPT_EXPORT bool SectionFromName(const char* name, int number, ModuleSectionInfo* section); SCRIPT_EXPORT bool SectionListFromAddr(duint addr, ListOf(ModuleSectionInfo) list); SCRIPT_EXPORT bool SectionListFromName(const char* name, ListOf(ModuleSectionInfo) list); SCRIPT_EXPORT bool GetMainModuleInfo(ModuleInfo* info); SCRIPT_EXPORT duint GetMainModuleBase(); SCRIPT_EXPORT duint GetMainModuleSize(); SCRIPT_EXPORT duint GetMainModuleEntry(); SCRIPT_EXPORT int GetMainModuleSectionCount(); SCRIPT_EXPORT bool GetMainModuleName(char* name); //name[MAX_MODULE_SIZE] SCRIPT_EXPORT bool GetMainModulePath(char* path); //path[MAX_PATH] SCRIPT_EXPORT bool GetMainModuleSectionList(ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list SCRIPT_EXPORT bool GetList(ListOf(ModuleInfo) list); //caller has the responsibility to free the list }; //Module }; //Script #endif //_SCRIPTAPI_MODULE_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_pattern.h ================================================ #ifndef _SCRIPTAPI_PATTERN_H #define _SCRIPTAPI_PATTERN_H #include "_scriptapi.h" namespace Script { namespace Pattern { SCRIPT_EXPORT duint Find(unsigned char* data, duint datasize, const char* pattern); SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern); SCRIPT_EXPORT void Write(unsigned char* data, duint datasize, const char* pattern); SCRIPT_EXPORT void WriteMem(duint start, duint size, const char* pattern); SCRIPT_EXPORT bool SearchAndReplace(unsigned char* data, duint datasize, const char* searchpattern, const char* replacepattern); SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern); }; }; #endif //_SCRIPTAPI_FIND_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_register.h ================================================ #ifndef _SCRIPTAPI_REGISTER_H #define _SCRIPTAPI_REGISTER_H #include "_scriptapi.h" namespace Script { namespace Register { enum RegisterEnum { DR0, DR1, DR2, DR3, DR6, DR7, EAX, AX, AH, AL, EBX, BX, BH, BL, ECX, CX, CH, CL, EDX, DX, DH, DL, EDI, DI, ESI, SI, EBP, BP, ESP, SP, EIP, #ifdef _WIN64 RAX, RBX, RCX, RDX, RSI, SIL, RDI, DIL, RBP, BPL, RSP, SPL, RIP, R8, R8D, R8W, R8B, R9, R9D, R9W, R9B, R10, R10D, R10W, R10B, R11, R11D, R11W, R11B, R12, R12D, R12W, R12B, R13, R13D, R13W, R13B, R14, R14D, R14W, R14B, R15, R15D, R15W, R15B, #endif //_WIN64 CIP, CSP, CAX, CBX, CCX, CDX, CDI, CSI, CBP, CFLAGS }; //RegisterEnum SCRIPT_EXPORT duint Get(RegisterEnum reg); SCRIPT_EXPORT bool Set(RegisterEnum reg, duint value); SCRIPT_EXPORT int Size(); //gets architecture register size in bytes SCRIPT_EXPORT duint GetDR0(); SCRIPT_EXPORT bool SetDR0(duint value); SCRIPT_EXPORT duint GetDR1(); SCRIPT_EXPORT bool SetDR1(duint value); SCRIPT_EXPORT duint GetDR2(); SCRIPT_EXPORT bool SetDR2(duint value); SCRIPT_EXPORT duint GetDR3(); SCRIPT_EXPORT bool SetDR3(duint value); SCRIPT_EXPORT duint GetDR6(); SCRIPT_EXPORT bool SetDR6(duint value); SCRIPT_EXPORT duint GetDR7(); SCRIPT_EXPORT bool SetDR7(duint value); SCRIPT_EXPORT unsigned int GetEAX(); SCRIPT_EXPORT bool SetEAX(unsigned int value); SCRIPT_EXPORT unsigned short GetAX(); SCRIPT_EXPORT bool SetAX(unsigned short value); SCRIPT_EXPORT unsigned char GetAH(); SCRIPT_EXPORT bool SetAH(unsigned char value); SCRIPT_EXPORT unsigned char GetAL(); SCRIPT_EXPORT bool SetAL(unsigned char value); SCRIPT_EXPORT unsigned int GetEBX(); SCRIPT_EXPORT bool SetEBX(unsigned int value); SCRIPT_EXPORT unsigned short GetBX(); SCRIPT_EXPORT bool SetBX(unsigned short value); SCRIPT_EXPORT unsigned char GetBH(); SCRIPT_EXPORT bool SetBH(unsigned char value); SCRIPT_EXPORT unsigned char GetBL(); SCRIPT_EXPORT bool SetBL(unsigned char value); SCRIPT_EXPORT unsigned int GetECX(); SCRIPT_EXPORT bool SetECX(unsigned int value); SCRIPT_EXPORT unsigned short GetCX(); SCRIPT_EXPORT bool SetCX(unsigned short value); SCRIPT_EXPORT unsigned char GetCH(); SCRIPT_EXPORT bool SetCH(unsigned char value); SCRIPT_EXPORT unsigned char GetCL(); SCRIPT_EXPORT bool SetCL(unsigned char value); SCRIPT_EXPORT unsigned int GetEDX(); SCRIPT_EXPORT bool SetEDX(unsigned int value); SCRIPT_EXPORT unsigned short GetDX(); SCRIPT_EXPORT bool SetDX(unsigned short value); SCRIPT_EXPORT unsigned char GetDH(); SCRIPT_EXPORT bool SetDH(unsigned char value); SCRIPT_EXPORT unsigned char GetDL(); SCRIPT_EXPORT bool SetDL(unsigned char value); SCRIPT_EXPORT unsigned int GetEDI(); SCRIPT_EXPORT bool SetEDI(unsigned int value); SCRIPT_EXPORT unsigned short GetDI(); SCRIPT_EXPORT bool SetDI(unsigned short value); SCRIPT_EXPORT unsigned int GetESI(); SCRIPT_EXPORT bool SetESI(unsigned int value); SCRIPT_EXPORT unsigned short GetSI(); SCRIPT_EXPORT bool SetSI(unsigned short value); SCRIPT_EXPORT unsigned int GetEBP(); SCRIPT_EXPORT bool SetEBP(unsigned int value); SCRIPT_EXPORT unsigned short GetBP(); SCRIPT_EXPORT bool SetBP(unsigned short value); SCRIPT_EXPORT unsigned int GetESP(); SCRIPT_EXPORT bool SetESP(unsigned int value); SCRIPT_EXPORT unsigned short GetSP(); SCRIPT_EXPORT bool SetSP(unsigned short value); SCRIPT_EXPORT unsigned int GetEIP(); SCRIPT_EXPORT bool SetEIP(unsigned int value); #ifdef _WIN64 SCRIPT_EXPORT unsigned long long GetRAX(); SCRIPT_EXPORT bool SetRAX(unsigned long long value); SCRIPT_EXPORT unsigned long long GetRBX(); SCRIPT_EXPORT bool SetRBX(unsigned long long value); SCRIPT_EXPORT unsigned long long GetRCX(); SCRIPT_EXPORT bool SetRCX(unsigned long long value); SCRIPT_EXPORT unsigned long long GetRDX(); SCRIPT_EXPORT bool SetRDX(unsigned long long value); SCRIPT_EXPORT unsigned long long GetRSI(); SCRIPT_EXPORT bool SetRSI(unsigned long long value); SCRIPT_EXPORT unsigned char GetSIL(); SCRIPT_EXPORT bool SetSIL(unsigned char value); SCRIPT_EXPORT unsigned long long GetRDI(); SCRIPT_EXPORT bool SetRDI(unsigned long long value); SCRIPT_EXPORT unsigned char GetDIL(); SCRIPT_EXPORT bool SetDIL(unsigned char value); SCRIPT_EXPORT unsigned long long GetRBP(); SCRIPT_EXPORT bool SetRBP(unsigned long long value); SCRIPT_EXPORT unsigned char GetBPL(); SCRIPT_EXPORT bool SetBPL(unsigned char value); SCRIPT_EXPORT unsigned long long GetRSP(); SCRIPT_EXPORT bool SetRSP(unsigned long long value); SCRIPT_EXPORT unsigned char GetSPL(); SCRIPT_EXPORT bool SetSPL(unsigned char value); SCRIPT_EXPORT unsigned long long GetRIP(); SCRIPT_EXPORT bool SetRIP(unsigned long long value); SCRIPT_EXPORT unsigned long long GetR8(); SCRIPT_EXPORT bool SetR8(unsigned long long value); SCRIPT_EXPORT unsigned int GetR8D(); SCRIPT_EXPORT bool SetR8D(unsigned int value); SCRIPT_EXPORT unsigned short GetR8W(); SCRIPT_EXPORT bool SetR8W(unsigned short value); SCRIPT_EXPORT unsigned char GetR8B(); SCRIPT_EXPORT bool SetR8B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR9(); SCRIPT_EXPORT bool SetR9(unsigned long long value); SCRIPT_EXPORT unsigned int GetR9D(); SCRIPT_EXPORT bool SetR9D(unsigned int value); SCRIPT_EXPORT unsigned short GetR9W(); SCRIPT_EXPORT bool SetR9W(unsigned short value); SCRIPT_EXPORT unsigned char GetR9B(); SCRIPT_EXPORT bool SetR9B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR10(); SCRIPT_EXPORT bool SetR10(unsigned long long value); SCRIPT_EXPORT unsigned int GetR10D(); SCRIPT_EXPORT bool SetR10D(unsigned int value); SCRIPT_EXPORT unsigned short GetR10W(); SCRIPT_EXPORT bool SetR10W(unsigned short value); SCRIPT_EXPORT unsigned char GetR10B(); SCRIPT_EXPORT bool SetR10B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR11(); SCRIPT_EXPORT bool SetR11(unsigned long long value); SCRIPT_EXPORT unsigned int GetR11D(); SCRIPT_EXPORT bool SetR11D(unsigned int value); SCRIPT_EXPORT unsigned short GetR11W(); SCRIPT_EXPORT bool SetR11W(unsigned short value); SCRIPT_EXPORT unsigned char GetR11B(); SCRIPT_EXPORT bool SetR11B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR12(); SCRIPT_EXPORT bool SetR12(unsigned long long value); SCRIPT_EXPORT unsigned int GetR12D(); SCRIPT_EXPORT bool SetR12D(unsigned int value); SCRIPT_EXPORT unsigned short GetR12W(); SCRIPT_EXPORT bool SetR12W(unsigned short value); SCRIPT_EXPORT unsigned char GetR12B(); SCRIPT_EXPORT bool SetR12B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR13(); SCRIPT_EXPORT bool SetR13(unsigned long long value); SCRIPT_EXPORT unsigned int GetR13D(); SCRIPT_EXPORT bool SetR13D(unsigned int value); SCRIPT_EXPORT unsigned short GetR13W(); SCRIPT_EXPORT bool SetR13W(unsigned short value); SCRIPT_EXPORT unsigned char GetR13B(); SCRIPT_EXPORT bool SetR13B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR14(); SCRIPT_EXPORT bool SetR14(unsigned long long value); SCRIPT_EXPORT unsigned int GetR14D(); SCRIPT_EXPORT bool SetR14D(unsigned int value); SCRIPT_EXPORT unsigned short GetR14W(); SCRIPT_EXPORT bool SetR14W(unsigned short value); SCRIPT_EXPORT unsigned char GetR14B(); SCRIPT_EXPORT bool SetR14B(unsigned char value); SCRIPT_EXPORT unsigned long long GetR15(); SCRIPT_EXPORT bool SetR15(unsigned long long value); SCRIPT_EXPORT unsigned int GetR15D(); SCRIPT_EXPORT bool SetR15D(unsigned int value); SCRIPT_EXPORT unsigned short GetR15W(); SCRIPT_EXPORT bool SetR15W(unsigned short value); SCRIPT_EXPORT unsigned char GetR15B(); SCRIPT_EXPORT bool SetR15B(unsigned char value); #endif //_WIN64 SCRIPT_EXPORT duint GetCAX(); SCRIPT_EXPORT bool SetCAX(duint value); SCRIPT_EXPORT duint GetCBX(); SCRIPT_EXPORT bool SetCBX(duint value); SCRIPT_EXPORT duint GetCCX(); SCRIPT_EXPORT bool SetCCX(duint value); SCRIPT_EXPORT duint GetCDX(); SCRIPT_EXPORT bool SetCDX(duint value); SCRIPT_EXPORT duint GetCDI(); SCRIPT_EXPORT bool SetCDI(duint value); SCRIPT_EXPORT duint GetCSI(); SCRIPT_EXPORT bool SetCSI(duint value); SCRIPT_EXPORT duint GetCBP(); SCRIPT_EXPORT bool SetCBP(duint value); SCRIPT_EXPORT duint GetCSP(); SCRIPT_EXPORT bool SetCSP(duint value); SCRIPT_EXPORT duint GetCIP(); SCRIPT_EXPORT bool SetCIP(duint value); SCRIPT_EXPORT duint GetCFLAGS(); SCRIPT_EXPORT bool SetCFLAGS(duint value); }; //Register }; //Script #endif //_SCRIPTAPI_REGISTER_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_stack.h ================================================ #ifndef _SCRIPTAPI_STACK_H #define _SCRIPTAPI_STACK_H #include "_scriptapi.h" namespace Script { namespace Stack { SCRIPT_EXPORT duint Pop(); SCRIPT_EXPORT duint Push(duint value); //returns the previous top, equal to Peek(1) SCRIPT_EXPORT duint Peek(int offset = 0); //offset is in multiples of Register::Size(), for easy x32/x64 portability }; //Stack }; //Script #endif //_SCRIPTAPI_STACK_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/_scriptapi_symbol.h ================================================ #ifndef _SCRIPTAPI_SYMBOL_H #define _SCRIPTAPI_SYMBOL_H #include "_scriptapi.h" namespace Script { namespace Symbol { enum SymbolType { Function, //user-defined function Import, //IAT entry Export //export }; struct SymbolInfo { char mod[MAX_MODULE_SIZE]; duint rva; char name[MAX_LABEL_SIZE]; bool manual; SymbolType type; }; SCRIPT_EXPORT bool GetList(ListOf(SymbolInfo) list); //caller has the responsibility to free the list }; //Symbol }; //Script #endif //_SCRIPTAPI_SYMBOL_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/bridgegraph.h ================================================ #ifndef _GRAPH_H #define _GRAPH_H typedef struct { duint addr; //virtual address of the instruction unsigned char data[15]; //instruction bytes } BridgeCFInstruction; typedef struct { duint parentGraph; //function of which this node is a part duint start; //start of the block duint end; //end of the block (inclusive) duint brtrue; //destination if condition is true duint brfalse; //destination if condition is false duint icount; //number of instructions in node bool terminal; //node is a RET bool split; //node is a split (brtrue points to the next node) bool indirectcall; //node contains indirect calls (call reg, call [reg+X]) void* userdata; //user data ListInfo exits; //exits (including brtrue and brfalse, duint) ListInfo instrs; //block instructions } BridgeCFNodeList; typedef struct { duint entryPoint; //graph entry point void* userdata; //user data ListInfo nodes; //graph nodes (BridgeCFNodeList) } BridgeCFGraphList; #ifdef __cplusplus #if _MSC_VER >= 1700 && !defined(NO_CPP11) #include #include #include #include struct BridgeCFNode { duint parentGraph; //function of which this node is a part duint start; //start of the block duint end; //end of the block (inclusive) duint brtrue; //destination if condition is true duint brfalse; //destination if condition is false duint icount; //number of instructions in node bool terminal; //node is a RET bool split; //node is a split (brtrue points to the next node) bool indirectcall; //node contains indirect calls (call reg, call [reg+X]) void* userdata; //user data std::vector exits; //exits (including brtrue and brfalse) std::vector instrs; //block instructions static void Free(const BridgeCFNodeList* nodeList) { if(!BridgeList::Free(&nodeList->exits)) __debugbreak(); if(!BridgeList::Free(&nodeList->instrs)) __debugbreak(); } explicit BridgeCFNode(const BridgeCFNodeList* nodeList, bool freedata) { if(!nodeList) __debugbreak(); parentGraph = nodeList->parentGraph; start = nodeList->start; end = nodeList->end; brtrue = nodeList->brtrue; brfalse = nodeList->brfalse; icount = nodeList->icount; terminal = nodeList->terminal; indirectcall = nodeList->indirectcall; split = nodeList->split; userdata = nodeList->userdata; if(!BridgeList::ToVector(&nodeList->exits, exits, freedata)) __debugbreak(); if(!BridgeList::ToVector(&nodeList->instrs, instrs, freedata)) __debugbreak(); } explicit BridgeCFNode(duint parentGraph, duint start, duint end) : parentGraph(parentGraph), start(start), end(end), brtrue(0), brfalse(0), icount(0), terminal(false), indirectcall(false), split(false), userdata(nullptr) { } explicit BridgeCFNode() : parentGraph(0), start(0), end(0), brtrue(0), brfalse(0), icount(0), terminal(false), split(false), userdata(nullptr) { } BridgeCFNodeList ToNodeList() const { BridgeCFNodeList out; out.parentGraph = parentGraph; out.start = start; out.end = end; out.brtrue = brtrue; out.brfalse = brfalse; out.icount = icount; out.terminal = terminal; out.indirectcall = indirectcall; out.split = split; out.userdata = userdata; BridgeList::CopyData(&out.exits, exits); BridgeList::CopyData(&out.instrs, instrs); return std::move(out); } }; struct BridgeCFGraph { duint entryPoint; //graph entry point void* userdata; //user data std::unordered_map nodes; //CFNode.start -> CFNode std::unordered_map> parents; //CFNode.start -> parents static void Free(const BridgeCFGraphList* graphList) { if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList)) __debugbreak(); auto data = (BridgeCFNodeList*)graphList->nodes.data; for(int i = 0; i < graphList->nodes.count; i++) BridgeCFNode::Free(&data[i]); BridgeFree(data); } explicit BridgeCFGraph(const BridgeCFGraphList* graphList, bool freedata) { if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList)) __debugbreak(); entryPoint = graphList->entryPoint; userdata = graphList->userdata; auto data = (BridgeCFNodeList*)graphList->nodes.data; for(int i = 0; i < graphList->nodes.count; i++) AddNode(BridgeCFNode(&data[i], freedata)); if(freedata && data) BridgeFree(data); } explicit BridgeCFGraph(duint entryPoint) : entryPoint(entryPoint), userdata(nullptr) { } void AddNode(const BridgeCFNode & node) { nodes[node.start] = node; AddParent(node.start, node.brtrue); AddParent(node.start, node.brfalse); } void AddParent(duint child, duint parent) { if(!child || !parent) return; auto found = parents.find(child); if(found == parents.end()) { parents[child] = std::unordered_set(); parents[child].insert(parent); } else found->second.insert(parent); } BridgeCFGraphList ToGraphList() const { BridgeCFGraphList out; out.entryPoint = entryPoint; out.userdata = userdata; std::vector nodeList; nodeList.reserve(nodes.size()); for(const auto & nodeIt : nodes) nodeList.push_back(nodeIt.second.ToNodeList()); BridgeList::CopyData(&out.nodes, nodeList); return std::move(out); } }; #endif //_MSC_VER #endif //__cplusplus #endif //_GRAPH_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/bridgelist.h ================================================ #ifndef _LIST_H #define _LIST_H typedef struct { int count; //Number of element in the list. size_t size; //Size of list in bytes (used for type checking). void* data; //Pointer to the list contents. Must be deleted by the caller using BridgeFree (or BridgeList::Free). } ListInfo; #define ListOf(Type) ListInfo* #ifdef __cplusplus #include /** \brief A list object. This object is NOT thread safe. \tparam Type BridgeList contents type. */ template class BridgeList { public: /** \brief BridgeList constructor. \param _freeData (Optional) the free function. */ explicit BridgeList() { memset(&_listInfo, 0, sizeof(_listInfo)); } /** \brief BridgeList destructor. */ ~BridgeList() { Cleanup(); } /** \brief Gets the list data. \return Returns ListInfo->data. Can be null if the list was never initialized. Will be destroyed once this object goes out of scope! */ Type* Data() const { return reinterpret_cast(_listInfo.data); } /** \brief Gets the number of elements in the list. This will crash the program if the data is not consistent with the specified template argument. \return The number of elements in the list. */ int Count() const { if(_listInfo.size != _listInfo.count * sizeof(Type)) //make sure the user is using the correct type. __debugbreak(); return _listInfo.count; } /** \brief Cleans up the list, freeing the list data when it is not null. */ void Cleanup() { if(_listInfo.data) { BridgeFree(_listInfo.data); _listInfo.data = nullptr; } } /** \brief Reference operator (cleans up the previous list) \return Pointer to the ListInfo. */ ListInfo* operator&() { Cleanup(); return &_listInfo; } /** \brief Array indexer operator. This will crash if you try to access out-of-bounds. \param index Zero-based index of the item you want to get. \return Reference to a value at that index. */ Type & operator[](size_t index) const { if(index >= size_t(Count())) //make sure the out-of-bounds access is caught as soon as possible. __debugbreak(); return Data()[index]; } /** \brief Copies data to a ListInfo structure.. \param [out] listInfo If non-null, information describing the list. \param listData Data to copy in the ListInfo structure. \return true if it succeeds, false if it fails. */ static bool CopyData(ListInfo* listInfo, const std::vector & listData) { if(!listInfo) return false; listInfo->count = int(listData.size()); listInfo->size = listInfo->count * sizeof(Type); if(listInfo->count) { listInfo->data = BridgeAlloc(listInfo->size); Type* curItem = reinterpret_cast(listInfo->data); for(const auto & item : listData) { *curItem = item; ++curItem; } } else listInfo->data = nullptr; return true; } static bool Free(const ListInfo* listInfo) { if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) return false; BridgeFree(listInfo->data); return true; } static bool ToVector(const ListInfo* listInfo, std::vector & listData, bool freedata = true) { if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) return false; listData.resize(listInfo->count); for(int i = 0; i < listInfo->count; i++) listData[i] = ((Type*)listInfo->data)[i]; if(freedata && listInfo->data) BridgeFree(listInfo->data); return true; } private: ListInfo _listInfo; }; #endif //__cplusplus #endif //_LIST_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/bridgemain.h ================================================ #ifndef _BRIDGEMAIN_H_ #define _BRIDGEMAIN_H_ #include #ifndef __cplusplus #include #endif //default structure alignments forced #ifdef _WIN64 #pragma pack(push, 16) #else //x86 #pragma pack(push, 8) #endif //_WIN64 #ifdef _WIN64 typedef unsigned long long duint; typedef signed long long dsint; #else typedef unsigned long duint; typedef signed long dsint; #endif //_WIN64 #ifndef BRIDGE_IMPEXP #ifdef BUILD_BRIDGE #define BRIDGE_IMPEXP __declspec(dllexport) #else #define BRIDGE_IMPEXP __declspec(dllimport) #endif //BUILD_BRIDGE #endif //BRIDGE_IMPEXP #ifdef __cplusplus extern "C" { #endif //Bridge defines #define MAX_SETTING_SIZE 65536 #define DBG_VERSION 25 //Bridge functions /// /// Initialize the bridge. /// /// On error it returns a non-null error message. BRIDGE_IMPEXP const wchar_t* BridgeInit(); /// /// Start the bridge. /// /// On error it returns a non-null error message. BRIDGE_IMPEXP const wchar_t* BridgeStart(); /// /// Allocate buffer. Use BridgeFree to free the buffer. /// /// Size in bytes of the buffer to allocate. /// A pointer to the allocated buffer. This function will trigger a crash dump if unsuccessful. BRIDGE_IMPEXP void* BridgeAlloc(size_t size); /// /// Free buffer allocated by BridgeAlloc. /// /// Buffer to free. BRIDGE_IMPEXP void BridgeFree(void* ptr); /// /// Get a string setting from the in-memory setting store. /// /// Section the setting is in. Cannot be null. /// Setting key (name). Cannot be null. /// Output buffer for the value. Should be of MAX_SETTING_SIZE. Cannot be null. /// True if the setting was found and copied in the value parameter. BRIDGE_IMPEXP bool BridgeSettingGet(const char* section, const char* key, char* value); /// /// Get an integer setting from the in-memory setting store. /// /// Section the setting is in. Cannot be null. /// Setting key (name). Cannot be null. /// Output value. /// True if the setting was found and successfully converted to an integer. BRIDGE_IMPEXP bool BridgeSettingGetUint(const char* section, const char* key, duint* value); /// /// Set a string setting in the in-memory setting store. /// /// Section the setting is in. Cannot be null. /// Setting key (name). Set to null to clear the whole section. /// New setting value. Set to null to remove the key from the section. /// True if the operation was successful. BRIDGE_IMPEXP bool BridgeSettingSet(const char* section, const char* key, const char* value); /// /// Set an integer setting in the in-memory setting store. /// /// Section the setting is in. Cannot be null. /// Setting key (name). Set to null to clear the whole section. /// New setting value. /// True if the operation was successful. BRIDGE_IMPEXP bool BridgeSettingSetUint(const char* section, const char* key, duint value); /// /// Flush the in-memory setting store to disk. /// /// BRIDGE_IMPEXP bool BridgeSettingFlush(); /// /// Read the in-memory setting store from disk. /// /// Line where the error occurred. Set to null to ignore this. /// True if the setting were read and parsed correctly. BRIDGE_IMPEXP bool BridgeSettingRead(int* errorLine); /// /// Get the debugger version. /// /// 25 BRIDGE_IMPEXP int BridgeGetDbgVersion(); #ifdef __cplusplus } #endif //list structure (and C++ wrapper) #include "bridgelist.h" #include "bridgegraph.h" #ifdef __cplusplus extern "C" { #endif //Debugger defines #define MAX_LABEL_SIZE 256 #define MAX_COMMENT_SIZE 512 #define MAX_MODULE_SIZE 256 #define MAX_IMPORT_SIZE 65536 #define MAX_BREAKPOINT_SIZE 256 #define MAX_CONDITIONAL_EXPR_SIZE 256 #define MAX_CONDITIONAL_TEXT_SIZE 256 #define MAX_SCRIPT_LINE_SIZE 2048 #define MAX_THREAD_NAME_SIZE 256 #define MAX_WATCH_NAME_SIZE 256 #define MAX_STRING_SIZE 512 #define MAX_ERROR_SIZE 512 #define RIGHTS_STRING_SIZE (sizeof("ERWCG") + 1) #define MAX_SECTION_SIZE 10 #define MAX_COMMAND_LINE_SIZE 256 #define MAX_MNEMONIC_SIZE 64 #define PAGE_SIZE 0x1000 //Debugger enums typedef enum { initialized, paused, running, stopped } DBGSTATE; typedef enum { SEG_DEFAULT, SEG_ES, SEG_DS, SEG_FS, SEG_GS, SEG_CS, SEG_SS } SEGMENTREG; typedef enum { flagmodule = 0x1, flaglabel = 0x2, flagcomment = 0x4, flagbookmark = 0x8, flagfunction = 0x10, flagloop = 0x20, flagargs = 0x40, flagNoFuncOffset = 0x80 } ADDRINFOFLAGS; typedef enum { bp_none = 0, bp_normal = 1, bp_hardware = 2, bp_memory = 4, bp_dll = 8, bp_exception = 16 } BPXTYPE; typedef enum { FUNC_NONE, FUNC_BEGIN, FUNC_MIDDLE, FUNC_END, FUNC_SINGLE } FUNCTYPE; typedef enum { LOOP_NONE, LOOP_BEGIN, LOOP_MIDDLE, LOOP_ENTRY, LOOP_END, LOOP_SINGLE } LOOPTYPE; //order by most important type last typedef enum { XREF_NONE, XREF_DATA, XREF_JMP, XREF_CALL } XREFTYPE; typedef enum { ARG_NONE, ARG_BEGIN, ARG_MIDDLE, ARG_END, ARG_SINGLE } ARGTYPE; typedef enum { DBG_SCRIPT_LOAD, // param1=const char* filename, param2=unused DBG_SCRIPT_UNLOAD, // param1=unused, param2=unused DBG_SCRIPT_RUN, // param1=int destline, param2=unused DBG_SCRIPT_STEP, // param1=unused, param2=unused DBG_SCRIPT_BPTOGGLE, // param1=int line, param2=unused DBG_SCRIPT_BPGET, // param1=int line, param2=unused DBG_SCRIPT_CMDEXEC, // param1=const char* command, param2=unused DBG_SCRIPT_ABORT, // param1=unused, param2=unused DBG_SCRIPT_GETLINETYPE, // param1=int line, param2=unused DBG_SCRIPT_SETIP, // param1=int line, param2=unused DBG_SCRIPT_GETBRANCHINFO, // param1=int line, param2=SCRIPTBRANCH* info DBG_SYMBOL_ENUM, // param1=SYMBOLCBINFO* cbInfo, param2=unused DBG_ASSEMBLE_AT, // param1=duint addr, param2=const char* instruction DBG_MODBASE_FROM_NAME, // param1=const char* modname, param2=unused DBG_DISASM_AT, // param1=duint addr, param2=DISASM_INSTR* instr DBG_STACK_COMMENT_GET, // param1=duint addr, param2=STACK_COMMENT* comment DBG_GET_THREAD_LIST, // param1=THREADALLINFO* list, param2=unused DBG_SETTINGS_UPDATED, // param1=unused, param2=unused DBG_DISASM_FAST_AT, // param1=duint addr, param2=BASIC_INSTRUCTION_INFO* basicinfo DBG_MENU_ENTRY_CLICKED, // param1=int hEntry, param2=unused DBG_FUNCTION_GET, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_FUNCTION_OVERLAPS, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_FUNCTION_ADD, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_FUNCTION_DEL, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_LOOP_GET, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_LOOP_OVERLAPS, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_LOOP_ADD, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_LOOP_DEL, // param1=FUNCTION_LOOP_INFO* info, param2=unused DBG_IS_RUN_LOCKED, // param1=unused, param2=unused DBG_IS_BP_DISABLED, // param1=duint addr, param2=unused DBG_SET_AUTO_COMMENT_AT, // param1=duint addr, param2=const char* text DBG_DELETE_AUTO_COMMENT_RANGE, // param1=duint start, param2=duint end DBG_SET_AUTO_LABEL_AT, // param1=duint addr, param2=const char* text DBG_DELETE_AUTO_LABEL_RANGE, // param1=duint start, param2=duint end DBG_SET_AUTO_BOOKMARK_AT, // param1=duint addr, param2=const char* text DBG_DELETE_AUTO_BOOKMARK_RANGE, // param1=duint start, param2=duint end DBG_SET_AUTO_FUNCTION_AT, // param1=duint addr, param2=const char* text DBG_DELETE_AUTO_FUNCTION_RANGE, // param1=duint start, param2=duint end DBG_GET_STRING_AT, // param1=duint addr, param2=unused DBG_GET_FUNCTIONS, // param1=unused, param2=unused DBG_WIN_EVENT, // param1=MSG* message, param2=long* result DBG_WIN_EVENT_GLOBAL, // param1=MSG* message, param2=unused DBG_INITIALIZE_LOCKS, // param1=unused, param2=unused DBG_DEINITIALIZE_LOCKS, // param1=unused, param2=unused DBG_GET_TIME_WASTED_COUNTER, // param1=unused, param2=unused DBG_SYMBOL_ENUM_FROMCACHE, // param1=SYMBOLCBINFO* cbInfo, param2=unused DBG_DELETE_COMMENT_RANGE, // param1=duint start, param2=duint end DBG_DELETE_LABEL_RANGE, // param1=duint start, param2=duint end DBG_DELETE_BOOKMARK_RANGE, // param1=duint start, param2=duint end DBG_GET_XREF_COUNT_AT, // param1=duint addr, param2=unused DBG_GET_XREF_TYPE_AT, // param1=duint addr, param2=unused DBG_XREF_ADD, // param1=duint addr, param2=duint from DBG_XREF_DEL_ALL, // param1=duint addr, param2=unused DBG_XREF_GET, // param1=duint addr, param2=XREF_INFO* info DBG_GET_ENCODE_TYPE_BUFFER, // param1=duint addr, param2=unused DBG_ENCODE_TYPE_GET, // param1=duint addr, param2=duint size DBG_DELETE_ENCODE_TYPE_RANGE, // param1=duint start, param2=duint end DBG_ENCODE_SIZE_GET, // param1=duint addr, param2=duint codesize DBG_DELETE_ENCODE_TYPE_SEG, // param1=duint addr, param2=unused DBG_RELEASE_ENCODE_TYPE_BUFFER, // param1=void* buffer, param2=unused DBG_ARGUMENT_GET, // param1=FUNCTION* info, param2=unused DBG_ARGUMENT_OVERLAPS, // param1=FUNCTION* info, param2=unused DBG_ARGUMENT_ADD, // param1=FUNCTION* info, param2=unused DBG_ARGUMENT_DEL, // param1=FUNCTION* info, param2=unused DBG_GET_WATCH_LIST, // param1=ListOf(WATCHINFO), param2=unused DBG_SELCHANGED, // param1=hWindow, param2=VA DBG_GET_PROCESS_HANDLE, // param1=unused, param2=unused DBG_GET_THREAD_HANDLE, // param1=unused, param2=unused DBG_GET_PROCESS_ID, // param1=unused, param2=unused DBG_GET_THREAD_ID, // param1=unused, param2=unused DBG_GET_PEB_ADDRESS, // param1=DWORD ProcessId, param2=unused DBG_GET_TEB_ADDRESS, // param1=DWORD ThreadId, param2=unused DBG_ANALYZE_FUNCTION, // param1=BridgeCFGraphList* graph, param2=duint entry DBG_MENU_PREPARE // param1=int hMenu, param2=unused } DBGMSG; typedef enum { linecommand, linebranch, linelabel, linecomment, lineempty, } SCRIPTLINETYPE; typedef enum { scriptnobranch, scriptjmp, scriptjnejnz, scriptjejz, scriptjbjl, scriptjajg, scriptjbejle, scriptjaejge, scriptcall } SCRIPTBRANCHTYPE; typedef enum { instr_normal, instr_branch, instr_stack } DISASM_INSTRTYPE; typedef enum { arg_normal, arg_memory } DISASM_ARGTYPE; typedef enum { str_none, str_ascii, str_unicode } STRING_TYPE; typedef enum { _PriorityIdle = -15, _PriorityAboveNormal = 1, _PriorityBelowNormal = -1, _PriorityHighest = 2, _PriorityLowest = -2, _PriorityNormal = 0, _PriorityTimeCritical = 15, _PriorityUnknown = 0x7FFFFFFF } THREADPRIORITY; typedef enum { _Executive = 0, _FreePage = 1, _PageIn = 2, _PoolAllocation = 3, _DelayExecution = 4, _Suspended = 5, _UserRequest = 6, _WrExecutive = 7, _WrFreePage = 8, _WrPageIn = 9, _WrPoolAllocation = 10, _WrDelayExecution = 11, _WrSuspended = 12, _WrUserRequest = 13, _WrEventPair = 14, _WrQueue = 15, _WrLpcReceive = 16, _WrLpcReply = 17, _WrVirtualMemory = 18, _WrPageOut = 19, _WrRendezvous = 20, _Spare2 = 21, _Spare3 = 22, _Spare4 = 23, _Spare5 = 24, _WrCalloutStack = 25, _WrKernel = 26, _WrResource = 27, _WrPushLock = 28, _WrMutex = 29, _WrQuantumEnd = 30, _WrDispatchInt = 31, _WrPreempted = 32, _WrYieldExecution = 33, _WrFastMutex = 34, _WrGuardedMutex = 35, _WrRundown = 36, } THREADWAITREASON; typedef enum { size_byte = 1, size_word = 2, size_dword = 4, size_qword = 8 } MEMORY_SIZE; typedef enum { enc_unknown, //must be 0 enc_byte, //1 byte enc_word, //2 bytes enc_dword, //4 bytes enc_fword, //6 bytes enc_qword, //8 bytes enc_tbyte, //10 bytes enc_oword, //16 bytes enc_mmword, //8 bytes enc_xmmword, //16 bytes enc_ymmword, //32 bytes enc_zmmword, //64 bytes avx512 not supported enc_real4, //4 byte float enc_real8, //8 byte double enc_real10, //10 byte decimal enc_ascii, //ascii sequence enc_unicode, //unicode sequence enc_code, //start of code enc_junk, //junk code enc_middle //middle of data } ENCODETYPE; typedef enum { TYPE_UINT, // unsigned integer TYPE_INT, // signed integer TYPE_FLOAT,// single precision floating point value TYPE_ASCII, // ascii string TYPE_UNICODE, // unicode string TYPE_INVALID // invalid watch expression or data type } WATCHVARTYPE; typedef enum { MODE_DISABLED, // watchdog is disabled MODE_ISTRUE, // alert if expression is not 0 MODE_ISFALSE, // alert if expression is 0 MODE_CHANGED, // alert if expression is changed MODE_UNCHANGED // alert if expression is not changed } WATCHDOGMODE; typedef enum { hw_access, hw_write, hw_execute } BPHWTYPE; typedef enum { mem_access, mem_read, mem_write, mem_execute } BPMEMTYPE; typedef enum { dll_load = 1, dll_unload, dll_all } BPDLLTYPE; typedef enum { ex_firstchance = 1, ex_secondchance, ex_all } BPEXTYPE; typedef enum { hw_byte, hw_word, hw_dword, hw_qword } BPHWSIZE; //Debugger typedefs typedef MEMORY_SIZE VALUE_SIZE; typedef struct SYMBOLINFO_ SYMBOLINFO; typedef struct DBGFUNCTIONS_ DBGFUNCTIONS; typedef void (*CBSYMBOLENUM)(SYMBOLINFO* symbol, void* user); //Debugger structs typedef struct { MEMORY_BASIC_INFORMATION mbi; char info[MAX_MODULE_SIZE]; } MEMPAGE; typedef struct { int count; MEMPAGE* page; } MEMMAP; typedef struct { BPXTYPE type; duint addr; bool enabled; bool singleshoot; bool active; char name[MAX_BREAKPOINT_SIZE]; char mod[MAX_MODULE_SIZE]; unsigned short slot; // extended part unsigned char typeEx; //BPHWTYPE/BPMEMTYPE/BPDLLTYPE/BPEXTYPE unsigned char hwSize; //BPHWSIZE unsigned int hitCount; bool fastResume; bool silent; char breakCondition[MAX_CONDITIONAL_EXPR_SIZE]; char logText[MAX_CONDITIONAL_TEXT_SIZE]; char logCondition[MAX_CONDITIONAL_EXPR_SIZE]; char commandText[MAX_CONDITIONAL_TEXT_SIZE]; char commandCondition[MAX_CONDITIONAL_EXPR_SIZE]; } BRIDGEBP; typedef struct { int count; BRIDGEBP* bp; } BPMAP; typedef struct { char WatchName[MAX_WATCH_NAME_SIZE]; char Expression[MAX_CONDITIONAL_EXPR_SIZE]; unsigned int window; unsigned int id; WATCHVARTYPE varType; WATCHDOGMODE watchdogMode; duint value; bool watchdogTriggered; } WATCHINFO; typedef struct { duint start; //OUT duint end; //OUT duint instrcount; //OUT } FUNCTION; typedef struct { int depth; //IN duint start; //OUT duint end; //OUT duint instrcount; //OUT } LOOP; typedef struct { int flags; //ADDRINFOFLAGS (IN) char module[MAX_MODULE_SIZE]; //module the address is in char label[MAX_LABEL_SIZE]; char comment[MAX_COMMENT_SIZE]; bool isbookmark; FUNCTION function; LOOP loop; FUNCTION args; } BRIDGE_ADDRINFO; struct SYMBOLINFO_ { duint addr; char* decoratedSymbol; char* undecoratedSymbol; bool isImported; }; typedef struct { duint base; char name[MAX_MODULE_SIZE]; } SYMBOLMODULEINFO; typedef struct { duint base; CBSYMBOLENUM cbSymbolEnum; void* user; } SYMBOLCBINFO; typedef struct { bool c; bool p; bool a; bool z; bool s; bool t; bool i; bool d; bool o; } FLAGS; typedef struct { bool FZ; bool PM; bool UM; bool OM; bool ZM; bool IM; bool DM; bool DAZ; bool PE; bool UE; bool OE; bool ZE; bool DE; bool IE; unsigned short RC; } MXCSRFIELDS; typedef struct { bool B; bool C3; bool C2; bool C1; bool C0; bool ES; bool SF; bool P; bool U; bool O; bool Z; bool D; bool I; unsigned short TOP; } X87STATUSWORDFIELDS; typedef struct { bool IC; bool IEM; bool PM; bool UM; bool OM; bool ZM; bool DM; bool IM; unsigned short RC; unsigned short PC; } X87CONTROLWORDFIELDS; typedef struct DECLSPEC_ALIGN(16) _XMMREGISTER { ULONGLONG Low; LONGLONG High; } XMMREGISTER; typedef struct { XMMREGISTER Low; //XMM/SSE part XMMREGISTER High; //AVX part } YMMREGISTER; typedef struct { BYTE data[10]; int st_value; int tag; } X87FPUREGISTER; typedef struct { WORD ControlWord; WORD StatusWord; WORD TagWord; DWORD ErrorOffset; DWORD ErrorSelector; DWORD DataOffset; DWORD DataSelector; DWORD Cr0NpxState; } X87FPU; typedef struct { ULONG_PTR cax; ULONG_PTR ccx; ULONG_PTR cdx; ULONG_PTR cbx; ULONG_PTR csp; ULONG_PTR cbp; ULONG_PTR csi; ULONG_PTR cdi; #ifdef _WIN64 ULONG_PTR r8; ULONG_PTR r9; ULONG_PTR r10; ULONG_PTR r11; ULONG_PTR r12; ULONG_PTR r13; ULONG_PTR r14; ULONG_PTR r15; #endif //_WIN64 ULONG_PTR cip; ULONG_PTR eflags; unsigned short gs; unsigned short fs; unsigned short es; unsigned short ds; unsigned short cs; unsigned short ss; ULONG_PTR dr0; ULONG_PTR dr1; ULONG_PTR dr2; ULONG_PTR dr3; ULONG_PTR dr6; ULONG_PTR dr7; BYTE RegisterArea[80]; X87FPU x87fpu; DWORD MxCsr; #ifdef _WIN64 XMMREGISTER XmmRegisters[16]; YMMREGISTER YmmRegisters[16]; #else // x86 XMMREGISTER XmmRegisters[8]; YMMREGISTER YmmRegisters[8]; #endif } REGISTERCONTEXT; typedef struct { DWORD code; char name[128]; } LASTERROR; typedef struct { DWORD code; char name[128]; } LASTSTATUS; typedef struct { REGISTERCONTEXT regcontext; FLAGS flags; X87FPUREGISTER x87FPURegisters[8]; unsigned long long mmx[8]; MXCSRFIELDS MxCsrFields; X87STATUSWORDFIELDS x87StatusWordFields; X87CONTROLWORDFIELDS x87ControlWordFields; LASTERROR lastError; LASTSTATUS lastStatus; } REGDUMP; typedef struct { DISASM_ARGTYPE type; //normal/memory SEGMENTREG segment; char mnemonic[64]; duint constant; //constant in the instruction (imm/disp) duint value; //equal to constant or equal to the register value duint memvalue; //memsize:[value] } DISASM_ARG; typedef struct { char instruction[64]; DISASM_INSTRTYPE type; int argcount; int instr_size; DISASM_ARG arg[3]; } DISASM_INSTR; typedef struct { char color[8]; //hex color-code char comment[MAX_COMMENT_SIZE]; } STACK_COMMENT; typedef struct { int ThreadNumber; HANDLE Handle; DWORD ThreadId; duint ThreadStartAddress; duint ThreadLocalBase; char threadName[MAX_THREAD_NAME_SIZE]; } THREADINFO; typedef struct { THREADINFO BasicInfo; duint ThreadCip; DWORD SuspendCount; THREADPRIORITY Priority; THREADWAITREASON WaitReason; DWORD LastError; FILETIME UserTime; FILETIME KernelTime; FILETIME CreationTime; ULONG64 Cycles; // Windows Vista or greater } THREADALLINFO; typedef struct { int count; THREADALLINFO* list; int CurrentThread; } THREADLIST; typedef struct { duint value; //displacement / addrvalue (rip-relative) MEMORY_SIZE size; //byte/word/dword/qword char mnemonic[MAX_MNEMONIC_SIZE]; } MEMORY_INFO; typedef struct { duint value; VALUE_SIZE size; } VALUE_INFO; //definitions for BASIC_INSTRUCTION_INFO.type #define TYPE_VALUE 1 #define TYPE_MEMORY 2 #define TYPE_ADDR 4 typedef struct { DWORD type; //value|memory|addr VALUE_INFO value; //immediat MEMORY_INFO memory; duint addr; //addrvalue (jumps + calls) bool branch; //jumps/calls bool call; //instruction is a call int size; char instruction[MAX_MNEMONIC_SIZE * 4]; } BASIC_INSTRUCTION_INFO; typedef struct { SCRIPTBRANCHTYPE type; int dest; char branchlabel[256]; } SCRIPTBRANCH; typedef struct { duint addr; duint start; duint end; bool manual; int depth; } FUNCTION_LOOP_INFO; typedef struct { duint addr; XREFTYPE type; } XREF_RECORD; typedef struct { duint refcount; XREF_RECORD* references; } XREF_INFO; //Debugger functions BRIDGE_IMPEXP const char* DbgInit(); BRIDGE_IMPEXP void DbgExit(); BRIDGE_IMPEXP bool DbgMemRead(duint va, void* dest, duint size); BRIDGE_IMPEXP bool DbgMemWrite(duint va, const void* src, duint size); BRIDGE_IMPEXP duint DbgMemGetPageSize(duint base); BRIDGE_IMPEXP duint DbgMemFindBaseAddr(duint addr, duint* size); /// /// Asynchronously execute a debugger command by adding it to the command queue. /// Note: the command may not have completed before this call returns. Use this /// function if you don't care when the command gets executed. /// /// Example: DbgCmdExec("ClearLog") /// /// The command to execute. /// True if the command was successfully submitted to the command queue. False if the submission failed. BRIDGE_IMPEXP bool DbgCmdExec(const char* cmd); /// /// Performs synchronous execution of a debugger command. This function call only /// returns after the command has completed. /// /// Example: DbgCmdExecDirect("loadlib advapi32.dll") /// /// The command to execute. /// True if the command executed successfully, False if there was a problem. BRIDGE_IMPEXP bool DbgCmdExecDirect(const char* cmd); BRIDGE_IMPEXP bool DbgMemMap(MEMMAP* memmap); BRIDGE_IMPEXP bool DbgIsValidExpression(const char* expression); BRIDGE_IMPEXP bool DbgIsDebugging(); BRIDGE_IMPEXP bool DbgIsJumpGoingToExecute(duint addr); BRIDGE_IMPEXP bool DbgGetLabelAt(duint addr, SEGMENTREG segment, char* text); BRIDGE_IMPEXP bool DbgSetLabelAt(duint addr, const char* text); BRIDGE_IMPEXP void DbgClearLabelRange(duint start, duint end); BRIDGE_IMPEXP bool DbgGetCommentAt(duint addr, char* text); BRIDGE_IMPEXP bool DbgSetCommentAt(duint addr, const char* text); BRIDGE_IMPEXP void DbgClearCommentRange(duint start, duint end); BRIDGE_IMPEXP bool DbgGetBookmarkAt(duint addr); BRIDGE_IMPEXP bool DbgSetBookmarkAt(duint addr, bool isbookmark); BRIDGE_IMPEXP void DbgClearBookmarkRange(duint start, duint end); BRIDGE_IMPEXP bool DbgGetModuleAt(duint addr, char* text); BRIDGE_IMPEXP BPXTYPE DbgGetBpxTypeAt(duint addr); BRIDGE_IMPEXP duint DbgValFromString(const char* string); BRIDGE_IMPEXP bool DbgGetRegDumpEx(REGDUMP* regdump, size_t size); BRIDGE_IMPEXP bool DbgValToString(const char* string, duint value); BRIDGE_IMPEXP bool DbgMemIsValidReadPtr(duint addr); BRIDGE_IMPEXP int DbgGetBpList(BPXTYPE type, BPMAP* list); BRIDGE_IMPEXP FUNCTYPE DbgGetFunctionTypeAt(duint addr); BRIDGE_IMPEXP LOOPTYPE DbgGetLoopTypeAt(duint addr, int depth); BRIDGE_IMPEXP duint DbgGetBranchDestination(duint addr); BRIDGE_IMPEXP void DbgScriptLoad(const char* filename); BRIDGE_IMPEXP void DbgScriptUnload(); BRIDGE_IMPEXP void DbgScriptRun(int destline); BRIDGE_IMPEXP void DbgScriptStep(); BRIDGE_IMPEXP bool DbgScriptBpToggle(int line); BRIDGE_IMPEXP bool DbgScriptBpGet(int line); BRIDGE_IMPEXP bool DbgScriptCmdExec(const char* command); BRIDGE_IMPEXP void DbgScriptAbort(); BRIDGE_IMPEXP SCRIPTLINETYPE DbgScriptGetLineType(int line); BRIDGE_IMPEXP void DbgScriptSetIp(int line); BRIDGE_IMPEXP bool DbgScriptGetBranchInfo(int line, SCRIPTBRANCH* info); BRIDGE_IMPEXP void DbgSymbolEnum(duint base, CBSYMBOLENUM cbSymbolEnum, void* user); BRIDGE_IMPEXP void DbgSymbolEnumFromCache(duint base, CBSYMBOLENUM cbSymbolEnum, void* user); BRIDGE_IMPEXP bool DbgAssembleAt(duint addr, const char* instruction); BRIDGE_IMPEXP duint DbgModBaseFromName(const char* name); BRIDGE_IMPEXP void DbgDisasmAt(duint addr, DISASM_INSTR* instr); BRIDGE_IMPEXP bool DbgStackCommentGet(duint addr, STACK_COMMENT* comment); BRIDGE_IMPEXP void DbgGetThreadList(THREADLIST* list); BRIDGE_IMPEXP void DbgSettingsUpdated(); BRIDGE_IMPEXP void DbgDisasmFastAt(duint addr, BASIC_INSTRUCTION_INFO* basicinfo); BRIDGE_IMPEXP void DbgMenuEntryClicked(int hEntry); BRIDGE_IMPEXP bool DbgFunctionGet(duint addr, duint* start, duint* end); BRIDGE_IMPEXP bool DbgFunctionOverlaps(duint start, duint end); BRIDGE_IMPEXP bool DbgFunctionAdd(duint start, duint end); BRIDGE_IMPEXP bool DbgFunctionDel(duint addr); BRIDGE_IMPEXP bool DbgArgumentGet(duint addr, duint* start, duint* end); BRIDGE_IMPEXP bool DbgArgumentOverlaps(duint start, duint end); BRIDGE_IMPEXP bool DbgArgumentAdd(duint start, duint end); BRIDGE_IMPEXP bool DbgArgumentDel(duint addr); BRIDGE_IMPEXP bool DbgLoopGet(int depth, duint addr, duint* start, duint* end); BRIDGE_IMPEXP bool DbgLoopOverlaps(int depth, duint start, duint end); BRIDGE_IMPEXP bool DbgLoopAdd(duint start, duint end); BRIDGE_IMPEXP bool DbgLoopDel(int depth, duint addr); BRIDGE_IMPEXP bool DbgXrefAdd(duint addr, duint from); BRIDGE_IMPEXP bool DbgXrefDelAll(duint addr); BRIDGE_IMPEXP bool DbgXrefGet(duint addr, XREF_INFO* info); BRIDGE_IMPEXP size_t DbgGetXrefCountAt(duint addr); BRIDGE_IMPEXP XREFTYPE DbgGetXrefTypeAt(duint addr); BRIDGE_IMPEXP bool DbgIsRunLocked(); BRIDGE_IMPEXP bool DbgIsBpDisabled(duint addr); BRIDGE_IMPEXP bool DbgSetAutoCommentAt(duint addr, const char* text); BRIDGE_IMPEXP void DbgClearAutoCommentRange(duint start, duint end); BRIDGE_IMPEXP bool DbgSetAutoLabelAt(duint addr, const char* text); BRIDGE_IMPEXP void DbgClearAutoLabelRange(duint start, duint end); BRIDGE_IMPEXP bool DbgSetAutoBookmarkAt(duint addr); BRIDGE_IMPEXP void DbgClearAutoBookmarkRange(duint start, duint end); BRIDGE_IMPEXP bool DbgSetAutoFunctionAt(duint start, duint end); BRIDGE_IMPEXP void DbgClearAutoFunctionRange(duint start, duint end); BRIDGE_IMPEXP bool DbgGetStringAt(duint addr, char* text); BRIDGE_IMPEXP const DBGFUNCTIONS* DbgFunctions(); BRIDGE_IMPEXP bool DbgWinEvent(MSG* message, long* result); BRIDGE_IMPEXP bool DbgWinEventGlobal(MSG* message); BRIDGE_IMPEXP bool DbgIsRunning(); BRIDGE_IMPEXP duint DbgGetTimeWastedCounter(); BRIDGE_IMPEXP ARGTYPE DbgGetArgTypeAt(duint addr); BRIDGE_IMPEXP void* DbgGetEncodeTypeBuffer(duint addr, duint* size); BRIDGE_IMPEXP void DbgReleaseEncodeTypeBuffer(void* buffer); BRIDGE_IMPEXP ENCODETYPE DbgGetEncodeTypeAt(duint addr, duint size); BRIDGE_IMPEXP duint DbgGetEncodeSizeAt(duint addr, duint codesize); BRIDGE_IMPEXP bool DbgSetEncodeType(duint addr, duint size, ENCODETYPE type); BRIDGE_IMPEXP void DbgDelEncodeTypeRange(duint start, duint end); BRIDGE_IMPEXP void DbgDelEncodeTypeSegment(duint start); BRIDGE_IMPEXP bool DbgGetWatchList(ListOf(WATCHINFO) list); BRIDGE_IMPEXP void DbgSelChanged(int hWindow, duint VA); BRIDGE_IMPEXP HANDLE DbgGetProcessHandle(); BRIDGE_IMPEXP HANDLE DbgGetThreadHandle(); BRIDGE_IMPEXP DWORD DbgGetProcessId(); BRIDGE_IMPEXP DWORD DbgGetThreadId(); BRIDGE_IMPEXP duint DbgGetPebAddress(DWORD ProcessId); BRIDGE_IMPEXP duint DbgGetTebAddress(DWORD ThreadId); BRIDGE_IMPEXP bool DbgAnalyzeFunction(duint entry, BridgeCFGraphList* graph); BRIDGE_IMPEXP duint DbgEval(const char* expression, bool* success = 0); BRIDGE_IMPEXP void DbgMenuPrepare(int hMenu); //Gui defines #define GUI_PLUGIN_MENU 0 #define GUI_DISASM_MENU 1 #define GUI_DUMP_MENU 2 #define GUI_STACK_MENU 3 #define GUI_DISASSEMBLY 0 #define GUI_DUMP 1 #define GUI_STACK 2 #define GUI_GRAPH 3 #define GUI_MEMMAP 4 #define GUI_SYMMOD 5 #define GUI_MAX_LINE_SIZE 65536 #define GUI_MAX_DISASSEMBLY_SIZE 2048 //Gui enums typedef enum { GUI_DISASSEMBLE_AT, // param1=(duint)va, param2=(duint)cip GUI_SET_DEBUG_STATE, // param1=(DBGSTATE)state, param2=unused GUI_ADD_MSG_TO_LOG, // param1=(const char*)msg, param2=unused GUI_CLEAR_LOG, // param1=unused, param2=unused GUI_UPDATE_REGISTER_VIEW, // param1=unused, param2=unused GUI_UPDATE_DISASSEMBLY_VIEW, // param1=unused, param2=unused GUI_UPDATE_BREAKPOINTS_VIEW, // param1=unused, param2=unused GUI_UPDATE_WINDOW_TITLE, // param1=(const char*)file, param2=unused GUI_GET_WINDOW_HANDLE, // param1=unused, param2=unused GUI_DUMP_AT, // param1=(duint)va param2=unused GUI_SCRIPT_ADD, // param1=int count, param2=const char** lines GUI_SCRIPT_CLEAR, // param1=unused, param2=unused GUI_SCRIPT_SETIP, // param1=int line, param2=unused GUI_SCRIPT_ERROR, // param1=int line, param2=const char* message GUI_SCRIPT_SETTITLE, // param1=const char* title, param2=unused GUI_SCRIPT_SETINFOLINE, // param1=int line, param2=const char* info GUI_SCRIPT_MESSAGE, // param1=const char* message, param2=unused GUI_SCRIPT_MSGYN, // param1=const char* message, param2=unused GUI_SYMBOL_LOG_ADD, // param1(const char*)msg, param2=unused GUI_SYMBOL_LOG_CLEAR, // param1=unused, param2=unused GUI_SYMBOL_SET_PROGRESS, // param1=int percent param2=unused GUI_SYMBOL_UPDATE_MODULE_LIST, // param1=int count, param2=SYMBOLMODULEINFO* modules GUI_REF_ADDCOLUMN, // param1=int width, param2=(const char*)title GUI_REF_SETROWCOUNT, // param1=int rows, param2=unused GUI_REF_GETROWCOUNT, // param1=unused, param2=unused GUI_REF_DELETEALLCOLUMNS, // param1=unused, param2=unused GUI_REF_SETCELLCONTENT, // param1=(CELLINFO*)info, param2=unused GUI_REF_GETCELLCONTENT, // param1=int row, param2=int col GUI_REF_RELOADDATA, // param1=unused, param2=unused GUI_REF_SETSINGLESELECTION, // param1=int index, param2=bool scroll GUI_REF_SETPROGRESS, // param1=int progress, param2=unused GUI_REF_SETCURRENTTASKPROGRESS, // param1=int progress, param2=const char* taskTitle GUI_REF_SETSEARCHSTARTCOL, // param1=int col param2=unused GUI_STACK_DUMP_AT, // param1=duint addr, param2=duint csp GUI_UPDATE_DUMP_VIEW, // param1=unused, param2=unused GUI_UPDATE_THREAD_VIEW, // param1=unused, param2=unused GUI_ADD_RECENT_FILE, // param1=(const char*)file, param2=unused GUI_SET_LAST_EXCEPTION, // param1=unsigned int code, param2=unused GUI_GET_DISASSEMBLY, // param1=duint addr, param2=char* text GUI_MENU_ADD, // param1=int hMenu, param2=const char* title GUI_MENU_ADD_ENTRY, // param1=int hMenu, param2=const char* title GUI_MENU_ADD_SEPARATOR, // param1=int hMenu, param2=unused GUI_MENU_CLEAR, // param1=int hMenu, param2=unused GUI_SELECTION_GET, // param1=int hWindow, param2=SELECTIONDATA* selection GUI_SELECTION_SET, // param1=int hWindow, param2=const SELECTIONDATA* selection GUI_GETLINE_WINDOW, // param1=const char* title, param2=char* text GUI_AUTOCOMPLETE_ADDCMD, // param1=const char* cmd, param2=ununsed GUI_AUTOCOMPLETE_DELCMD, // param1=const char* cmd, param2=ununsed GUI_AUTOCOMPLETE_CLEARALL, // param1=unused, param2=unused GUI_SCRIPT_ENABLEHIGHLIGHTING, // param1=bool enable, param2=unused GUI_ADD_MSG_TO_STATUSBAR, // param1=const char* msg, param2=unused GUI_UPDATE_SIDEBAR, // param1=unused, param2=unused GUI_REPAINT_TABLE_VIEW, // param1=unused, param2=unused GUI_UPDATE_PATCHES, // param1=unused, param2=unused GUI_UPDATE_CALLSTACK, // param1=unused, param2=unused GUI_UPDATE_SEHCHAIN, // param1=unused, param2=unused GUI_SYMBOL_REFRESH_CURRENT, // param1=unused, param2=unused GUI_UPDATE_MEMORY_VIEW, // param1=unused, param2=unused GUI_REF_INITIALIZE, // param1=const char* name, param2=unused GUI_LOAD_SOURCE_FILE, // param1=const char* path, param2=line GUI_MENU_SET_ICON, // param1=int hMenu, param2=ICONINFO* GUI_MENU_SET_ENTRY_ICON, // param1=int hEntry, param2=ICONINFO* GUI_SHOW_CPU, // param1=unused, param2=unused GUI_ADD_QWIDGET_TAB, // param1=QWidget*, param2=unused GUI_SHOW_QWIDGET_TAB, // param1=QWidget*, param2=unused GUI_CLOSE_QWIDGET_TAB, // param1=QWidget*, param2=unused GUI_EXECUTE_ON_GUI_THREAD, // param1=GUICALLBACK, param2=unused GUI_UPDATE_TIME_WASTED_COUNTER, // param1=unused, param2=unused GUI_SET_GLOBAL_NOTES, // param1=const char* text, param2=unused GUI_GET_GLOBAL_NOTES, // param1=char** text, param2=unused GUI_SET_DEBUGGEE_NOTES, // param1=const char* text, param2=unused GUI_GET_DEBUGGEE_NOTES, // param1=char** text, param2=unused GUI_DUMP_AT_N, // param1=int index, param2=duint va GUI_DISPLAY_WARNING, // param1=const char *text, param2=unused GUI_REGISTER_SCRIPT_LANG, // param1=SCRIPTTYPEINFO* info, param2=unused GUI_UNREGISTER_SCRIPT_LANG, // param1=int id, param2=unused GUI_UPDATE_ARGUMENT_VIEW, // param1=unused, param2=unused GUI_FOCUS_VIEW, // param1=int hWindow, param2=unused GUI_UPDATE_WATCH_VIEW, // param1=unused, param2=unused GUI_LOAD_GRAPH, // param1=BridgeCFGraphList* param2=unused GUI_GRAPH_AT, // param1=duint addr param2=unused GUI_UPDATE_GRAPH_VIEW, // param1=unused, param2=unused GUI_SET_LOG_ENABLED, // param1=bool isEnabled param2=unused GUI_ADD_FAVOURITE_TOOL, // param1=const char* name param2=const char* description GUI_ADD_FAVOURITE_COMMAND, // param1=const char* command param2=const char* shortcut GUI_SET_FAVOURITE_TOOL_SHORTCUT,// param1=const char* name param2=const char* shortcut GUI_FOLD_DISASSEMBLY, // param1=duint startAddress param2=duint length GUI_SELECT_IN_MEMORY_MAP, // param1=duint addr, param2=unused GUI_GET_ACTIVE_VIEW, // param1=ACTIVEVIEW*, param2=unused GUI_MENU_SET_ENTRY_CHECKED, // param1=int hEntry, param2=bool checked GUI_ADD_INFO_LINE, // param1=const char* infoline, param2=unused GUI_PROCESS_EVENTS, // param1=unused, param2=unused GUI_TYPE_ADDNODE, // param1=void* parent, param2=TYPEDESCRIPTOR* type GUI_TYPE_CLEAR, // param1=unused, param2=unused GUI_UPDATE_TYPE_WIDGET, // param1=unused, param2=unused GUI_CLOSE_APPLICATION, // param1=unused, param2=unused GUI_MENU_SET_VISIBLE, // param1=int hMenu, param2=bool visible GUI_MENU_SET_ENTRY_VISIBLE, // param1=int hEntry, param2=bool visible GUI_MENU_SET_NAME, // param1=int hMenu, param2=const char* name GUI_MENU_SET_ENTRY_NAME, // param1=int hEntry, param2=const char* name GUI_FLUSH_LOG, // param1=unused, param2=unused GUI_MENU_SET_ENTRY_HOTKEY, // param1=int hEntry, param2=const char* hack GUI_REF_SEARCH_GETROWCOUNT, // param1=unused, param2=unused GUI_REF_SEARCH_GETCELLCONTENT, // param1=int row, param2=int col GUI_MENU_REMOVE, // param1=int hEntryMenu, param2=unused GUI_REF_ADDCOMMAND, // param1=const char* title, param2=const char* command GUI_OPEN_TRACE_FILE, // param1=const char* file name,param2=unused GUI_UPDATE_TRACE_BROWSER // param1=unused, param2=unused } GUIMSG; //GUI Typedefs struct _TYPEDESCRIPTOR; typedef void (*GUICALLBACK)(); typedef bool (*GUISCRIPTEXECUTE)(const char* text); typedef void (*GUISCRIPTCOMPLETER)(const char* text, char** entries, int* entryCount); typedef bool (*TYPETOSTRING)(const struct _TYPEDESCRIPTOR* type, char* dest, size_t* destCount); //don't change destCount for final failure //GUI structures typedef struct { int row; int col; const char* str; } CELLINFO; typedef struct { duint start; duint end; } SELECTIONDATA; typedef struct { const void* data; duint size; } ICONDATA; typedef struct { char name[64]; int id; GUISCRIPTEXECUTE execute; GUISCRIPTCOMPLETER completeCommand; } SCRIPTTYPEINFO; typedef struct { void* titleHwnd; void* classHwnd; char title[MAX_STRING_SIZE]; char className[MAX_STRING_SIZE]; } ACTIVEVIEW; typedef struct _TYPEDESCRIPTOR { bool expanded; //is the type node expanded? bool reverse; //big endian? const char* name; //type name (int b) duint addr; //virtual address duint offset; //offset to addr for the actual location int id; //type id int size; //sizeof(type) TYPETOSTRING callback; //convert to string void* userdata; //user data } TYPEDESCRIPTOR; //GUI functions //code page is utf8 BRIDGE_IMPEXP const char* GuiTranslateText(const char* Source); BRIDGE_IMPEXP void GuiDisasmAt(duint addr, duint cip); BRIDGE_IMPEXP void GuiSetDebugState(DBGSTATE state); BRIDGE_IMPEXP void GuiSetDebugStateFast(DBGSTATE state); BRIDGE_IMPEXP void GuiAddLogMessage(const char* msg); BRIDGE_IMPEXP void GuiLogClear(); BRIDGE_IMPEXP void GuiUpdateAllViews(); BRIDGE_IMPEXP void GuiUpdateRegisterView(); BRIDGE_IMPEXP void GuiUpdateDisassemblyView(); BRIDGE_IMPEXP void GuiUpdateBreakpointsView(); BRIDGE_IMPEXP void GuiUpdateWindowTitle(const char* filename); BRIDGE_IMPEXP HWND GuiGetWindowHandle(); BRIDGE_IMPEXP void GuiDumpAt(duint va); BRIDGE_IMPEXP void GuiScriptAdd(int count, const char** lines); BRIDGE_IMPEXP void GuiScriptClear(); BRIDGE_IMPEXP void GuiScriptSetIp(int line); BRIDGE_IMPEXP void GuiScriptError(int line, const char* message); BRIDGE_IMPEXP void GuiScriptSetTitle(const char* title); BRIDGE_IMPEXP void GuiScriptSetInfoLine(int line, const char* info); BRIDGE_IMPEXP void GuiScriptMessage(const char* message); BRIDGE_IMPEXP int GuiScriptMsgyn(const char* message); BRIDGE_IMPEXP void GuiScriptEnableHighlighting(bool enable); BRIDGE_IMPEXP void GuiSymbolLogAdd(const char* message); BRIDGE_IMPEXP void GuiSymbolLogClear(); BRIDGE_IMPEXP void GuiSymbolSetProgress(int percent); BRIDGE_IMPEXP void GuiSymbolUpdateModuleList(int count, SYMBOLMODULEINFO* modules); BRIDGE_IMPEXP void GuiSymbolRefreshCurrent(); BRIDGE_IMPEXP void GuiReferenceAddColumn(int width, const char* title); BRIDGE_IMPEXP void GuiReferenceSetRowCount(int count); BRIDGE_IMPEXP int GuiReferenceGetRowCount(); BRIDGE_IMPEXP int GuiReferenceSearchGetRowCount(); BRIDGE_IMPEXP void GuiReferenceDeleteAllColumns(); BRIDGE_IMPEXP void GuiReferenceInitialize(const char* name); BRIDGE_IMPEXP void GuiReferenceSetCellContent(int row, int col, const char* str); BRIDGE_IMPEXP char* GuiReferenceGetCellContent(int row, int col); BRIDGE_IMPEXP char* GuiReferenceSearchGetCellContent(int row, int col); BRIDGE_IMPEXP void GuiReferenceReloadData(); BRIDGE_IMPEXP void GuiReferenceSetSingleSelection(int index, bool scroll); BRIDGE_IMPEXP void GuiReferenceSetProgress(int progress); BRIDGE_IMPEXP void GuiReferenceSetCurrentTaskProgress(int progress, const char* taskTitle); BRIDGE_IMPEXP void GuiReferenceSetSearchStartCol(int col); BRIDGE_IMPEXP void GuiStackDumpAt(duint addr, duint csp); BRIDGE_IMPEXP void GuiUpdateDumpView(); BRIDGE_IMPEXP void GuiUpdateWatchView(); BRIDGE_IMPEXP void GuiUpdateThreadView(); BRIDGE_IMPEXP void GuiUpdateMemoryView(); BRIDGE_IMPEXP void GuiAddRecentFile(const char* file); BRIDGE_IMPEXP void GuiSetLastException(unsigned int exception); BRIDGE_IMPEXP bool GuiGetDisassembly(duint addr, char* text); BRIDGE_IMPEXP int GuiMenuAdd(int hMenu, const char* title); BRIDGE_IMPEXP int GuiMenuAddEntry(int hMenu, const char* title); BRIDGE_IMPEXP void GuiMenuAddSeparator(int hMenu); BRIDGE_IMPEXP void GuiMenuClear(int hMenu); BRIDGE_IMPEXP void GuiMenuRemove(int hEntryMenu); BRIDGE_IMPEXP bool GuiSelectionGet(int hWindow, SELECTIONDATA* selection); BRIDGE_IMPEXP bool GuiSelectionSet(int hWindow, const SELECTIONDATA* selection); BRIDGE_IMPEXP bool GuiGetLineWindow(const char* title, char* text); BRIDGE_IMPEXP void GuiAutoCompleteAddCmd(const char* cmd); BRIDGE_IMPEXP void GuiAutoCompleteDelCmd(const char* cmd); BRIDGE_IMPEXP void GuiAutoCompleteClearAll(); BRIDGE_IMPEXP void GuiAddStatusBarMessage(const char* msg); BRIDGE_IMPEXP void GuiUpdateSideBar(); BRIDGE_IMPEXP void GuiRepaintTableView(); BRIDGE_IMPEXP void GuiUpdatePatches(); BRIDGE_IMPEXP void GuiUpdateCallStack(); BRIDGE_IMPEXP void GuiUpdateSEHChain(); BRIDGE_IMPEXP void GuiLoadSourceFile(const char* path, int line); BRIDGE_IMPEXP void GuiMenuSetIcon(int hMenu, const ICONDATA* icon); BRIDGE_IMPEXP void GuiMenuSetEntryIcon(int hEntry, const ICONDATA* icon); BRIDGE_IMPEXP void GuiMenuSetEntryChecked(int hEntry, bool checked); BRIDGE_IMPEXP void GuiMenuSetVisible(int hMenu, bool visible); BRIDGE_IMPEXP void GuiMenuSetEntryVisible(int hEntry, bool visible); BRIDGE_IMPEXP void GuiMenuSetName(int hMenu, const char* name); BRIDGE_IMPEXP void GuiMenuSetEntryName(int hEntry, const char* name); BRIDGE_IMPEXP void GuiMenuSetEntryHotkey(int hEntry, const char* hack); BRIDGE_IMPEXP void GuiShowCpu(); BRIDGE_IMPEXP void GuiAddQWidgetTab(void* qWidget); BRIDGE_IMPEXP void GuiShowQWidgetTab(void* qWidget); BRIDGE_IMPEXP void GuiCloseQWidgetTab(void* qWidget); BRIDGE_IMPEXP void GuiExecuteOnGuiThread(GUICALLBACK cbGuiThread); BRIDGE_IMPEXP void GuiUpdateTimeWastedCounter(); BRIDGE_IMPEXP void GuiSetGlobalNotes(const char* text); BRIDGE_IMPEXP void GuiGetGlobalNotes(char** text); BRIDGE_IMPEXP void GuiSetDebuggeeNotes(const char* text); BRIDGE_IMPEXP void GuiGetDebuggeeNotes(char** text); BRIDGE_IMPEXP void GuiDumpAtN(duint va, int index); BRIDGE_IMPEXP void GuiDisplayWarning(const char* title, const char* text); BRIDGE_IMPEXP void GuiRegisterScriptLanguage(SCRIPTTYPEINFO* info); BRIDGE_IMPEXP void GuiUnregisterScriptLanguage(int id); BRIDGE_IMPEXP void GuiUpdateArgumentWidget(); BRIDGE_IMPEXP void GuiFocusView(int hWindow); BRIDGE_IMPEXP bool GuiIsUpdateDisabled(); BRIDGE_IMPEXP void GuiUpdateEnable(bool updateNow); BRIDGE_IMPEXP void GuiUpdateDisable(); BRIDGE_IMPEXP bool GuiLoadGraph(BridgeCFGraphList* graph, duint addr); BRIDGE_IMPEXP duint GuiGraphAt(duint addr); BRIDGE_IMPEXP void GuiUpdateGraphView(); BRIDGE_IMPEXP void GuiDisableLog(); BRIDGE_IMPEXP void GuiEnableLog(); BRIDGE_IMPEXP void GuiAddFavouriteTool(const char* name, const char* description); BRIDGE_IMPEXP void GuiAddFavouriteCommand(const char* name, const char* shortcut); BRIDGE_IMPEXP void GuiSetFavouriteToolShortcut(const char* name, const char* shortcut); BRIDGE_IMPEXP void GuiFoldDisassembly(duint startAddress, duint length); BRIDGE_IMPEXP void GuiSelectInMemoryMap(duint addr); BRIDGE_IMPEXP void GuiGetActiveView(ACTIVEVIEW* activeView); BRIDGE_IMPEXP void GuiAddInfoLine(const char* infoLine); BRIDGE_IMPEXP void GuiProcessEvents(); BRIDGE_IMPEXP void* GuiTypeAddNode(void* parent, const TYPEDESCRIPTOR* type); BRIDGE_IMPEXP bool GuiTypeClear(); BRIDGE_IMPEXP void GuiUpdateTypeWidget(); BRIDGE_IMPEXP void GuiCloseApplication(); BRIDGE_IMPEXP void GuiFlushLog(); BRIDGE_IMPEXP void GuiReferenceAddCommand(const char* title, const char* command); BRIDGE_IMPEXP void GuiUpdateTraceBrowser(); BRIDGE_IMPEXP void GuiOpenTraceFile(const char* fileName); #ifdef __cplusplus } #endif #pragma pack(pop) #endif // _BRIDGEMAIN_H_ ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/arm.h ================================================ #ifndef CAPSTONE_ARM_H #define CAPSTONE_ARM_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> ARM shift type typedef enum arm_shifter { ARM_SFT_INVALID = 0, ARM_SFT_ASR, // shift with immediate const ARM_SFT_LSL, // shift with immediate const ARM_SFT_LSR, // shift with immediate const ARM_SFT_ROR, // shift with immediate const ARM_SFT_RRX, // shift with immediate const ARM_SFT_ASR_REG, // shift with register ARM_SFT_LSL_REG, // shift with register ARM_SFT_LSR_REG, // shift with register ARM_SFT_ROR_REG, // shift with register ARM_SFT_RRX_REG, // shift with register } arm_shifter; //> ARM condition code typedef enum arm_cc { ARM_CC_INVALID = 0, ARM_CC_EQ, // Equal Equal ARM_CC_NE, // Not equal Not equal, or unordered ARM_CC_HS, // Carry set >, ==, or unordered ARM_CC_LO, // Carry clear Less than ARM_CC_MI, // Minus, negative Less than ARM_CC_PL, // Plus, positive or zero >, ==, or unordered ARM_CC_VS, // Overflow Unordered ARM_CC_VC, // No overflow Not unordered ARM_CC_HI, // Unsigned higher Greater than, or unordered ARM_CC_LS, // Unsigned lower or same Less than or equal ARM_CC_GE, // Greater than or equal Greater than or equal ARM_CC_LT, // Less than Less than, or unordered ARM_CC_GT, // Greater than Greater than ARM_CC_LE, // Less than or equal <, ==, or unordered ARM_CC_AL // Always (unconditional) Always (unconditional) } arm_cc; typedef enum arm_sysreg { //> Special registers for MSR ARM_SYSREG_INVALID = 0, // SPSR* registers can be OR combined ARM_SYSREG_SPSR_C = 1, ARM_SYSREG_SPSR_X = 2, ARM_SYSREG_SPSR_S = 4, ARM_SYSREG_SPSR_F = 8, // CPSR* registers can be OR combined ARM_SYSREG_CPSR_C = 16, ARM_SYSREG_CPSR_X = 32, ARM_SYSREG_CPSR_S = 64, ARM_SYSREG_CPSR_F = 128, // independent registers ARM_SYSREG_APSR = 256, ARM_SYSREG_APSR_G, ARM_SYSREG_APSR_NZCVQ, ARM_SYSREG_APSR_NZCVQG, ARM_SYSREG_IAPSR, ARM_SYSREG_IAPSR_G, ARM_SYSREG_IAPSR_NZCVQG, ARM_SYSREG_IAPSR_NZCVQ, ARM_SYSREG_EAPSR, ARM_SYSREG_EAPSR_G, ARM_SYSREG_EAPSR_NZCVQG, ARM_SYSREG_EAPSR_NZCVQ, ARM_SYSREG_XPSR, ARM_SYSREG_XPSR_G, ARM_SYSREG_XPSR_NZCVQG, ARM_SYSREG_XPSR_NZCVQ, ARM_SYSREG_IPSR, ARM_SYSREG_EPSR, ARM_SYSREG_IEPSR, ARM_SYSREG_MSP, ARM_SYSREG_PSP, ARM_SYSREG_PRIMASK, ARM_SYSREG_BASEPRI, ARM_SYSREG_BASEPRI_MAX, ARM_SYSREG_FAULTMASK, ARM_SYSREG_CONTROL, // Banked Registers ARM_SYSREG_R8_USR, ARM_SYSREG_R9_USR, ARM_SYSREG_R10_USR, ARM_SYSREG_R11_USR, ARM_SYSREG_R12_USR, ARM_SYSREG_SP_USR, ARM_SYSREG_LR_USR, ARM_SYSREG_R8_FIQ, ARM_SYSREG_R9_FIQ, ARM_SYSREG_R10_FIQ, ARM_SYSREG_R11_FIQ, ARM_SYSREG_R12_FIQ, ARM_SYSREG_SP_FIQ, ARM_SYSREG_LR_FIQ, ARM_SYSREG_LR_IRQ, ARM_SYSREG_SP_IRQ, ARM_SYSREG_LR_SVC, ARM_SYSREG_SP_SVC, ARM_SYSREG_LR_ABT, ARM_SYSREG_SP_ABT, ARM_SYSREG_LR_UND, ARM_SYSREG_SP_UND, ARM_SYSREG_LR_MON, ARM_SYSREG_SP_MON, ARM_SYSREG_ELR_HYP, ARM_SYSREG_SP_HYP, ARM_SYSREG_SPSR_FIQ, ARM_SYSREG_SPSR_IRQ, ARM_SYSREG_SPSR_SVC, ARM_SYSREG_SPSR_ABT, ARM_SYSREG_SPSR_UND, ARM_SYSREG_SPSR_MON, ARM_SYSREG_SPSR_HYP, } arm_sysreg; //> The memory barrier constants map directly to the 4-bit encoding of //> the option field for Memory Barrier operations. typedef enum arm_mem_barrier { ARM_MB_INVALID = 0, ARM_MB_RESERVED_0, ARM_MB_OSHLD, ARM_MB_OSHST, ARM_MB_OSH, ARM_MB_RESERVED_4, ARM_MB_NSHLD, ARM_MB_NSHST, ARM_MB_NSH, ARM_MB_RESERVED_8, ARM_MB_ISHLD, ARM_MB_ISHST, ARM_MB_ISH, ARM_MB_RESERVED_12, ARM_MB_LD, ARM_MB_ST, ARM_MB_SY, } arm_mem_barrier; //> Operand type for instruction's operands typedef enum arm_op_type { ARM_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). ARM_OP_REG, // = CS_OP_REG (Register operand). ARM_OP_IMM, // = CS_OP_IMM (Immediate operand). ARM_OP_MEM, // = CS_OP_MEM (Memory operand). ARM_OP_FP, // = CS_OP_FP (Floating-Point operand). ARM_OP_CIMM = 64, // C-Immediate (coprocessor registers) ARM_OP_PIMM, // P-Immediate (coprocessor registers) ARM_OP_SETEND, // operand for SETEND instruction ARM_OP_SYSREG, // MSR/MRS special register operand } arm_op_type; //> Operand type for SETEND instruction typedef enum arm_setend_type { ARM_SETEND_INVALID = 0, // Uninitialized. ARM_SETEND_BE, // BE operand. ARM_SETEND_LE, // LE operand } arm_setend_type; typedef enum arm_cpsmode_type { ARM_CPSMODE_INVALID = 0, ARM_CPSMODE_IE = 2, ARM_CPSMODE_ID = 3 } arm_cpsmode_type; //> Operand type for SETEND instruction typedef enum arm_cpsflag_type { ARM_CPSFLAG_INVALID = 0, ARM_CPSFLAG_F = 1, ARM_CPSFLAG_I = 2, ARM_CPSFLAG_A = 4, ARM_CPSFLAG_NONE = 16, // no flag } arm_cpsflag_type; //> Data type for elements of vector instructions. typedef enum arm_vectordata_type { ARM_VECTORDATA_INVALID = 0, // Integer type ARM_VECTORDATA_I8, ARM_VECTORDATA_I16, ARM_VECTORDATA_I32, ARM_VECTORDATA_I64, // Signed integer type ARM_VECTORDATA_S8, ARM_VECTORDATA_S16, ARM_VECTORDATA_S32, ARM_VECTORDATA_S64, // Unsigned integer type ARM_VECTORDATA_U8, ARM_VECTORDATA_U16, ARM_VECTORDATA_U32, ARM_VECTORDATA_U64, // Data type for VMUL/VMULL ARM_VECTORDATA_P8, // Floating type ARM_VECTORDATA_F32, ARM_VECTORDATA_F64, // Convert float <-> float ARM_VECTORDATA_F16F64, // f16.f64 ARM_VECTORDATA_F64F16, // f64.f16 ARM_VECTORDATA_F32F16, // f32.f16 ARM_VECTORDATA_F16F32, // f32.f16 ARM_VECTORDATA_F64F32, // f64.f32 ARM_VECTORDATA_F32F64, // f32.f64 // Convert integer <-> float ARM_VECTORDATA_S32F32, // s32.f32 ARM_VECTORDATA_U32F32, // u32.f32 ARM_VECTORDATA_F32S32, // f32.s32 ARM_VECTORDATA_F32U32, // f32.u32 ARM_VECTORDATA_F64S16, // f64.s16 ARM_VECTORDATA_F32S16, // f32.s16 ARM_VECTORDATA_F64S32, // f64.s32 ARM_VECTORDATA_S16F64, // s16.f64 ARM_VECTORDATA_S16F32, // s16.f64 ARM_VECTORDATA_S32F64, // s32.f64 ARM_VECTORDATA_U16F64, // u16.f64 ARM_VECTORDATA_U16F32, // u16.f32 ARM_VECTORDATA_U32F64, // u32.f64 ARM_VECTORDATA_F64U16, // f64.u16 ARM_VECTORDATA_F32U16, // f32.u16 ARM_VECTORDATA_F64U32, // f64.u32 } arm_vectordata_type; //> ARM registers typedef enum arm_reg { ARM_REG_INVALID = 0, ARM_REG_APSR, ARM_REG_APSR_NZCV, ARM_REG_CPSR, ARM_REG_FPEXC, ARM_REG_FPINST, ARM_REG_FPSCR, ARM_REG_FPSCR_NZCV, ARM_REG_FPSID, ARM_REG_ITSTATE, ARM_REG_LR, ARM_REG_PC, ARM_REG_SP, ARM_REG_SPSR, ARM_REG_D0, ARM_REG_D1, ARM_REG_D2, ARM_REG_D3, ARM_REG_D4, ARM_REG_D5, ARM_REG_D6, ARM_REG_D7, ARM_REG_D8, ARM_REG_D9, ARM_REG_D10, ARM_REG_D11, ARM_REG_D12, ARM_REG_D13, ARM_REG_D14, ARM_REG_D15, ARM_REG_D16, ARM_REG_D17, ARM_REG_D18, ARM_REG_D19, ARM_REG_D20, ARM_REG_D21, ARM_REG_D22, ARM_REG_D23, ARM_REG_D24, ARM_REG_D25, ARM_REG_D26, ARM_REG_D27, ARM_REG_D28, ARM_REG_D29, ARM_REG_D30, ARM_REG_D31, ARM_REG_FPINST2, ARM_REG_MVFR0, ARM_REG_MVFR1, ARM_REG_MVFR2, ARM_REG_Q0, ARM_REG_Q1, ARM_REG_Q2, ARM_REG_Q3, ARM_REG_Q4, ARM_REG_Q5, ARM_REG_Q6, ARM_REG_Q7, ARM_REG_Q8, ARM_REG_Q9, ARM_REG_Q10, ARM_REG_Q11, ARM_REG_Q12, ARM_REG_Q13, ARM_REG_Q14, ARM_REG_Q15, ARM_REG_R0, ARM_REG_R1, ARM_REG_R2, ARM_REG_R3, ARM_REG_R4, ARM_REG_R5, ARM_REG_R6, ARM_REG_R7, ARM_REG_R8, ARM_REG_R9, ARM_REG_R10, ARM_REG_R11, ARM_REG_R12, ARM_REG_S0, ARM_REG_S1, ARM_REG_S2, ARM_REG_S3, ARM_REG_S4, ARM_REG_S5, ARM_REG_S6, ARM_REG_S7, ARM_REG_S8, ARM_REG_S9, ARM_REG_S10, ARM_REG_S11, ARM_REG_S12, ARM_REG_S13, ARM_REG_S14, ARM_REG_S15, ARM_REG_S16, ARM_REG_S17, ARM_REG_S18, ARM_REG_S19, ARM_REG_S20, ARM_REG_S21, ARM_REG_S22, ARM_REG_S23, ARM_REG_S24, ARM_REG_S25, ARM_REG_S26, ARM_REG_S27, ARM_REG_S28, ARM_REG_S29, ARM_REG_S30, ARM_REG_S31, ARM_REG_ENDING, // <-- mark the end of the list or registers //> alias registers ARM_REG_R13 = ARM_REG_SP, ARM_REG_R14 = ARM_REG_LR, ARM_REG_R15 = ARM_REG_PC, ARM_REG_SB = ARM_REG_R9, ARM_REG_SL = ARM_REG_R10, ARM_REG_FP = ARM_REG_R11, ARM_REG_IP = ARM_REG_R12, } arm_reg; // Instruction's operand referring to memory // This is associated with ARM_OP_MEM operand type above typedef struct arm_op_mem { arm_reg base; // base register arm_reg index; // index register int scale; // scale for index register (can be 1, or -1) int disp; // displacement/offset value int lshift; // left-shift on index register, or 0 if irrelevant. } arm_op_mem; // Instruction operand typedef struct cs_arm_op { int vector_index; // Vector Index for some vector operands (or -1 if irrelevant) struct { arm_shifter type; unsigned int value; } shift; arm_op_type type; // operand type union { int reg; // register value for REG/SYSREG operand int32_t imm; // immediate value for C-IMM, P-IMM or IMM operand double fp; // floating point value for FP operand arm_op_mem mem; // base/index/scale/disp value for MEM operand arm_setend_type setend; // SETEND instruction's operand type }; // in some instructions, an operand can be subtracted or added to // the base register, bool subtracted; // if TRUE, this operand is subtracted. otherwise, it is added. // How is this operand accessed? (READ, WRITE or READ|WRITE) // This field is combined of cs_ac_type. // NOTE: this field is irrelevant if engine is compiled in DIET mode. uint8_t access; // Neon lane index for NEON instructions (or -1 if irrelevant) int8_t neon_lane; } cs_arm_op; // Instruction structure typedef struct cs_arm { bool usermode; // User-mode registers to be loaded (for LDM/STM instructions) int vector_size; // Scalar size for vector instructions arm_vectordata_type vector_data; // Data type for elements of vector instructions arm_cpsmode_type cps_mode; // CPS mode for CPS instruction arm_cpsflag_type cps_flag; // CPS mode for CPS instruction arm_cc cc; // conditional code for this insn bool update_flags; // does this insn update flags? bool writeback; // does this insn write-back? arm_mem_barrier mem_barrier; // Option for some memory barrier instructions // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_arm_op operands[36]; // operands for this instruction. } cs_arm; //> ARM instruction typedef enum arm_insn { ARM_INS_INVALID = 0, ARM_INS_ADC, ARM_INS_ADD, ARM_INS_ADR, ARM_INS_AESD, ARM_INS_AESE, ARM_INS_AESIMC, ARM_INS_AESMC, ARM_INS_AND, ARM_INS_BFC, ARM_INS_BFI, ARM_INS_BIC, ARM_INS_BKPT, ARM_INS_BL, ARM_INS_BLX, ARM_INS_BX, ARM_INS_BXJ, ARM_INS_B, ARM_INS_CDP, ARM_INS_CDP2, ARM_INS_CLREX, ARM_INS_CLZ, ARM_INS_CMN, ARM_INS_CMP, ARM_INS_CPS, ARM_INS_CRC32B, ARM_INS_CRC32CB, ARM_INS_CRC32CH, ARM_INS_CRC32CW, ARM_INS_CRC32H, ARM_INS_CRC32W, ARM_INS_DBG, ARM_INS_DMB, ARM_INS_DSB, ARM_INS_EOR, ARM_INS_ERET, ARM_INS_VMOV, ARM_INS_FLDMDBX, ARM_INS_FLDMIAX, ARM_INS_VMRS, ARM_INS_FSTMDBX, ARM_INS_FSTMIAX, ARM_INS_HINT, ARM_INS_HLT, ARM_INS_HVC, ARM_INS_ISB, ARM_INS_LDA, ARM_INS_LDAB, ARM_INS_LDAEX, ARM_INS_LDAEXB, ARM_INS_LDAEXD, ARM_INS_LDAEXH, ARM_INS_LDAH, ARM_INS_LDC2L, ARM_INS_LDC2, ARM_INS_LDCL, ARM_INS_LDC, ARM_INS_LDMDA, ARM_INS_LDMDB, ARM_INS_LDM, ARM_INS_LDMIB, ARM_INS_LDRBT, ARM_INS_LDRB, ARM_INS_LDRD, ARM_INS_LDREX, ARM_INS_LDREXB, ARM_INS_LDREXD, ARM_INS_LDREXH, ARM_INS_LDRH, ARM_INS_LDRHT, ARM_INS_LDRSB, ARM_INS_LDRSBT, ARM_INS_LDRSH, ARM_INS_LDRSHT, ARM_INS_LDRT, ARM_INS_LDR, ARM_INS_MCR, ARM_INS_MCR2, ARM_INS_MCRR, ARM_INS_MCRR2, ARM_INS_MLA, ARM_INS_MLS, ARM_INS_MOV, ARM_INS_MOVT, ARM_INS_MOVW, ARM_INS_MRC, ARM_INS_MRC2, ARM_INS_MRRC, ARM_INS_MRRC2, ARM_INS_MRS, ARM_INS_MSR, ARM_INS_MUL, ARM_INS_MVN, ARM_INS_ORR, ARM_INS_PKHBT, ARM_INS_PKHTB, ARM_INS_PLDW, ARM_INS_PLD, ARM_INS_PLI, ARM_INS_QADD, ARM_INS_QADD16, ARM_INS_QADD8, ARM_INS_QASX, ARM_INS_QDADD, ARM_INS_QDSUB, ARM_INS_QSAX, ARM_INS_QSUB, ARM_INS_QSUB16, ARM_INS_QSUB8, ARM_INS_RBIT, ARM_INS_REV, ARM_INS_REV16, ARM_INS_REVSH, ARM_INS_RFEDA, ARM_INS_RFEDB, ARM_INS_RFEIA, ARM_INS_RFEIB, ARM_INS_RSB, ARM_INS_RSC, ARM_INS_SADD16, ARM_INS_SADD8, ARM_INS_SASX, ARM_INS_SBC, ARM_INS_SBFX, ARM_INS_SDIV, ARM_INS_SEL, ARM_INS_SETEND, ARM_INS_SHA1C, ARM_INS_SHA1H, ARM_INS_SHA1M, ARM_INS_SHA1P, ARM_INS_SHA1SU0, ARM_INS_SHA1SU1, ARM_INS_SHA256H, ARM_INS_SHA256H2, ARM_INS_SHA256SU0, ARM_INS_SHA256SU1, ARM_INS_SHADD16, ARM_INS_SHADD8, ARM_INS_SHASX, ARM_INS_SHSAX, ARM_INS_SHSUB16, ARM_INS_SHSUB8, ARM_INS_SMC, ARM_INS_SMLABB, ARM_INS_SMLABT, ARM_INS_SMLAD, ARM_INS_SMLADX, ARM_INS_SMLAL, ARM_INS_SMLALBB, ARM_INS_SMLALBT, ARM_INS_SMLALD, ARM_INS_SMLALDX, ARM_INS_SMLALTB, ARM_INS_SMLALTT, ARM_INS_SMLATB, ARM_INS_SMLATT, ARM_INS_SMLAWB, ARM_INS_SMLAWT, ARM_INS_SMLSD, ARM_INS_SMLSDX, ARM_INS_SMLSLD, ARM_INS_SMLSLDX, ARM_INS_SMMLA, ARM_INS_SMMLAR, ARM_INS_SMMLS, ARM_INS_SMMLSR, ARM_INS_SMMUL, ARM_INS_SMMULR, ARM_INS_SMUAD, ARM_INS_SMUADX, ARM_INS_SMULBB, ARM_INS_SMULBT, ARM_INS_SMULL, ARM_INS_SMULTB, ARM_INS_SMULTT, ARM_INS_SMULWB, ARM_INS_SMULWT, ARM_INS_SMUSD, ARM_INS_SMUSDX, ARM_INS_SRSDA, ARM_INS_SRSDB, ARM_INS_SRSIA, ARM_INS_SRSIB, ARM_INS_SSAT, ARM_INS_SSAT16, ARM_INS_SSAX, ARM_INS_SSUB16, ARM_INS_SSUB8, ARM_INS_STC2L, ARM_INS_STC2, ARM_INS_STCL, ARM_INS_STC, ARM_INS_STL, ARM_INS_STLB, ARM_INS_STLEX, ARM_INS_STLEXB, ARM_INS_STLEXD, ARM_INS_STLEXH, ARM_INS_STLH, ARM_INS_STMDA, ARM_INS_STMDB, ARM_INS_STM, ARM_INS_STMIB, ARM_INS_STRBT, ARM_INS_STRB, ARM_INS_STRD, ARM_INS_STREX, ARM_INS_STREXB, ARM_INS_STREXD, ARM_INS_STREXH, ARM_INS_STRH, ARM_INS_STRHT, ARM_INS_STRT, ARM_INS_STR, ARM_INS_SUB, ARM_INS_SVC, ARM_INS_SWP, ARM_INS_SWPB, ARM_INS_SXTAB, ARM_INS_SXTAB16, ARM_INS_SXTAH, ARM_INS_SXTB, ARM_INS_SXTB16, ARM_INS_SXTH, ARM_INS_TEQ, ARM_INS_TRAP, ARM_INS_TST, ARM_INS_UADD16, ARM_INS_UADD8, ARM_INS_UASX, ARM_INS_UBFX, ARM_INS_UDF, ARM_INS_UDIV, ARM_INS_UHADD16, ARM_INS_UHADD8, ARM_INS_UHASX, ARM_INS_UHSAX, ARM_INS_UHSUB16, ARM_INS_UHSUB8, ARM_INS_UMAAL, ARM_INS_UMLAL, ARM_INS_UMULL, ARM_INS_UQADD16, ARM_INS_UQADD8, ARM_INS_UQASX, ARM_INS_UQSAX, ARM_INS_UQSUB16, ARM_INS_UQSUB8, ARM_INS_USAD8, ARM_INS_USADA8, ARM_INS_USAT, ARM_INS_USAT16, ARM_INS_USAX, ARM_INS_USUB16, ARM_INS_USUB8, ARM_INS_UXTAB, ARM_INS_UXTAB16, ARM_INS_UXTAH, ARM_INS_UXTB, ARM_INS_UXTB16, ARM_INS_UXTH, ARM_INS_VABAL, ARM_INS_VABA, ARM_INS_VABDL, ARM_INS_VABD, ARM_INS_VABS, ARM_INS_VACGE, ARM_INS_VACGT, ARM_INS_VADD, ARM_INS_VADDHN, ARM_INS_VADDL, ARM_INS_VADDW, ARM_INS_VAND, ARM_INS_VBIC, ARM_INS_VBIF, ARM_INS_VBIT, ARM_INS_VBSL, ARM_INS_VCEQ, ARM_INS_VCGE, ARM_INS_VCGT, ARM_INS_VCLE, ARM_INS_VCLS, ARM_INS_VCLT, ARM_INS_VCLZ, ARM_INS_VCMP, ARM_INS_VCMPE, ARM_INS_VCNT, ARM_INS_VCVTA, ARM_INS_VCVTB, ARM_INS_VCVT, ARM_INS_VCVTM, ARM_INS_VCVTN, ARM_INS_VCVTP, ARM_INS_VCVTT, ARM_INS_VDIV, ARM_INS_VDUP, ARM_INS_VEOR, ARM_INS_VEXT, ARM_INS_VFMA, ARM_INS_VFMS, ARM_INS_VFNMA, ARM_INS_VFNMS, ARM_INS_VHADD, ARM_INS_VHSUB, ARM_INS_VLD1, ARM_INS_VLD2, ARM_INS_VLD3, ARM_INS_VLD4, ARM_INS_VLDMDB, ARM_INS_VLDMIA, ARM_INS_VLDR, ARM_INS_VMAXNM, ARM_INS_VMAX, ARM_INS_VMINNM, ARM_INS_VMIN, ARM_INS_VMLA, ARM_INS_VMLAL, ARM_INS_VMLS, ARM_INS_VMLSL, ARM_INS_VMOVL, ARM_INS_VMOVN, ARM_INS_VMSR, ARM_INS_VMUL, ARM_INS_VMULL, ARM_INS_VMVN, ARM_INS_VNEG, ARM_INS_VNMLA, ARM_INS_VNMLS, ARM_INS_VNMUL, ARM_INS_VORN, ARM_INS_VORR, ARM_INS_VPADAL, ARM_INS_VPADDL, ARM_INS_VPADD, ARM_INS_VPMAX, ARM_INS_VPMIN, ARM_INS_VQABS, ARM_INS_VQADD, ARM_INS_VQDMLAL, ARM_INS_VQDMLSL, ARM_INS_VQDMULH, ARM_INS_VQDMULL, ARM_INS_VQMOVUN, ARM_INS_VQMOVN, ARM_INS_VQNEG, ARM_INS_VQRDMULH, ARM_INS_VQRSHL, ARM_INS_VQRSHRN, ARM_INS_VQRSHRUN, ARM_INS_VQSHL, ARM_INS_VQSHLU, ARM_INS_VQSHRN, ARM_INS_VQSHRUN, ARM_INS_VQSUB, ARM_INS_VRADDHN, ARM_INS_VRECPE, ARM_INS_VRECPS, ARM_INS_VREV16, ARM_INS_VREV32, ARM_INS_VREV64, ARM_INS_VRHADD, ARM_INS_VRINTA, ARM_INS_VRINTM, ARM_INS_VRINTN, ARM_INS_VRINTP, ARM_INS_VRINTR, ARM_INS_VRINTX, ARM_INS_VRINTZ, ARM_INS_VRSHL, ARM_INS_VRSHRN, ARM_INS_VRSHR, ARM_INS_VRSQRTE, ARM_INS_VRSQRTS, ARM_INS_VRSRA, ARM_INS_VRSUBHN, ARM_INS_VSELEQ, ARM_INS_VSELGE, ARM_INS_VSELGT, ARM_INS_VSELVS, ARM_INS_VSHLL, ARM_INS_VSHL, ARM_INS_VSHRN, ARM_INS_VSHR, ARM_INS_VSLI, ARM_INS_VSQRT, ARM_INS_VSRA, ARM_INS_VSRI, ARM_INS_VST1, ARM_INS_VST2, ARM_INS_VST3, ARM_INS_VST4, ARM_INS_VSTMDB, ARM_INS_VSTMIA, ARM_INS_VSTR, ARM_INS_VSUB, ARM_INS_VSUBHN, ARM_INS_VSUBL, ARM_INS_VSUBW, ARM_INS_VSWP, ARM_INS_VTBL, ARM_INS_VTBX, ARM_INS_VCVTR, ARM_INS_VTRN, ARM_INS_VTST, ARM_INS_VUZP, ARM_INS_VZIP, ARM_INS_ADDW, ARM_INS_ASR, ARM_INS_DCPS1, ARM_INS_DCPS2, ARM_INS_DCPS3, ARM_INS_IT, ARM_INS_LSL, ARM_INS_LSR, ARM_INS_ORN, ARM_INS_ROR, ARM_INS_RRX, ARM_INS_SUBW, ARM_INS_TBB, ARM_INS_TBH, ARM_INS_CBNZ, ARM_INS_CBZ, ARM_INS_POP, ARM_INS_PUSH, // special instructions ARM_INS_NOP, ARM_INS_YIELD, ARM_INS_WFE, ARM_INS_WFI, ARM_INS_SEV, ARM_INS_SEVL, ARM_INS_VPUSH, ARM_INS_VPOP, ARM_INS_ENDING, // <-- mark the end of the list of instructions } arm_insn; //> Group of ARM instructions typedef enum arm_insn_group { ARM_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) ARM_GRP_JUMP, // = CS_GRP_JUMP ARM_GRP_CALL, // = CS_GRP_CALL ARM_GRP_INT = 4, // = CS_GRP_INT ARM_GRP_PRIVILEGE = 6, // = CS_GRP_PRIVILEGE //> Architecture-specific groups ARM_GRP_CRYPTO = 128, ARM_GRP_DATABARRIER, ARM_GRP_DIVIDE, ARM_GRP_FPARMV8, ARM_GRP_MULTPRO, ARM_GRP_NEON, ARM_GRP_T2EXTRACTPACK, ARM_GRP_THUMB2DSP, ARM_GRP_TRUSTZONE, ARM_GRP_V4T, ARM_GRP_V5T, ARM_GRP_V5TE, ARM_GRP_V6, ARM_GRP_V6T2, ARM_GRP_V7, ARM_GRP_V8, ARM_GRP_VFP2, ARM_GRP_VFP3, ARM_GRP_VFP4, ARM_GRP_ARM, ARM_GRP_MCLASS, ARM_GRP_NOTMCLASS, ARM_GRP_THUMB, ARM_GRP_THUMB1ONLY, ARM_GRP_THUMB2, ARM_GRP_PREV8, ARM_GRP_FPVMLX, ARM_GRP_MULOPS, ARM_GRP_CRC, ARM_GRP_DPVFP, ARM_GRP_V6M, ARM_GRP_VIRTUALIZATION, ARM_GRP_ENDING, } arm_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/arm64.h ================================================ #ifndef CAPSTONE_ARM64_H #define CAPSTONE_ARM64_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> ARM64 shift type typedef enum arm64_shifter { ARM64_SFT_INVALID = 0, ARM64_SFT_LSL = 1, ARM64_SFT_MSL = 2, ARM64_SFT_LSR = 3, ARM64_SFT_ASR = 4, ARM64_SFT_ROR = 5, } arm64_shifter; //> ARM64 extender type typedef enum arm64_extender { ARM64_EXT_INVALID = 0, ARM64_EXT_UXTB = 1, ARM64_EXT_UXTH = 2, ARM64_EXT_UXTW = 3, ARM64_EXT_UXTX = 4, ARM64_EXT_SXTB = 5, ARM64_EXT_SXTH = 6, ARM64_EXT_SXTW = 7, ARM64_EXT_SXTX = 8, } arm64_extender; //> ARM64 condition code typedef enum arm64_cc { ARM64_CC_INVALID = 0, ARM64_CC_EQ = 1, // Equal ARM64_CC_NE = 2, // Not equal: Not equal, or unordered ARM64_CC_HS = 3, // Unsigned higher or same: >, ==, or unordered ARM64_CC_LO = 4, // Unsigned lower or same: Less than ARM64_CC_MI = 5, // Minus, negative: Less than ARM64_CC_PL = 6, // Plus, positive or zero: >, ==, or unordered ARM64_CC_VS = 7, // Overflow: Unordered ARM64_CC_VC = 8, // No overflow: Ordered ARM64_CC_HI = 9, // Unsigned higher: Greater than, or unordered ARM64_CC_LS = 10, // Unsigned lower or same: Less than or equal ARM64_CC_GE = 11, // Greater than or equal: Greater than or equal ARM64_CC_LT = 12, // Less than: Less than, or unordered ARM64_CC_GT = 13, // Signed greater than: Greater than ARM64_CC_LE = 14, // Signed less than or equal: <, ==, or unordered ARM64_CC_AL = 15, // Always (unconditional): Always (unconditional) ARM64_CC_NV = 16, // Always (unconditional): Always (unconditional) // Note the NV exists purely to disassemble 0b1111. Execution // is "always". } arm64_cc; //> System registers typedef enum arm64_sysreg { //> System registers for MRS ARM64_SYSREG_INVALID = 0, ARM64_SYSREG_MDCCSR_EL0 = 0x9808, // 10 011 0000 0001 000 ARM64_SYSREG_DBGDTRRX_EL0 = 0x9828, // 10 011 0000 0101 000 ARM64_SYSREG_MDRAR_EL1 = 0x8080, // 10 000 0001 0000 000 ARM64_SYSREG_OSLSR_EL1 = 0x808c, // 10 000 0001 0001 100 ARM64_SYSREG_DBGAUTHSTATUS_EL1 = 0x83f6, // 10 000 0111 1110 110 ARM64_SYSREG_PMCEID0_EL0 = 0xdce6, // 11 011 1001 1100 110 ARM64_SYSREG_PMCEID1_EL0 = 0xdce7, // 11 011 1001 1100 111 ARM64_SYSREG_MIDR_EL1 = 0xc000, // 11 000 0000 0000 000 ARM64_SYSREG_CCSIDR_EL1 = 0xc800, // 11 001 0000 0000 000 ARM64_SYSREG_CLIDR_EL1 = 0xc801, // 11 001 0000 0000 001 ARM64_SYSREG_CTR_EL0 = 0xd801, // 11 011 0000 0000 001 ARM64_SYSREG_MPIDR_EL1 = 0xc005, // 11 000 0000 0000 101 ARM64_SYSREG_REVIDR_EL1 = 0xc006, // 11 000 0000 0000 110 ARM64_SYSREG_AIDR_EL1 = 0xc807, // 11 001 0000 0000 111 ARM64_SYSREG_DCZID_EL0 = 0xd807, // 11 011 0000 0000 111 ARM64_SYSREG_ID_PFR0_EL1 = 0xc008, // 11 000 0000 0001 000 ARM64_SYSREG_ID_PFR1_EL1 = 0xc009, // 11 000 0000 0001 001 ARM64_SYSREG_ID_DFR0_EL1 = 0xc00a, // 11 000 0000 0001 010 ARM64_SYSREG_ID_AFR0_EL1 = 0xc00b, // 11 000 0000 0001 011 ARM64_SYSREG_ID_MMFR0_EL1 = 0xc00c, // 11 000 0000 0001 100 ARM64_SYSREG_ID_MMFR1_EL1 = 0xc00d, // 11 000 0000 0001 101 ARM64_SYSREG_ID_MMFR2_EL1 = 0xc00e, // 11 000 0000 0001 110 ARM64_SYSREG_ID_MMFR3_EL1 = 0xc00f, // 11 000 0000 0001 111 ARM64_SYSREG_ID_ISAR0_EL1 = 0xc010, // 11 000 0000 0010 000 ARM64_SYSREG_ID_ISAR1_EL1 = 0xc011, // 11 000 0000 0010 001 ARM64_SYSREG_ID_ISAR2_EL1 = 0xc012, // 11 000 0000 0010 010 ARM64_SYSREG_ID_ISAR3_EL1 = 0xc013, // 11 000 0000 0010 011 ARM64_SYSREG_ID_ISAR4_EL1 = 0xc014, // 11 000 0000 0010 100 ARM64_SYSREG_ID_ISAR5_EL1 = 0xc015, // 11 000 0000 0010 101 ARM64_SYSREG_ID_A64PFR0_EL1 = 0xc020, // 11 000 0000 0100 000 ARM64_SYSREG_ID_A64PFR1_EL1 = 0xc021, // 11 000 0000 0100 001 ARM64_SYSREG_ID_A64DFR0_EL1 = 0xc028, // 11 000 0000 0101 000 ARM64_SYSREG_ID_A64DFR1_EL1 = 0xc029, // 11 000 0000 0101 001 ARM64_SYSREG_ID_A64AFR0_EL1 = 0xc02c, // 11 000 0000 0101 100 ARM64_SYSREG_ID_A64AFR1_EL1 = 0xc02d, // 11 000 0000 0101 101 ARM64_SYSREG_ID_A64ISAR0_EL1 = 0xc030, // 11 000 0000 0110 000 ARM64_SYSREG_ID_A64ISAR1_EL1 = 0xc031, // 11 000 0000 0110 001 ARM64_SYSREG_ID_A64MMFR0_EL1 = 0xc038, // 11 000 0000 0111 000 ARM64_SYSREG_ID_A64MMFR1_EL1 = 0xc039, // 11 000 0000 0111 001 ARM64_SYSREG_MVFR0_EL1 = 0xc018, // 11 000 0000 0011 000 ARM64_SYSREG_MVFR1_EL1 = 0xc019, // 11 000 0000 0011 001 ARM64_SYSREG_MVFR2_EL1 = 0xc01a, // 11 000 0000 0011 010 ARM64_SYSREG_RVBAR_EL1 = 0xc601, // 11 000 1100 0000 001 ARM64_SYSREG_RVBAR_EL2 = 0xe601, // 11 100 1100 0000 001 ARM64_SYSREG_RVBAR_EL3 = 0xf601, // 11 110 1100 0000 001 ARM64_SYSREG_ISR_EL1 = 0xc608, // 11 000 1100 0001 000 ARM64_SYSREG_CNTPCT_EL0 = 0xdf01, // 11 011 1110 0000 001 ARM64_SYSREG_CNTVCT_EL0 = 0xdf02, // 11 011 1110 0000 010 // Trace registers ARM64_SYSREG_TRCSTATR = 0x8818, // 10 001 0000 0011 000 ARM64_SYSREG_TRCIDR8 = 0x8806, // 10 001 0000 0000 110 ARM64_SYSREG_TRCIDR9 = 0x880e, // 10 001 0000 0001 110 ARM64_SYSREG_TRCIDR10 = 0x8816, // 10 001 0000 0010 110 ARM64_SYSREG_TRCIDR11 = 0x881e, // 10 001 0000 0011 110 ARM64_SYSREG_TRCIDR12 = 0x8826, // 10 001 0000 0100 110 ARM64_SYSREG_TRCIDR13 = 0x882e, // 10 001 0000 0101 110 ARM64_SYSREG_TRCIDR0 = 0x8847, // 10 001 0000 1000 111 ARM64_SYSREG_TRCIDR1 = 0x884f, // 10 001 0000 1001 111 ARM64_SYSREG_TRCIDR2 = 0x8857, // 10 001 0000 1010 111 ARM64_SYSREG_TRCIDR3 = 0x885f, // 10 001 0000 1011 111 ARM64_SYSREG_TRCIDR4 = 0x8867, // 10 001 0000 1100 111 ARM64_SYSREG_TRCIDR5 = 0x886f, // 10 001 0000 1101 111 ARM64_SYSREG_TRCIDR6 = 0x8877, // 10 001 0000 1110 111 ARM64_SYSREG_TRCIDR7 = 0x887f, // 10 001 0000 1111 111 ARM64_SYSREG_TRCOSLSR = 0x888c, // 10 001 0001 0001 100 ARM64_SYSREG_TRCPDSR = 0x88ac, // 10 001 0001 0101 100 ARM64_SYSREG_TRCDEVAFF0 = 0x8bd6, // 10 001 0111 1010 110 ARM64_SYSREG_TRCDEVAFF1 = 0x8bde, // 10 001 0111 1011 110 ARM64_SYSREG_TRCLSR = 0x8bee, // 10 001 0111 1101 110 ARM64_SYSREG_TRCAUTHSTATUS = 0x8bf6, // 10 001 0111 1110 110 ARM64_SYSREG_TRCDEVARCH = 0x8bfe, // 10 001 0111 1111 110 ARM64_SYSREG_TRCDEVID = 0x8b97, // 10 001 0111 0010 111 ARM64_SYSREG_TRCDEVTYPE = 0x8b9f, // 10 001 0111 0011 111 ARM64_SYSREG_TRCPIDR4 = 0x8ba7, // 10 001 0111 0100 111 ARM64_SYSREG_TRCPIDR5 = 0x8baf, // 10 001 0111 0101 111 ARM64_SYSREG_TRCPIDR6 = 0x8bb7, // 10 001 0111 0110 111 ARM64_SYSREG_TRCPIDR7 = 0x8bbf, // 10 001 0111 0111 111 ARM64_SYSREG_TRCPIDR0 = 0x8bc7, // 10 001 0111 1000 111 ARM64_SYSREG_TRCPIDR1 = 0x8bcf, // 10 001 0111 1001 111 ARM64_SYSREG_TRCPIDR2 = 0x8bd7, // 10 001 0111 1010 111 ARM64_SYSREG_TRCPIDR3 = 0x8bdf, // 10 001 0111 1011 111 ARM64_SYSREG_TRCCIDR0 = 0x8be7, // 10 001 0111 1100 111 ARM64_SYSREG_TRCCIDR1 = 0x8bef, // 10 001 0111 1101 111 ARM64_SYSREG_TRCCIDR2 = 0x8bf7, // 10 001 0111 1110 111 ARM64_SYSREG_TRCCIDR3 = 0x8bff, // 10 001 0111 1111 111 // GICv3 registers ARM64_SYSREG_ICC_IAR1_EL1 = 0xc660, // 11 000 1100 1100 000 ARM64_SYSREG_ICC_IAR0_EL1 = 0xc640, // 11 000 1100 1000 000 ARM64_SYSREG_ICC_HPPIR1_EL1 = 0xc662, // 11 000 1100 1100 010 ARM64_SYSREG_ICC_HPPIR0_EL1 = 0xc642, // 11 000 1100 1000 010 ARM64_SYSREG_ICC_RPR_EL1 = 0xc65b, // 11 000 1100 1011 011 ARM64_SYSREG_ICH_VTR_EL2 = 0xe659, // 11 100 1100 1011 001 ARM64_SYSREG_ICH_EISR_EL2 = 0xe65b, // 11 100 1100 1011 011 ARM64_SYSREG_ICH_ELSR_EL2 = 0xe65d, // 11 100 1100 1011 101 } arm64_sysreg; typedef enum arm64_msr_reg { //> System registers for MSR ARM64_SYSREG_DBGDTRTX_EL0 = 0x9828, // 10 011 0000 0101 000 ARM64_SYSREG_OSLAR_EL1 = 0x8084, // 10 000 0001 0000 100 ARM64_SYSREG_PMSWINC_EL0 = 0xdce4, // 11 011 1001 1100 100 // Trace Registers ARM64_SYSREG_TRCOSLAR = 0x8884, // 10 001 0001 0000 100 ARM64_SYSREG_TRCLAR = 0x8be6, // 10 001 0111 1100 110 // GICv3 registers ARM64_SYSREG_ICC_EOIR1_EL1 = 0xc661, // 11 000 1100 1100 001 ARM64_SYSREG_ICC_EOIR0_EL1 = 0xc641, // 11 000 1100 1000 001 ARM64_SYSREG_ICC_DIR_EL1 = 0xc659, // 11 000 1100 1011 001 ARM64_SYSREG_ICC_SGI1R_EL1 = 0xc65d, // 11 000 1100 1011 101 ARM64_SYSREG_ICC_ASGI1R_EL1 = 0xc65e, // 11 000 1100 1011 110 ARM64_SYSREG_ICC_SGI0R_EL1 = 0xc65f, // 11 000 1100 1011 111 } arm64_msr_reg; //> System PState Field (MSR instruction) typedef enum arm64_pstate { ARM64_PSTATE_INVALID = 0, ARM64_PSTATE_SPSEL = 0x05, ARM64_PSTATE_DAIFSET = 0x1e, ARM64_PSTATE_DAIFCLR = 0x1f } arm64_pstate; //> Vector arrangement specifier (for FloatingPoint/Advanced SIMD insn) typedef enum arm64_vas { ARM64_VAS_INVALID = 0, ARM64_VAS_8B, ARM64_VAS_16B, ARM64_VAS_4H, ARM64_VAS_8H, ARM64_VAS_2S, ARM64_VAS_4S, ARM64_VAS_1D, ARM64_VAS_2D, ARM64_VAS_1Q, } arm64_vas; //> Vector element size specifier typedef enum arm64_vess { ARM64_VESS_INVALID = 0, ARM64_VESS_B, ARM64_VESS_H, ARM64_VESS_S, ARM64_VESS_D, } arm64_vess; //> Memory barrier operands typedef enum arm64_barrier_op { ARM64_BARRIER_INVALID = 0, ARM64_BARRIER_OSHLD = 0x1, ARM64_BARRIER_OSHST = 0x2, ARM64_BARRIER_OSH = 0x3, ARM64_BARRIER_NSHLD = 0x5, ARM64_BARRIER_NSHST = 0x6, ARM64_BARRIER_NSH = 0x7, ARM64_BARRIER_ISHLD = 0x9, ARM64_BARRIER_ISHST = 0xa, ARM64_BARRIER_ISH = 0xb, ARM64_BARRIER_LD = 0xd, ARM64_BARRIER_ST = 0xe, ARM64_BARRIER_SY = 0xf } arm64_barrier_op; //> Operand type for instruction's operands typedef enum arm64_op_type { ARM64_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). ARM64_OP_REG, // = CS_OP_REG (Register operand). ARM64_OP_IMM, // = CS_OP_IMM (Immediate operand). ARM64_OP_MEM, // = CS_OP_MEM (Memory operand). ARM64_OP_FP, // = CS_OP_FP (Floating-Point operand). ARM64_OP_CIMM = 64, // C-Immediate ARM64_OP_REG_MRS, // MRS register operand. ARM64_OP_REG_MSR, // MSR register operand. ARM64_OP_PSTATE, // PState operand. ARM64_OP_SYS, // SYS operand for IC/DC/AT/TLBI instructions. ARM64_OP_PREFETCH, // Prefetch operand (PRFM). ARM64_OP_BARRIER, // Memory barrier operand (ISB/DMB/DSB instructions). } arm64_op_type; //> TLBI operations typedef enum arm64_tlbi_op { ARM64_TLBI_INVALID = 0, ARM64_TLBI_VMALLE1IS, ARM64_TLBI_VAE1IS, ARM64_TLBI_ASIDE1IS, ARM64_TLBI_VAAE1IS, ARM64_TLBI_VALE1IS, ARM64_TLBI_VAALE1IS, ARM64_TLBI_ALLE2IS, ARM64_TLBI_VAE2IS, ARM64_TLBI_ALLE1IS, ARM64_TLBI_VALE2IS, ARM64_TLBI_VMALLS12E1IS, ARM64_TLBI_ALLE3IS, ARM64_TLBI_VAE3IS, ARM64_TLBI_VALE3IS, ARM64_TLBI_IPAS2E1IS, ARM64_TLBI_IPAS2LE1IS, ARM64_TLBI_IPAS2E1, ARM64_TLBI_IPAS2LE1, ARM64_TLBI_VMALLE1, ARM64_TLBI_VAE1, ARM64_TLBI_ASIDE1, ARM64_TLBI_VAAE1, ARM64_TLBI_VALE1, ARM64_TLBI_VAALE1, ARM64_TLBI_ALLE2, ARM64_TLBI_VAE2, ARM64_TLBI_ALLE1, ARM64_TLBI_VALE2, ARM64_TLBI_VMALLS12E1, ARM64_TLBI_ALLE3, ARM64_TLBI_VAE3, ARM64_TLBI_VALE3, } arm64_tlbi_op; //> AT operations typedef enum arm64_at_op { ARM64_AT_S1E1R, ARM64_AT_S1E1W, ARM64_AT_S1E0R, ARM64_AT_S1E0W, ARM64_AT_S1E2R, ARM64_AT_S1E2W, ARM64_AT_S12E1R, ARM64_AT_S12E1W, ARM64_AT_S12E0R, ARM64_AT_S12E0W, ARM64_AT_S1E3R, ARM64_AT_S1E3W, } arm64_at_op; //> DC operations typedef enum arm64_dc_op { ARM64_DC_INVALID = 0, ARM64_DC_ZVA, ARM64_DC_IVAC, ARM64_DC_ISW, ARM64_DC_CVAC, ARM64_DC_CSW, ARM64_DC_CVAU, ARM64_DC_CIVAC, ARM64_DC_CISW, } arm64_dc_op; //> IC operations typedef enum arm64_ic_op { ARM64_IC_INVALID = 0, ARM64_IC_IALLUIS, ARM64_IC_IALLU, ARM64_IC_IVAU, } arm64_ic_op; //> Prefetch operations (PRFM) typedef enum arm64_prefetch_op { ARM64_PRFM_INVALID = 0, ARM64_PRFM_PLDL1KEEP = 0x00 + 1, ARM64_PRFM_PLDL1STRM = 0x01 + 1, ARM64_PRFM_PLDL2KEEP = 0x02 + 1, ARM64_PRFM_PLDL2STRM = 0x03 + 1, ARM64_PRFM_PLDL3KEEP = 0x04 + 1, ARM64_PRFM_PLDL3STRM = 0x05 + 1, ARM64_PRFM_PLIL1KEEP = 0x08 + 1, ARM64_PRFM_PLIL1STRM = 0x09 + 1, ARM64_PRFM_PLIL2KEEP = 0x0a + 1, ARM64_PRFM_PLIL2STRM = 0x0b + 1, ARM64_PRFM_PLIL3KEEP = 0x0c + 1, ARM64_PRFM_PLIL3STRM = 0x0d + 1, ARM64_PRFM_PSTL1KEEP = 0x10 + 1, ARM64_PRFM_PSTL1STRM = 0x11 + 1, ARM64_PRFM_PSTL2KEEP = 0x12 + 1, ARM64_PRFM_PSTL2STRM = 0x13 + 1, ARM64_PRFM_PSTL3KEEP = 0x14 + 1, ARM64_PRFM_PSTL3STRM = 0x15 + 1, } arm64_prefetch_op; //> ARM64 registers typedef enum arm64_reg { ARM64_REG_INVALID = 0, ARM64_REG_X29, ARM64_REG_X30, ARM64_REG_NZCV, ARM64_REG_SP, ARM64_REG_WSP, ARM64_REG_WZR, ARM64_REG_XZR, ARM64_REG_B0, ARM64_REG_B1, ARM64_REG_B2, ARM64_REG_B3, ARM64_REG_B4, ARM64_REG_B5, ARM64_REG_B6, ARM64_REG_B7, ARM64_REG_B8, ARM64_REG_B9, ARM64_REG_B10, ARM64_REG_B11, ARM64_REG_B12, ARM64_REG_B13, ARM64_REG_B14, ARM64_REG_B15, ARM64_REG_B16, ARM64_REG_B17, ARM64_REG_B18, ARM64_REG_B19, ARM64_REG_B20, ARM64_REG_B21, ARM64_REG_B22, ARM64_REG_B23, ARM64_REG_B24, ARM64_REG_B25, ARM64_REG_B26, ARM64_REG_B27, ARM64_REG_B28, ARM64_REG_B29, ARM64_REG_B30, ARM64_REG_B31, ARM64_REG_D0, ARM64_REG_D1, ARM64_REG_D2, ARM64_REG_D3, ARM64_REG_D4, ARM64_REG_D5, ARM64_REG_D6, ARM64_REG_D7, ARM64_REG_D8, ARM64_REG_D9, ARM64_REG_D10, ARM64_REG_D11, ARM64_REG_D12, ARM64_REG_D13, ARM64_REG_D14, ARM64_REG_D15, ARM64_REG_D16, ARM64_REG_D17, ARM64_REG_D18, ARM64_REG_D19, ARM64_REG_D20, ARM64_REG_D21, ARM64_REG_D22, ARM64_REG_D23, ARM64_REG_D24, ARM64_REG_D25, ARM64_REG_D26, ARM64_REG_D27, ARM64_REG_D28, ARM64_REG_D29, ARM64_REG_D30, ARM64_REG_D31, ARM64_REG_H0, ARM64_REG_H1, ARM64_REG_H2, ARM64_REG_H3, ARM64_REG_H4, ARM64_REG_H5, ARM64_REG_H6, ARM64_REG_H7, ARM64_REG_H8, ARM64_REG_H9, ARM64_REG_H10, ARM64_REG_H11, ARM64_REG_H12, ARM64_REG_H13, ARM64_REG_H14, ARM64_REG_H15, ARM64_REG_H16, ARM64_REG_H17, ARM64_REG_H18, ARM64_REG_H19, ARM64_REG_H20, ARM64_REG_H21, ARM64_REG_H22, ARM64_REG_H23, ARM64_REG_H24, ARM64_REG_H25, ARM64_REG_H26, ARM64_REG_H27, ARM64_REG_H28, ARM64_REG_H29, ARM64_REG_H30, ARM64_REG_H31, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_Q8, ARM64_REG_Q9, ARM64_REG_Q10, ARM64_REG_Q11, ARM64_REG_Q12, ARM64_REG_Q13, ARM64_REG_Q14, ARM64_REG_Q15, ARM64_REG_Q16, ARM64_REG_Q17, ARM64_REG_Q18, ARM64_REG_Q19, ARM64_REG_Q20, ARM64_REG_Q21, ARM64_REG_Q22, ARM64_REG_Q23, ARM64_REG_Q24, ARM64_REG_Q25, ARM64_REG_Q26, ARM64_REG_Q27, ARM64_REG_Q28, ARM64_REG_Q29, ARM64_REG_Q30, ARM64_REG_Q31, ARM64_REG_S0, ARM64_REG_S1, ARM64_REG_S2, ARM64_REG_S3, ARM64_REG_S4, ARM64_REG_S5, ARM64_REG_S6, ARM64_REG_S7, ARM64_REG_S8, ARM64_REG_S9, ARM64_REG_S10, ARM64_REG_S11, ARM64_REG_S12, ARM64_REG_S13, ARM64_REG_S14, ARM64_REG_S15, ARM64_REG_S16, ARM64_REG_S17, ARM64_REG_S18, ARM64_REG_S19, ARM64_REG_S20, ARM64_REG_S21, ARM64_REG_S22, ARM64_REG_S23, ARM64_REG_S24, ARM64_REG_S25, ARM64_REG_S26, ARM64_REG_S27, ARM64_REG_S28, ARM64_REG_S29, ARM64_REG_S30, ARM64_REG_S31, ARM64_REG_W0, ARM64_REG_W1, ARM64_REG_W2, ARM64_REG_W3, ARM64_REG_W4, ARM64_REG_W5, ARM64_REG_W6, ARM64_REG_W7, ARM64_REG_W8, ARM64_REG_W9, ARM64_REG_W10, ARM64_REG_W11, ARM64_REG_W12, ARM64_REG_W13, ARM64_REG_W14, ARM64_REG_W15, ARM64_REG_W16, ARM64_REG_W17, ARM64_REG_W18, ARM64_REG_W19, ARM64_REG_W20, ARM64_REG_W21, ARM64_REG_W22, ARM64_REG_W23, ARM64_REG_W24, ARM64_REG_W25, ARM64_REG_W26, ARM64_REG_W27, ARM64_REG_W28, ARM64_REG_W29, ARM64_REG_W30, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X4, ARM64_REG_X5, ARM64_REG_X6, ARM64_REG_X7, ARM64_REG_X8, ARM64_REG_X9, ARM64_REG_X10, ARM64_REG_X11, ARM64_REG_X12, ARM64_REG_X13, ARM64_REG_X14, ARM64_REG_X15, ARM64_REG_X16, ARM64_REG_X17, ARM64_REG_X18, ARM64_REG_X19, ARM64_REG_X20, ARM64_REG_X21, ARM64_REG_X22, ARM64_REG_X23, ARM64_REG_X24, ARM64_REG_X25, ARM64_REG_X26, ARM64_REG_X27, ARM64_REG_X28, ARM64_REG_V0, ARM64_REG_V1, ARM64_REG_V2, ARM64_REG_V3, ARM64_REG_V4, ARM64_REG_V5, ARM64_REG_V6, ARM64_REG_V7, ARM64_REG_V8, ARM64_REG_V9, ARM64_REG_V10, ARM64_REG_V11, ARM64_REG_V12, ARM64_REG_V13, ARM64_REG_V14, ARM64_REG_V15, ARM64_REG_V16, ARM64_REG_V17, ARM64_REG_V18, ARM64_REG_V19, ARM64_REG_V20, ARM64_REG_V21, ARM64_REG_V22, ARM64_REG_V23, ARM64_REG_V24, ARM64_REG_V25, ARM64_REG_V26, ARM64_REG_V27, ARM64_REG_V28, ARM64_REG_V29, ARM64_REG_V30, ARM64_REG_V31, ARM64_REG_ENDING, // <-- mark the end of the list of registers //> alias registers ARM64_REG_IP1 = ARM64_REG_X16, ARM64_REG_IP0 = ARM64_REG_X17, ARM64_REG_FP = ARM64_REG_X29, ARM64_REG_LR = ARM64_REG_X30, } arm64_reg; // Instruction's operand referring to memory // This is associated with ARM64_OP_MEM operand type above typedef struct arm64_op_mem { arm64_reg base; // base register arm64_reg index; // index register int32_t disp; // displacement/offset value } arm64_op_mem; // Instruction operand typedef struct cs_arm64_op { int vector_index; // Vector Index for some vector operands (or -1 if irrelevant) arm64_vas vas; // Vector Arrangement Specifier arm64_vess vess; // Vector Element Size Specifier struct { arm64_shifter type; // shifter type of this operand unsigned int value; // shifter value of this operand } shift; arm64_extender ext; // extender type of this operand arm64_op_type type; // operand type union { arm64_reg reg; // register value for REG operand int64_t imm; // immediate value, or index for C-IMM or IMM operand double fp; // floating point value for FP operand arm64_op_mem mem; // base/index/scale/disp value for MEM operand arm64_pstate pstate; // PState field of MSR instruction. unsigned int sys; // IC/DC/AT/TLBI operation (see arm64_ic_op, arm64_dc_op, arm64_at_op, arm64_tlbi_op) arm64_prefetch_op prefetch; // PRFM operation. arm64_barrier_op barrier; // Memory barrier operation (ISB/DMB/DSB instructions). }; // How is this operand accessed? (READ, WRITE or READ|WRITE) // This field is combined of cs_ac_type. // NOTE: this field is irrelevant if engine is compiled in DIET mode. uint8_t access; } cs_arm64_op; // Instruction structure typedef struct cs_arm64 { arm64_cc cc; // conditional code for this insn bool update_flags; // does this insn update flags? bool writeback; // does this insn request writeback? 'True' means 'yes' // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_arm64_op operands[8]; // operands for this instruction. } cs_arm64; //> ARM64 instruction typedef enum arm64_insn { ARM64_INS_INVALID = 0, ARM64_INS_ABS, ARM64_INS_ADC, ARM64_INS_ADDHN, ARM64_INS_ADDHN2, ARM64_INS_ADDP, ARM64_INS_ADD, ARM64_INS_ADDV, ARM64_INS_ADR, ARM64_INS_ADRP, ARM64_INS_AESD, ARM64_INS_AESE, ARM64_INS_AESIMC, ARM64_INS_AESMC, ARM64_INS_AND, ARM64_INS_ASR, ARM64_INS_B, ARM64_INS_BFM, ARM64_INS_BIC, ARM64_INS_BIF, ARM64_INS_BIT, ARM64_INS_BL, ARM64_INS_BLR, ARM64_INS_BR, ARM64_INS_BRK, ARM64_INS_BSL, ARM64_INS_CBNZ, ARM64_INS_CBZ, ARM64_INS_CCMN, ARM64_INS_CCMP, ARM64_INS_CLREX, ARM64_INS_CLS, ARM64_INS_CLZ, ARM64_INS_CMEQ, ARM64_INS_CMGE, ARM64_INS_CMGT, ARM64_INS_CMHI, ARM64_INS_CMHS, ARM64_INS_CMLE, ARM64_INS_CMLT, ARM64_INS_CMTST, ARM64_INS_CNT, ARM64_INS_MOV, ARM64_INS_CRC32B, ARM64_INS_CRC32CB, ARM64_INS_CRC32CH, ARM64_INS_CRC32CW, ARM64_INS_CRC32CX, ARM64_INS_CRC32H, ARM64_INS_CRC32W, ARM64_INS_CRC32X, ARM64_INS_CSEL, ARM64_INS_CSINC, ARM64_INS_CSINV, ARM64_INS_CSNEG, ARM64_INS_DCPS1, ARM64_INS_DCPS2, ARM64_INS_DCPS3, ARM64_INS_DMB, ARM64_INS_DRPS, ARM64_INS_DSB, ARM64_INS_DUP, ARM64_INS_EON, ARM64_INS_EOR, ARM64_INS_ERET, ARM64_INS_EXTR, ARM64_INS_EXT, ARM64_INS_FABD, ARM64_INS_FABS, ARM64_INS_FACGE, ARM64_INS_FACGT, ARM64_INS_FADD, ARM64_INS_FADDP, ARM64_INS_FCCMP, ARM64_INS_FCCMPE, ARM64_INS_FCMEQ, ARM64_INS_FCMGE, ARM64_INS_FCMGT, ARM64_INS_FCMLE, ARM64_INS_FCMLT, ARM64_INS_FCMP, ARM64_INS_FCMPE, ARM64_INS_FCSEL, ARM64_INS_FCVTAS, ARM64_INS_FCVTAU, ARM64_INS_FCVT, ARM64_INS_FCVTL, ARM64_INS_FCVTL2, ARM64_INS_FCVTMS, ARM64_INS_FCVTMU, ARM64_INS_FCVTNS, ARM64_INS_FCVTNU, ARM64_INS_FCVTN, ARM64_INS_FCVTN2, ARM64_INS_FCVTPS, ARM64_INS_FCVTPU, ARM64_INS_FCVTXN, ARM64_INS_FCVTXN2, ARM64_INS_FCVTZS, ARM64_INS_FCVTZU, ARM64_INS_FDIV, ARM64_INS_FMADD, ARM64_INS_FMAX, ARM64_INS_FMAXNM, ARM64_INS_FMAXNMP, ARM64_INS_FMAXNMV, ARM64_INS_FMAXP, ARM64_INS_FMAXV, ARM64_INS_FMIN, ARM64_INS_FMINNM, ARM64_INS_FMINNMP, ARM64_INS_FMINNMV, ARM64_INS_FMINP, ARM64_INS_FMINV, ARM64_INS_FMLA, ARM64_INS_FMLS, ARM64_INS_FMOV, ARM64_INS_FMSUB, ARM64_INS_FMUL, ARM64_INS_FMULX, ARM64_INS_FNEG, ARM64_INS_FNMADD, ARM64_INS_FNMSUB, ARM64_INS_FNMUL, ARM64_INS_FRECPE, ARM64_INS_FRECPS, ARM64_INS_FRECPX, ARM64_INS_FRINTA, ARM64_INS_FRINTI, ARM64_INS_FRINTM, ARM64_INS_FRINTN, ARM64_INS_FRINTP, ARM64_INS_FRINTX, ARM64_INS_FRINTZ, ARM64_INS_FRSQRTE, ARM64_INS_FRSQRTS, ARM64_INS_FSQRT, ARM64_INS_FSUB, ARM64_INS_HINT, ARM64_INS_HLT, ARM64_INS_HVC, ARM64_INS_INS, ARM64_INS_ISB, ARM64_INS_LD1, ARM64_INS_LD1R, ARM64_INS_LD2R, ARM64_INS_LD2, ARM64_INS_LD3R, ARM64_INS_LD3, ARM64_INS_LD4, ARM64_INS_LD4R, ARM64_INS_LDARB, ARM64_INS_LDARH, ARM64_INS_LDAR, ARM64_INS_LDAXP, ARM64_INS_LDAXRB, ARM64_INS_LDAXRH, ARM64_INS_LDAXR, ARM64_INS_LDNP, ARM64_INS_LDP, ARM64_INS_LDPSW, ARM64_INS_LDRB, ARM64_INS_LDR, ARM64_INS_LDRH, ARM64_INS_LDRSB, ARM64_INS_LDRSH, ARM64_INS_LDRSW, ARM64_INS_LDTRB, ARM64_INS_LDTRH, ARM64_INS_LDTRSB, ARM64_INS_LDTRSH, ARM64_INS_LDTRSW, ARM64_INS_LDTR, ARM64_INS_LDURB, ARM64_INS_LDUR, ARM64_INS_LDURH, ARM64_INS_LDURSB, ARM64_INS_LDURSH, ARM64_INS_LDURSW, ARM64_INS_LDXP, ARM64_INS_LDXRB, ARM64_INS_LDXRH, ARM64_INS_LDXR, ARM64_INS_LSL, ARM64_INS_LSR, ARM64_INS_MADD, ARM64_INS_MLA, ARM64_INS_MLS, ARM64_INS_MOVI, ARM64_INS_MOVK, ARM64_INS_MOVN, ARM64_INS_MOVZ, ARM64_INS_MRS, ARM64_INS_MSR, ARM64_INS_MSUB, ARM64_INS_MUL, ARM64_INS_MVNI, ARM64_INS_NEG, ARM64_INS_NOT, ARM64_INS_ORN, ARM64_INS_ORR, ARM64_INS_PMULL2, ARM64_INS_PMULL, ARM64_INS_PMUL, ARM64_INS_PRFM, ARM64_INS_PRFUM, ARM64_INS_RADDHN, ARM64_INS_RADDHN2, ARM64_INS_RBIT, ARM64_INS_RET, ARM64_INS_REV16, ARM64_INS_REV32, ARM64_INS_REV64, ARM64_INS_REV, ARM64_INS_ROR, ARM64_INS_RSHRN2, ARM64_INS_RSHRN, ARM64_INS_RSUBHN, ARM64_INS_RSUBHN2, ARM64_INS_SABAL2, ARM64_INS_SABAL, ARM64_INS_SABA, ARM64_INS_SABDL2, ARM64_INS_SABDL, ARM64_INS_SABD, ARM64_INS_SADALP, ARM64_INS_SADDLP, ARM64_INS_SADDLV, ARM64_INS_SADDL2, ARM64_INS_SADDL, ARM64_INS_SADDW2, ARM64_INS_SADDW, ARM64_INS_SBC, ARM64_INS_SBFM, ARM64_INS_SCVTF, ARM64_INS_SDIV, ARM64_INS_SHA1C, ARM64_INS_SHA1H, ARM64_INS_SHA1M, ARM64_INS_SHA1P, ARM64_INS_SHA1SU0, ARM64_INS_SHA1SU1, ARM64_INS_SHA256H2, ARM64_INS_SHA256H, ARM64_INS_SHA256SU0, ARM64_INS_SHA256SU1, ARM64_INS_SHADD, ARM64_INS_SHLL2, ARM64_INS_SHLL, ARM64_INS_SHL, ARM64_INS_SHRN2, ARM64_INS_SHRN, ARM64_INS_SHSUB, ARM64_INS_SLI, ARM64_INS_SMADDL, ARM64_INS_SMAXP, ARM64_INS_SMAXV, ARM64_INS_SMAX, ARM64_INS_SMC, ARM64_INS_SMINP, ARM64_INS_SMINV, ARM64_INS_SMIN, ARM64_INS_SMLAL2, ARM64_INS_SMLAL, ARM64_INS_SMLSL2, ARM64_INS_SMLSL, ARM64_INS_SMOV, ARM64_INS_SMSUBL, ARM64_INS_SMULH, ARM64_INS_SMULL2, ARM64_INS_SMULL, ARM64_INS_SQABS, ARM64_INS_SQADD, ARM64_INS_SQDMLAL, ARM64_INS_SQDMLAL2, ARM64_INS_SQDMLSL, ARM64_INS_SQDMLSL2, ARM64_INS_SQDMULH, ARM64_INS_SQDMULL, ARM64_INS_SQDMULL2, ARM64_INS_SQNEG, ARM64_INS_SQRDMULH, ARM64_INS_SQRSHL, ARM64_INS_SQRSHRN, ARM64_INS_SQRSHRN2, ARM64_INS_SQRSHRUN, ARM64_INS_SQRSHRUN2, ARM64_INS_SQSHLU, ARM64_INS_SQSHL, ARM64_INS_SQSHRN, ARM64_INS_SQSHRN2, ARM64_INS_SQSHRUN, ARM64_INS_SQSHRUN2, ARM64_INS_SQSUB, ARM64_INS_SQXTN2, ARM64_INS_SQXTN, ARM64_INS_SQXTUN2, ARM64_INS_SQXTUN, ARM64_INS_SRHADD, ARM64_INS_SRI, ARM64_INS_SRSHL, ARM64_INS_SRSHR, ARM64_INS_SRSRA, ARM64_INS_SSHLL2, ARM64_INS_SSHLL, ARM64_INS_SSHL, ARM64_INS_SSHR, ARM64_INS_SSRA, ARM64_INS_SSUBL2, ARM64_INS_SSUBL, ARM64_INS_SSUBW2, ARM64_INS_SSUBW, ARM64_INS_ST1, ARM64_INS_ST2, ARM64_INS_ST3, ARM64_INS_ST4, ARM64_INS_STLRB, ARM64_INS_STLRH, ARM64_INS_STLR, ARM64_INS_STLXP, ARM64_INS_STLXRB, ARM64_INS_STLXRH, ARM64_INS_STLXR, ARM64_INS_STNP, ARM64_INS_STP, ARM64_INS_STRB, ARM64_INS_STR, ARM64_INS_STRH, ARM64_INS_STTRB, ARM64_INS_STTRH, ARM64_INS_STTR, ARM64_INS_STURB, ARM64_INS_STUR, ARM64_INS_STURH, ARM64_INS_STXP, ARM64_INS_STXRB, ARM64_INS_STXRH, ARM64_INS_STXR, ARM64_INS_SUBHN, ARM64_INS_SUBHN2, ARM64_INS_SUB, ARM64_INS_SUQADD, ARM64_INS_SVC, ARM64_INS_SYSL, ARM64_INS_SYS, ARM64_INS_TBL, ARM64_INS_TBNZ, ARM64_INS_TBX, ARM64_INS_TBZ, ARM64_INS_TRN1, ARM64_INS_TRN2, ARM64_INS_UABAL2, ARM64_INS_UABAL, ARM64_INS_UABA, ARM64_INS_UABDL2, ARM64_INS_UABDL, ARM64_INS_UABD, ARM64_INS_UADALP, ARM64_INS_UADDLP, ARM64_INS_UADDLV, ARM64_INS_UADDL2, ARM64_INS_UADDL, ARM64_INS_UADDW2, ARM64_INS_UADDW, ARM64_INS_UBFM, ARM64_INS_UCVTF, ARM64_INS_UDIV, ARM64_INS_UHADD, ARM64_INS_UHSUB, ARM64_INS_UMADDL, ARM64_INS_UMAXP, ARM64_INS_UMAXV, ARM64_INS_UMAX, ARM64_INS_UMINP, ARM64_INS_UMINV, ARM64_INS_UMIN, ARM64_INS_UMLAL2, ARM64_INS_UMLAL, ARM64_INS_UMLSL2, ARM64_INS_UMLSL, ARM64_INS_UMOV, ARM64_INS_UMSUBL, ARM64_INS_UMULH, ARM64_INS_UMULL2, ARM64_INS_UMULL, ARM64_INS_UQADD, ARM64_INS_UQRSHL, ARM64_INS_UQRSHRN, ARM64_INS_UQRSHRN2, ARM64_INS_UQSHL, ARM64_INS_UQSHRN, ARM64_INS_UQSHRN2, ARM64_INS_UQSUB, ARM64_INS_UQXTN2, ARM64_INS_UQXTN, ARM64_INS_URECPE, ARM64_INS_URHADD, ARM64_INS_URSHL, ARM64_INS_URSHR, ARM64_INS_URSQRTE, ARM64_INS_URSRA, ARM64_INS_USHLL2, ARM64_INS_USHLL, ARM64_INS_USHL, ARM64_INS_USHR, ARM64_INS_USQADD, ARM64_INS_USRA, ARM64_INS_USUBL2, ARM64_INS_USUBL, ARM64_INS_USUBW2, ARM64_INS_USUBW, ARM64_INS_UZP1, ARM64_INS_UZP2, ARM64_INS_XTN2, ARM64_INS_XTN, ARM64_INS_ZIP1, ARM64_INS_ZIP2, // alias insn ARM64_INS_MNEG, ARM64_INS_UMNEGL, ARM64_INS_SMNEGL, ARM64_INS_NOP, ARM64_INS_YIELD, ARM64_INS_WFE, ARM64_INS_WFI, ARM64_INS_SEV, ARM64_INS_SEVL, ARM64_INS_NGC, ARM64_INS_SBFIZ, ARM64_INS_UBFIZ, ARM64_INS_SBFX, ARM64_INS_UBFX, ARM64_INS_BFI, ARM64_INS_BFXIL, ARM64_INS_CMN, ARM64_INS_MVN, ARM64_INS_TST, ARM64_INS_CSET, ARM64_INS_CINC, ARM64_INS_CSETM, ARM64_INS_CINV, ARM64_INS_CNEG, ARM64_INS_SXTB, ARM64_INS_SXTH, ARM64_INS_SXTW, ARM64_INS_CMP, ARM64_INS_UXTB, ARM64_INS_UXTH, ARM64_INS_UXTW, ARM64_INS_IC, ARM64_INS_DC, ARM64_INS_AT, ARM64_INS_TLBI, ARM64_INS_NEGS, ARM64_INS_NGCS, ARM64_INS_ENDING, // <-- mark the end of the list of insn } arm64_insn; //> Group of ARM64 instructions typedef enum arm64_insn_group { ARM64_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) ARM64_GRP_JUMP, // = CS_GRP_JUMP ARM64_GRP_CALL, ARM64_GRP_RET, ARM64_GRP_INT, ARM64_GRP_PRIVILEGE = 6, // = CS_GRP_PRIVILEGE //> Architecture-specific groups ARM64_GRP_CRYPTO = 128, ARM64_GRP_FPARMV8, ARM64_GRP_NEON, ARM64_GRP_CRC, ARM64_GRP_ENDING, // <-- mark the end of the list of groups } arm64_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/capstone.h ================================================ #ifndef CAPSTONE_ENGINE_H #define CAPSTONE_ENGINE_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2016 */ #ifdef __cplusplus extern "C" { #endif #include #if defined(CAPSTONE_HAS_OSXKERNEL) #include #else #include #include #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #pragma warning(disable:4100) #define CAPSTONE_API __cdecl #ifdef CAPSTONE_SHARED #define CAPSTONE_EXPORT __declspec(dllexport) #else // defined(CAPSTONE_STATIC) #define CAPSTONE_EXPORT #endif #else #define CAPSTONE_API #ifdef __GNUC__ #define CAPSTONE_EXPORT __attribute__((visibility("default"))) #else #define CAPSTONE_EXPORT #endif #endif #ifdef __GNUC__ #define CAPSTONE_DEPRECATED __attribute__((deprecated)) #elif defined(_MSC_VER) #define CAPSTONE_DEPRECATED __declspec(deprecated) #else #pragma message("WARNING: You need to implement CAPSTONE_DEPRECATED for this compiler") #define CAPSTONE_DEPRECATED #endif // Capstone API version #define CS_API_MAJOR 4 #define CS_API_MINOR 0 // Version for bleeding edge code of the Github's "next" branch. // Use this if you want the absolutely latest developement code. // This version number will be bumped up whenever we have a new major change. #define CS_NEXT_VERSION 4 // Capstone package version #define CS_VERSION_MAJOR CS_API_MAJOR #define CS_VERSION_MINOR CS_API_MINOR #define CS_VERSION_EXTRA 0 // Macro to create combined version which can be compared to // result of cs_version() API. #define CS_MAKE_VERSION(major, minor) ((major << 8) + minor) // Maximum size of an instruction mnemonic string. #define CS_MNEMONIC_SIZE 32 // Handle using with all API typedef size_t csh; // Architecture type typedef enum cs_arch { CS_ARCH_ARM = 0, // ARM architecture (including Thumb, Thumb-2) CS_ARCH_ARM64, // ARM-64, also called AArch64 CS_ARCH_MIPS, // Mips architecture CS_ARCH_X86, // X86 architecture (including x86 & x86-64) CS_ARCH_PPC, // PowerPC architecture CS_ARCH_SPARC, // Sparc architecture CS_ARCH_SYSZ, // SystemZ architecture CS_ARCH_XCORE, // XCore architecture CS_ARCH_M68K, // 68K architecture CS_ARCH_MAX, CS_ARCH_ALL = 0xFFFF, // All architectures - for cs_support() } cs_arch; // Support value to verify diet mode of the engine. // If cs_support(CS_SUPPORT_DIET) return True, the engine was compiled // in diet mode. #define CS_SUPPORT_DIET (CS_ARCH_ALL + 1) // Support value to verify X86 reduce mode of the engine. // If cs_support(CS_SUPPORT_X86_REDUCE) return True, the engine was compiled // in X86 reduce mode. #define CS_SUPPORT_X86_REDUCE (CS_ARCH_ALL + 2) // Mode type typedef enum cs_mode { CS_MODE_LITTLE_ENDIAN = 0, // little-endian mode (default mode) CS_MODE_ARM = 0, // 32-bit ARM CS_MODE_16 = 1 << 1, // 16-bit mode (X86) CS_MODE_32 = 1 << 2, // 32-bit mode (X86) CS_MODE_64 = 1 << 3, // 64-bit mode (X86, PPC) CS_MODE_THUMB = 1 << 4, // ARM's Thumb mode, including Thumb-2 CS_MODE_MCLASS = 1 << 5, // ARM's Cortex-M series CS_MODE_V8 = 1 << 6, // ARMv8 A32 encodings for ARM CS_MODE_MICRO = 1 << 4, // MicroMips mode (MIPS) CS_MODE_MIPS3 = 1 << 5, // Mips III ISA CS_MODE_MIPS32R6 = 1 << 6, // Mips32r6 ISA CS_MODE_V9 = 1 << 4, // SparcV9 mode (Sparc) CS_MODE_QPX = 1 << 4, // Quad Processing eXtensions mode (PPC) CS_MODE_M68K_000 = 1 << 1, // M68K 68000 mode CS_MODE_M68K_010 = 1 << 2, // M68K 68010 mode CS_MODE_M68K_020 = 1 << 3, // M68K 68020 mode CS_MODE_M68K_030 = 1 << 4, // M68K 68030 mode CS_MODE_M68K_040 = 1 << 5, // M68K 68040 mode CS_MODE_M68K_060 = 1 << 6, // M68K 68060 mode CS_MODE_BIG_ENDIAN = 1 << 31, // big-endian mode CS_MODE_MIPS32 = CS_MODE_32, // Mips32 ISA (Mips) CS_MODE_MIPS64 = CS_MODE_64, // Mips64 ISA (Mips) } cs_mode; typedef void* (CAPSTONE_API* cs_malloc_t)(size_t size); typedef void* (CAPSTONE_API* cs_calloc_t)(size_t nmemb, size_t size); typedef void* (CAPSTONE_API* cs_realloc_t)(void* ptr, size_t size); typedef void (CAPSTONE_API* cs_free_t)(void* ptr); typedef int (CAPSTONE_API* cs_vsnprintf_t)(char* str, size_t size, const char* format, va_list ap); // User-defined dynamic memory related functions: malloc/calloc/realloc/free/vsnprintf() // By default, Capstone uses system's malloc(), calloc(), realloc(), free() & vsnprintf(). typedef struct cs_opt_mem { cs_malloc_t malloc; cs_calloc_t calloc; cs_realloc_t realloc; cs_free_t free; cs_vsnprintf_t vsnprintf; } cs_opt_mem; // Customize mnemonic for instructions with alternative name. // To reset existing customized instruction to its default mnemonic, // call cs_option(CS_OPT_MNEMONIC) again with the same @id and NULL value // for @mnemonic. typedef struct cs_opt_mnem { // ID of instruction to be customized. unsigned int id; // Customized instruction mnemonic. const char* mnemonic; } cs_opt_mnem; // Runtime option for the disassembled engine typedef enum cs_opt_type { CS_OPT_INVALID = 0, // No option specified CS_OPT_SYNTAX, // Assembly output syntax CS_OPT_DETAIL, // Break down instruction structure into details CS_OPT_MODE, // Change engine's mode at run-time CS_OPT_MEM, // User-defined dynamic memory related functions CS_OPT_SKIPDATA, // Skip data when disassembling. Then engine is in SKIPDATA mode. CS_OPT_SKIPDATA_SETUP, // Setup user-defined function for SKIPDATA option CS_OPT_MNEMONIC, // Customize instruction mnemonic CS_OPT_UNSIGNED, // print immediate operands in unsigned form } cs_opt_type; // Runtime option value (associated with option type above) typedef enum cs_opt_value { CS_OPT_OFF = 0, // Turn OFF an option - default for CS_OPT_DETAIL, CS_OPT_SKIPDATA, CS_OPT_UNSIGNED. CS_OPT_ON = 3, // Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA). CS_OPT_SYNTAX_DEFAULT = 0, // Default asm syntax (CS_OPT_SYNTAX). CS_OPT_SYNTAX_INTEL, // X86 Intel asm syntax - default on X86 (CS_OPT_SYNTAX). CS_OPT_SYNTAX_ATT, // X86 ATT asm syntax (CS_OPT_SYNTAX). CS_OPT_SYNTAX_NOREGNAME, // Prints register name with only number (CS_OPT_SYNTAX) CS_OPT_SYNTAX_MASM, // X86 Intel Masm syntax (CS_OPT_SYNTAX). } cs_opt_value; //> Common instruction operand types - to be consistent across all architectures. typedef enum cs_op_type { CS_OP_INVALID = 0, // uninitialized/invalid operand. CS_OP_REG, // Register operand. CS_OP_IMM, // Immediate operand. CS_OP_MEM, // Memory operand. CS_OP_FP, // Floating-Point operand. } cs_op_type; //> Common instruction operand access types - to be consistent across all architectures. //> It is possible to combine access types, for example: CS_AC_READ | CS_AC_WRITE typedef enum cs_ac_type { CS_AC_INVALID = 0, // Uninitialized/invalid access type. CS_AC_READ = 1 << 0, // Operand read from memory or register. CS_AC_WRITE = 1 << 1, // Operand write to memory or register. } cs_ac_type; //> Common instruction groups - to be consistent across all architectures. typedef enum cs_group_type { CS_GRP_INVALID = 0, // uninitialized/invalid group. CS_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps) CS_GRP_CALL, // all call instructions CS_GRP_RET, // all return instructions CS_GRP_INT, // all interrupt instructions (int+syscall) CS_GRP_IRET, // all interrupt return instructions CS_GRP_PRIVILEGE, // all privileged instructions } cs_group_type; /* User-defined callback function for SKIPDATA option. See tests/test_skipdata.c for sample code demonstrating this API. @code: the input buffer containing code to be disassembled. This is the same buffer passed to cs_disasm(). @code_size: size (in bytes) of the above @code buffer. @offset: the position of the currently-examining byte in the input buffer @code mentioned above. @user_data: user-data passed to cs_option() via @user_data field in cs_opt_skipdata struct below. @return: return number of bytes to skip, or 0 to immediately stop disassembling. */ typedef size_t (CAPSTONE_API* cs_skipdata_cb_t)(const uint8_t* code, size_t code_size, size_t offset, void* user_data); // User-customized setup for SKIPDATA option typedef struct cs_opt_skipdata { // Capstone considers data to skip as special "instructions". // User can specify the string for this instruction's "mnemonic" here. // By default (if @mnemonic is NULL), Capstone use ".byte". const char* mnemonic; // User-defined callback function to be called when Capstone hits data. // If the returned value from this callback is positive (>0), Capstone // will skip exactly that number of bytes & continue. Otherwise, if // the callback returns 0, Capstone stops disassembling and returns // immediately from cs_disasm() // NOTE: if this callback pointer is NULL, Capstone would skip a number // of bytes depending on architectures, as following: // Arm: 2 bytes (Thumb mode) or 4 bytes. // Arm64: 4 bytes. // Mips: 4 bytes. // PowerPC: 4 bytes. // Sparc: 4 bytes. // SystemZ: 2 bytes. // X86: 1 bytes. // XCore: 2 bytes. cs_skipdata_cb_t callback; // default value is NULL // User-defined data to be passed to @callback function pointer. void* user_data; } cs_opt_skipdata; #include "arm.h" #include "arm64.h" #include "m68k.h" #include "mips.h" #include "ppc.h" #include "sparc.h" #include "systemz.h" #include "x86.h" #include "xcore.h" // NOTE: All information in cs_detail is only available when CS_OPT_DETAIL = CS_OPT_ON typedef struct cs_detail { uint16_t regs_read[12]; // list of implicit registers read by this insn uint8_t regs_read_count; // number of implicit registers read by this insn uint16_t regs_write[20]; // list of implicit registers modified by this insn uint8_t regs_write_count; // number of implicit registers modified by this insn uint8_t groups[8]; // list of group this instruction belong to uint8_t groups_count; // number of groups this insn belongs to // Architecture-specific instruction info union { cs_x86 x86; // X86 architecture, including 16-bit, 32-bit & 64-bit mode cs_arm64 arm64; // ARM64 architecture (aka AArch64) cs_arm arm; // ARM architecture (including Thumb/Thumb2) cs_m68k m68k; // M68K architecture cs_mips mips; // MIPS architecture cs_ppc ppc; // PowerPC architecture cs_sparc sparc; // Sparc architecture cs_sysz sysz; // SystemZ architecture cs_xcore xcore; // XCore architecture }; } cs_detail; // Detail information of disassembled instruction typedef struct cs_insn { // Instruction ID (basically a numeric ID for the instruction mnemonic) // Find the instruction id in the '[ARCH]_insn' enum in the header file // of corresponding architecture, such as 'arm_insn' in arm.h for ARM, // 'x86_insn' in x86.h for X86, etc... // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF // NOTE: in Skipdata mode, "data" instruction has 0 for this id field. unsigned int id; // Address (EIP) of this instruction // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF uint64_t address; // Size of this instruction // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF uint16_t size; // Machine bytes of this instruction, with number of bytes indicated by @size above // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF uint8_t bytes[16]; // Ascii text of instruction mnemonic // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF char mnemonic[CS_MNEMONIC_SIZE]; // Ascii text of instruction operands // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF char op_str[160]; // Pointer to cs_detail. // NOTE: detail pointer is only valid when both requirements below are met: // (1) CS_OP_DETAIL = CS_OPT_ON // (2) Engine is not in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON) // // NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer // is not NULL, its content is still irrelevant. cs_detail* detail; } cs_insn; // Calculate the offset of a disassembled instruction in its buffer, given its position // in its array of disassembled insn // NOTE: this macro works with position (>=1), not index #define CS_INSN_OFFSET(insns, post) (insns[post - 1].address - insns[0].address) // All type of errors encountered by Capstone API. // These are values returned by cs_errno() typedef enum cs_err { CS_ERR_OK = 0, // No error: everything was fine CS_ERR_MEM, // Out-Of-Memory error: cs_open(), cs_disasm(), cs_disasm_iter() CS_ERR_ARCH, // Unsupported architecture: cs_open() CS_ERR_HANDLE, // Invalid handle: cs_op_count(), cs_op_index() CS_ERR_CSH, // Invalid csh argument: cs_close(), cs_errno(), cs_option() CS_ERR_MODE, // Invalid/unsupported mode: cs_open() CS_ERR_OPTION, // Invalid/unsupported option: cs_option() CS_ERR_DETAIL, // Information is unavailable because detail option is OFF CS_ERR_MEMSETUP, // Dynamic memory management uninitialized (see CS_OPT_MEM) CS_ERR_VERSION, // Unsupported version (bindings) CS_ERR_DIET, // Access irrelevant data in "diet" engine CS_ERR_SKIPDATA, // Access irrelevant data for "data" instruction in SKIPDATA mode CS_ERR_X86_ATT, // X86 AT&T syntax is unsupported (opt-out at compile time) CS_ERR_X86_INTEL, // X86 Intel syntax is unsupported (opt-out at compile time) CS_ERR_X86_MASM, // X86 Intel syntax is unsupported (opt-out at compile time) } cs_err; /* Return combined API version & major and minor version numbers. @major: major number of API version @minor: minor number of API version @return hexical number as (major << 8 | minor), which encodes both major & minor versions. NOTE: This returned value can be compared with version number made with macro CS_MAKE_VERSION For example, second API version would return 1 in @major, and 1 in @minor The return value would be 0x0101 NOTE: if you only care about returned value, but not major and minor values, set both @major & @minor arguments to NULL. */ CAPSTONE_EXPORT unsigned int CAPSTONE_API cs_version(int* major, int* minor); /* This API can be used to either ask for archs supported by this library, or check to see if the library was compile with 'diet' option (or called in 'diet' mode). To check if a particular arch is supported by this library, set @query to arch mode (CS_ARCH_* value). To verify if this library supports all the archs, use CS_ARCH_ALL. To check if this library is in 'diet' mode, set @query to CS_SUPPORT_DIET. @return True if this library supports the given arch, or in 'diet' mode. */ CAPSTONE_EXPORT bool CAPSTONE_API cs_support(int query); /* Initialize CS handle: this must be done before any usage of CS. @arch: architecture type (CS_ARCH_*) @mode: hardware mode. This is combined of CS_MODE_* @handle: pointer to handle, which will be updated at return time @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum for detailed error). */ CAPSTONE_EXPORT cs_err CAPSTONE_API cs_open(cs_arch arch, cs_mode mode, csh* handle); /* Close CS handle: MUST do to release the handle when it is not used anymore. NOTE: this must be only called when there is no longer usage of Capstone, not even access to cs_insn array. The reason is the this API releases some cached memory, thus access to any Capstone API after cs_close() might crash your application. In fact,this API invalidate @handle by ZERO out its value (i.e *handle = 0). @handle: pointer to a handle returned by cs_open() @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum for detailed error). */ CAPSTONE_EXPORT cs_err CAPSTONE_API cs_close(csh* handle); /* Set option for disassembling engine at runtime @handle: handle returned by cs_open() @type: type of option to be set @value: option value corresponding with @type @return: CS_ERR_OK on success, or other value on failure. Refer to cs_err enum for detailed error. NOTE: in the case of CS_OPT_MEM, handle's value can be anything, so that cs_option(handle, CS_OPT_MEM, value) can (i.e must) be called even before cs_open() */ CAPSTONE_EXPORT cs_err CAPSTONE_API cs_option(csh handle, cs_opt_type type, size_t value); /* Report the last error number when some API function fail. Like glibc's errno, cs_errno might not retain its old value once accessed. @handle: handle returned by cs_open() @return: error code of cs_err enum type (CS_ERR_*, see above) */ CAPSTONE_EXPORT cs_err CAPSTONE_API cs_errno(csh handle); /* Return a string describing given error code. @code: error code (see CS_ERR_* above) @return: returns a pointer to a string that describes the error code passed in the argument @code */ CAPSTONE_EXPORT const char* CAPSTONE_API cs_strerror(cs_err code); /* Disassemble binary code, given the code buffer, size, address and number of instructions to be decoded. This API dynamically allocate memory to contain disassembled instruction. Resulted instructions will be put into @*insn NOTE 1: this API will automatically determine memory needed to contain output disassembled instructions in @insn. NOTE 2: caller must free the allocated memory itself to avoid memory leaking. NOTE 3: for system with scarce memory to be dynamically allocated such as OS kernel or firmware, the API cs_disasm_iter() might be a better choice than cs_disasm(). The reason is that with cs_disasm(), based on limited available memory, we have to calculate in advance how many instructions to be disassembled, which complicates things. This is especially troublesome for the case @count=0, when cs_disasm() runs uncontrollably (until either end of input buffer, or when it encounters an invalid instruction). @handle: handle returned by cs_open() @code: buffer containing raw binary code to be disassembled. @code_size: size of the above code buffer. @address: address of the first instruction in given raw code buffer. @insn: array of instructions filled in by this API. NOTE: @insn will be allocated by this function, and should be freed with cs_free() API. @count: number of instructions to be disassembled, or 0 to get all of them @return: the number of successfully disassembled instructions, or 0 if this function failed to disassemble the given code On failure, call cs_errno() for error code. */ CAPSTONE_EXPORT size_t CAPSTONE_API cs_disasm(csh handle, const uint8_t* code, size_t code_size, uint64_t address, size_t count, cs_insn** insn); /* Deprecated function - to be retired in the next version! Use cs_disasm() instead of cs_disasm_ex() */ CAPSTONE_EXPORT CAPSTONE_DEPRECATED size_t CAPSTONE_API cs_disasm_ex(csh handle, const uint8_t* code, size_t code_size, uint64_t address, size_t count, cs_insn** insn); /* Free memory allocated by cs_malloc() or cs_disasm() (argument @insn) @insn: pointer returned by @insn argument in cs_disasm() or cs_malloc() @count: number of cs_insn structures returned by cs_disasm(), or 1 to free memory allocated by cs_malloc(). */ CAPSTONE_EXPORT void CAPSTONE_API cs_free(cs_insn* insn, size_t count); /* Allocate memory for 1 instruction to be used by cs_disasm_iter(). @handle: handle returned by cs_open() NOTE: when no longer in use, you can reclaim the memory allocated for this instruction with cs_free(insn, 1) */ CAPSTONE_EXPORT cs_insn* CAPSTONE_API cs_malloc(csh handle); /* Fast API to disassemble binary code, given the code buffer, size, address and number of instructions to be decoded. This API put the resulted instruction into a given cache in @insn. See tests/test_iter.c for sample code demonstrating this API. NOTE 1: this API will update @code, @size & @address to point to the next instruction in the input buffer. Therefore, it is convenient to use cs_disasm_iter() inside a loop to quickly iterate all the instructions. While decoding one instruction at a time can also be achieved with cs_disasm(count=1), some benchmarks shown that cs_disasm_iter() can be 30% faster on random input. NOTE 2: the cache in @insn can be created with cs_malloc() API. NOTE 3: for system with scarce memory to be dynamically allocated such as OS kernel or firmware, this API is recommended over cs_disasm(), which allocates memory based on the number of instructions to be disassembled. The reason is that with cs_disasm(), based on limited available memory, we have to calculate in advance how many instructions to be disassembled, which complicates things. This is especially troublesome for the case @count=0, when cs_disasm() runs uncontrollably (until either end of input buffer, or when it encounters an invalid instruction). @handle: handle returned by cs_open() @code: buffer containing raw binary code to be disassembled @code_size: size of above code @address: address of the first insn in given raw code buffer @insn: pointer to instruction to be filled in by this API. @return: true if this API successfully decode 1 instruction, or false otherwise. On failure, call cs_errno() for error code. */ CAPSTONE_EXPORT bool CAPSTONE_API cs_disasm_iter(csh handle, const uint8_t** code, size_t* size, uint64_t* address, cs_insn* insn); /* Return friendly name of register in a string. Find the instruction id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) WARN: when in 'diet' mode, this API is irrelevant because engine does not store register name. @handle: handle returned by cs_open() @reg_id: register id @return: string name of the register, or NULL if @reg_id is invalid. */ CAPSTONE_EXPORT const char* CAPSTONE_API cs_reg_name(csh handle, unsigned int reg_id); /* Return friendly name of an instruction in a string. Find the instruction id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) WARN: when in 'diet' mode, this API is irrelevant because the engine does not store instruction name. @handle: handle returned by cs_open() @insn_id: instruction id @return: string name of the instruction, or NULL if @insn_id is invalid. */ CAPSTONE_EXPORT const char* CAPSTONE_API cs_insn_name(csh handle, unsigned int insn_id); /* Return friendly name of a group id (that an instruction can belong to) Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) WARN: when in 'diet' mode, this API is irrelevant because the engine does not store group name. @handle: handle returned by cs_open() @group_id: group id @return: string name of the group, or NULL if @group_id is invalid. */ CAPSTONE_EXPORT const char* CAPSTONE_API cs_group_name(csh handle, unsigned int group_id); /* Check if a disassembled instruction belong to a particular group. Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) Internally, this simply verifies if @group_id matches any member of insn->groups array. NOTE: this API is only valid when detail option is ON (which is OFF by default). WARN: when in 'diet' mode, this API is irrelevant because the engine does not update @groups array. @handle: handle returned by cs_open() @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter() @group_id: group that you want to check if this instruction belong to. @return: true if this instruction indeed belongs to aboved group, or false otherwise. */ CAPSTONE_EXPORT bool CAPSTONE_API cs_insn_group(csh handle, const cs_insn* insn, unsigned int group_id); /* Check if a disassembled instruction IMPLICITLY used a particular register. Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) Internally, this simply verifies if @reg_id matches any member of insn->regs_read array. NOTE: this API is only valid when detail option is ON (which is OFF by default) WARN: when in 'diet' mode, this API is irrelevant because the engine does not update @regs_read array. @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter() @reg_id: register that you want to check if this instruction used it. @return: true if this instruction indeed implicitly used aboved register, or false otherwise. */ CAPSTONE_EXPORT bool CAPSTONE_API cs_reg_read(csh handle, const cs_insn* insn, unsigned int reg_id); /* Check if a disassembled instruction IMPLICITLY modified a particular register. Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) Internally, this simply verifies if @reg_id matches any member of insn->regs_write array. NOTE: this API is only valid when detail option is ON (which is OFF by default) WARN: when in 'diet' mode, this API is irrelevant because the engine does not update @regs_write array. @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter() @reg_id: register that you want to check if this instruction modified it. @return: true if this instruction indeed implicitly modified aboved register, or false otherwise. */ CAPSTONE_EXPORT bool CAPSTONE_API cs_reg_write(csh handle, const cs_insn* insn, unsigned int reg_id); /* Count the number of operands of a given type. Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) NOTE: this API is only valid when detail option is ON (which is OFF by default) @handle: handle returned by cs_open() @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter() @op_type: Operand type to be found. @return: number of operands of given type @op_type in instruction @insn, or -1 on failure. */ CAPSTONE_EXPORT int CAPSTONE_API cs_op_count(csh handle, const cs_insn* insn, unsigned int op_type); /* Retrieve the position of operand of given type in .operands[] array. Later, the operand can be accessed using the returned position. Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...) NOTE: this API is only valid when detail option is ON (which is OFF by default) @handle: handle returned by cs_open() @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter() @op_type: Operand type to be found. @position: position of the operand to be found. This must be in the range [1, cs_op_count(handle, insn, op_type)] @return: index of operand of given type @op_type in .operands[] array in instruction @insn, or -1 on failure. */ CAPSTONE_EXPORT int CAPSTONE_API cs_op_index(csh handle, const cs_insn* insn, unsigned int op_type, unsigned int position); // Type of array to keep the list of registers typedef uint16_t cs_regs[64]; /* Retrieve all the registers accessed by an instruction, either explicitly or implicitly. WARN: when in 'diet' mode, this API is irrelevant because engine does not store registers. @handle: handle returned by cs_open() @insn: disassembled instruction structure returned from cs_disasm() or cs_disasm_iter() @regs_read: on return, this array contains all registers read by instruction. @regs_read_count: number of registers kept inside @regs_read array. @regs_write: on return, this array contains all registers written by instruction. @regs_write_count: number of registers kept inside @regs_write array. @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum for detailed error). */ CAPSTONE_EXPORT cs_err CAPSTONE_API cs_regs_access(csh handle, const cs_insn* insn, cs_regs regs_read, uint8_t* regs_read_count, cs_regs regs_write, uint8_t* regs_write_count); #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/m68k.h ================================================ #ifndef CAPSTONE_M68K_H #define CAPSTONE_M68K_H /* Capstone Disassembly Engine */ /* By Daniel Collin , 2015-2016 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif #define M68K_OPERAND_COUNT 4 //> M68K registers and special registers typedef enum m68k_reg { M68K_REG_INVALID = 0, M68K_REG_D0, M68K_REG_D1, M68K_REG_D2, M68K_REG_D3, M68K_REG_D4, M68K_REG_D5, M68K_REG_D6, M68K_REG_D7, M68K_REG_A0, M68K_REG_A1, M68K_REG_A2, M68K_REG_A3, M68K_REG_A4, M68K_REG_A5, M68K_REG_A6, M68K_REG_A7, M68K_REG_FP0, M68K_REG_FP1, M68K_REG_FP2, M68K_REG_FP3, M68K_REG_FP4, M68K_REG_FP5, M68K_REG_FP6, M68K_REG_FP7, M68K_REG_PC, M68K_REG_SR, M68K_REG_CCR, M68K_REG_SFC, M68K_REG_DFC, M68K_REG_USP, M68K_REG_VBR, M68K_REG_CACR, M68K_REG_CAAR, M68K_REG_MSP, M68K_REG_ISP, M68K_REG_TC, M68K_REG_ITT0, M68K_REG_ITT1, M68K_REG_DTT0, M68K_REG_DTT1, M68K_REG_MMUSR, M68K_REG_URP, M68K_REG_SRP, M68K_REG_FPCR, M68K_REG_FPSR, M68K_REG_FPIAR, M68K_REG_ENDING, // <-- mark the end of the list of registers } m68k_reg; //> M68K Addressing Modes typedef enum m68k_address_mode { M68K_AM_NONE = 0, // No address mode. M68K_AM_REG_DIRECT_DATA, // Register Direct - Data M68K_AM_REG_DIRECT_ADDR, // Register Direct - Address M68K_AM_REGI_ADDR, // Register Indirect - Address M68K_AM_REGI_ADDR_POST_INC, // Register Indirect - Address with Postincrement M68K_AM_REGI_ADDR_PRE_DEC, // Register Indirect - Address with Predecrement M68K_AM_REGI_ADDR_DISP, // Register Indirect - Address with Displacement M68K_AM_AREGI_INDEX_8_BIT_DISP, // Address Register Indirect With Index- 8-bit displacement M68K_AM_AREGI_INDEX_BASE_DISP, // Address Register Indirect With Index- Base displacement M68K_AM_MEMI_POST_INDEX, // Memory indirect - Postindex M68K_AM_MEMI_PRE_INDEX, // Memory indirect - Preindex M68K_AM_PCI_DISP, // Program Counter Indirect - with Displacement M68K_AM_PCI_INDEX_8_BIT_DISP, // Program Counter Indirect with Index - with 8-Bit Displacement M68K_AM_PCI_INDEX_BASE_DISP, // Program Counter Indirect with Index - with Base Displacement M68K_AM_PC_MEMI_POST_INDEX, // Program Counter Memory Indirect - Postindexed M68K_AM_PC_MEMI_PRE_INDEX, // Program Counter Memory Indirect - Preindexed M68K_AM_ABSOLUTE_DATA_SHORT, // Absolute Data Addressing - Short M68K_AM_ABSOLUTE_DATA_LONG, // Absolute Data Addressing - Long M68K_AM_IMMEDIATE, // Immediate value } m68k_address_mode; //> Operand type for instruction's operands typedef enum m68k_op_type { M68K_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). M68K_OP_REG, // = CS_OP_REG (Register operand). M68K_OP_IMM, // = CS_OP_IMM (Immediate operand). M68K_OP_MEM, // = CS_OP_MEM (Memory operand). M68K_OP_FP_SINGLE, // single precision Floating-Point operand M68K_OP_FP_DOUBLE, // double precision Floating-Point operand M68K_OP_REG_BITS, // Register bits move M68K_OP_REG_PAIR, // Register pair in the same op (upper 4 bits for first reg, lower for second) } m68k_op_type; // Instruction's operand referring to memory // This is associated with M68K_OP_MEM operand type above typedef struct m68k_op_mem { m68k_reg base_reg; // base register (or M68K_REG_INVALID if irrelevant) m68k_reg index_reg; // index register (or M68K_REG_INVALID if irrelevant) m68k_reg in_base_reg; // indirect base register (or M68K_REG_INVALID if irrelevant) uint32_t in_disp; // indirect displacement uint32_t out_disp; // other displacement int16_t disp; // displacement value uint8_t scale; // scale for index register uint8_t bitfield; // set to true if the two values below should be used uint8_t width; // used for bf* instructions uint8_t offset; // used for bf* instructions uint8_t index_size; // 0 = w, 1 = l } m68k_op_mem; // Instruction operand typedef struct cs_m68k_op { union { uint64_t imm; // immediate value for IMM operand double dimm; // double imm float simm; // float imm m68k_reg reg; // register value for REG operand struct // register pair in one operand { m68k_reg reg_0; m68k_reg reg_1; } reg_pair; m68k_op_mem mem; // data when operand is targeting memory uint32_t register_bits; // register bits for movem etc. (always in d0-d7, a0-a7, fp0 - fp7 order) }; m68k_op_type type; m68k_address_mode address_mode; // M68K addressing mode for this op } cs_m68k_op; // Operation size of the CPU instructions typedef enum m68k_cpu_size { M68K_CPU_SIZE_NONE = 0, // unsized or unspecified M68K_CPU_SIZE_BYTE = 1, // 1 byte in size M68K_CPU_SIZE_WORD = 2, // 2 bytes in size M68K_CPU_SIZE_LONG = 4, // 4 bytes in size } m68k_cpu_size; // Operation size of the FPU instructions (Notice that FPU instruction can also use CPU sizes if needed) typedef enum m68k_fpu_size { M68K_FPU_SIZE_NONE = 0, // unsized like fsave/frestore M68K_FPU_SIZE_SINGLE = 4, // 4 byte in size (single float) M68K_FPU_SIZE_DOUBLE = 8, // 8 byte in size (double) M68K_FPU_SIZE_EXTENDED = 12, // 12 byte in size (extended real format) } m68k_fpu_size; // Type of size that is being used for the current instruction typedef enum m68k_size_type { M68K_SIZE_TYPE_INVALID = 0, M68K_SIZE_TYPE_CPU, M68K_SIZE_TYPE_FPU, } m68k_size_type; // Operation size of the current instruction (NOT the actually size of instruction) typedef struct m68k_op_size { m68k_size_type type; union { m68k_cpu_size cpu_size; m68k_fpu_size fpu_size; }; } m68k_op_size; // The M68K instruction and it's operands typedef struct cs_m68k { // Number of operands of this instruction or 0 when instruction has no operand. cs_m68k_op operands[M68K_OPERAND_COUNT]; // operands for this instruction. m68k_op_size op_size; // size of data operand works on in bytes (.b, .w, .l, etc) uint8_t op_count; // number of operands for the instruction } cs_m68k; //> M68K instruction typedef enum m68k_insn { M68K_INS_INVALID = 0, M68K_INS_ABCD, M68K_INS_ADD, M68K_INS_ADDA, M68K_INS_ADDI, M68K_INS_ADDQ, M68K_INS_ADDX, M68K_INS_AND, M68K_INS_ANDI, M68K_INS_ASL, M68K_INS_ASR, M68K_INS_BHS, M68K_INS_BLO, M68K_INS_BHI, M68K_INS_BLS, M68K_INS_BCC, M68K_INS_BCS, M68K_INS_BNE, M68K_INS_BEQ, M68K_INS_BVC, M68K_INS_BVS, M68K_INS_BPL, M68K_INS_BMI, M68K_INS_BGE, M68K_INS_BLT, M68K_INS_BGT, M68K_INS_BLE, M68K_INS_BRA, M68K_INS_BSR, M68K_INS_BCHG, M68K_INS_BCLR, M68K_INS_BSET, M68K_INS_BTST, M68K_INS_BFCHG, M68K_INS_BFCLR, M68K_INS_BFEXTS, M68K_INS_BFEXTU, M68K_INS_BFFFO, M68K_INS_BFINS, M68K_INS_BFSET, M68K_INS_BFTST, M68K_INS_BKPT, M68K_INS_CALLM, M68K_INS_CAS, M68K_INS_CAS2, M68K_INS_CHK, M68K_INS_CHK2, M68K_INS_CLR, M68K_INS_CMP, M68K_INS_CMPA, M68K_INS_CMPI, M68K_INS_CMPM, M68K_INS_CMP2, M68K_INS_CINVL, M68K_INS_CINVP, M68K_INS_CINVA, M68K_INS_CPUSHL, M68K_INS_CPUSHP, M68K_INS_CPUSHA, M68K_INS_DBT, M68K_INS_DBF, M68K_INS_DBHI, M68K_INS_DBLS, M68K_INS_DBCC, M68K_INS_DBCS, M68K_INS_DBNE, M68K_INS_DBEQ, M68K_INS_DBVC, M68K_INS_DBVS, M68K_INS_DBPL, M68K_INS_DBMI, M68K_INS_DBGE, M68K_INS_DBLT, M68K_INS_DBGT, M68K_INS_DBLE, M68K_INS_DBRA, M68K_INS_DIVS, M68K_INS_DIVSL, M68K_INS_DIVU, M68K_INS_DIVUL, M68K_INS_EOR, M68K_INS_EORI, M68K_INS_EXG, M68K_INS_EXT, M68K_INS_EXTB, M68K_INS_FABS, M68K_INS_FSABS, M68K_INS_FDABS, M68K_INS_FACOS, M68K_INS_FADD, M68K_INS_FSADD, M68K_INS_FDADD, M68K_INS_FASIN, M68K_INS_FATAN, M68K_INS_FATANH, M68K_INS_FBF, M68K_INS_FBEQ, M68K_INS_FBOGT, M68K_INS_FBOGE, M68K_INS_FBOLT, M68K_INS_FBOLE, M68K_INS_FBOGL, M68K_INS_FBOR, M68K_INS_FBUN, M68K_INS_FBUEQ, M68K_INS_FBUGT, M68K_INS_FBUGE, M68K_INS_FBULT, M68K_INS_FBULE, M68K_INS_FBNE, M68K_INS_FBT, M68K_INS_FBSF, M68K_INS_FBSEQ, M68K_INS_FBGT, M68K_INS_FBGE, M68K_INS_FBLT, M68K_INS_FBLE, M68K_INS_FBGL, M68K_INS_FBGLE, M68K_INS_FBNGLE, M68K_INS_FBNGL, M68K_INS_FBNLE, M68K_INS_FBNLT, M68K_INS_FBNGE, M68K_INS_FBNGT, M68K_INS_FBSNE, M68K_INS_FBST, M68K_INS_FCMP, M68K_INS_FCOS, M68K_INS_FCOSH, M68K_INS_FDBF, M68K_INS_FDBEQ, M68K_INS_FDBOGT, M68K_INS_FDBOGE, M68K_INS_FDBOLT, M68K_INS_FDBOLE, M68K_INS_FDBOGL, M68K_INS_FDBOR, M68K_INS_FDBUN, M68K_INS_FDBUEQ, M68K_INS_FDBUGT, M68K_INS_FDBUGE, M68K_INS_FDBULT, M68K_INS_FDBULE, M68K_INS_FDBNE, M68K_INS_FDBT, M68K_INS_FDBSF, M68K_INS_FDBSEQ, M68K_INS_FDBGT, M68K_INS_FDBGE, M68K_INS_FDBLT, M68K_INS_FDBLE, M68K_INS_FDBGL, M68K_INS_FDBGLE, M68K_INS_FDBNGLE, M68K_INS_FDBNGL, M68K_INS_FDBNLE, M68K_INS_FDBNLT, M68K_INS_FDBNGE, M68K_INS_FDBNGT, M68K_INS_FDBSNE, M68K_INS_FDBST, M68K_INS_FDIV, M68K_INS_FSDIV, M68K_INS_FDDIV, M68K_INS_FETOX, M68K_INS_FETOXM1, M68K_INS_FGETEXP, M68K_INS_FGETMAN, M68K_INS_FINT, M68K_INS_FINTRZ, M68K_INS_FLOG10, M68K_INS_FLOG2, M68K_INS_FLOGN, M68K_INS_FLOGNP1, M68K_INS_FMOD, M68K_INS_FMOVE, M68K_INS_FSMOVE, M68K_INS_FDMOVE, M68K_INS_FMOVECR, M68K_INS_FMOVEM, M68K_INS_FMUL, M68K_INS_FSMUL, M68K_INS_FDMUL, M68K_INS_FNEG, M68K_INS_FSNEG, M68K_INS_FDNEG, M68K_INS_FNOP, M68K_INS_FREM, M68K_INS_FRESTORE, M68K_INS_FSAVE, M68K_INS_FSCALE, M68K_INS_FSGLDIV, M68K_INS_FSGLMUL, M68K_INS_FSIN, M68K_INS_FSINCOS, M68K_INS_FSINH, M68K_INS_FSQRT, M68K_INS_FSSQRT, M68K_INS_FDSQRT, M68K_INS_FSF, M68K_INS_FSBEQ, M68K_INS_FSOGT, M68K_INS_FSOGE, M68K_INS_FSOLT, M68K_INS_FSOLE, M68K_INS_FSOGL, M68K_INS_FSOR, M68K_INS_FSUN, M68K_INS_FSUEQ, M68K_INS_FSUGT, M68K_INS_FSUGE, M68K_INS_FSULT, M68K_INS_FSULE, M68K_INS_FSNE, M68K_INS_FST, M68K_INS_FSSF, M68K_INS_FSSEQ, M68K_INS_FSGT, M68K_INS_FSGE, M68K_INS_FSLT, M68K_INS_FSLE, M68K_INS_FSGL, M68K_INS_FSGLE, M68K_INS_FSNGLE, M68K_INS_FSNGL, M68K_INS_FSNLE, M68K_INS_FSNLT, M68K_INS_FSNGE, M68K_INS_FSNGT, M68K_INS_FSSNE, M68K_INS_FSST, M68K_INS_FSUB, M68K_INS_FSSUB, M68K_INS_FDSUB, M68K_INS_FTAN, M68K_INS_FTANH, M68K_INS_FTENTOX, M68K_INS_FTRAPF, M68K_INS_FTRAPEQ, M68K_INS_FTRAPOGT, M68K_INS_FTRAPOGE, M68K_INS_FTRAPOLT, M68K_INS_FTRAPOLE, M68K_INS_FTRAPOGL, M68K_INS_FTRAPOR, M68K_INS_FTRAPUN, M68K_INS_FTRAPUEQ, M68K_INS_FTRAPUGT, M68K_INS_FTRAPUGE, M68K_INS_FTRAPULT, M68K_INS_FTRAPULE, M68K_INS_FTRAPNE, M68K_INS_FTRAPT, M68K_INS_FTRAPSF, M68K_INS_FTRAPSEQ, M68K_INS_FTRAPGT, M68K_INS_FTRAPGE, M68K_INS_FTRAPLT, M68K_INS_FTRAPLE, M68K_INS_FTRAPGL, M68K_INS_FTRAPGLE, M68K_INS_FTRAPNGLE, M68K_INS_FTRAPNGL, M68K_INS_FTRAPNLE, M68K_INS_FTRAPNLT, M68K_INS_FTRAPNGE, M68K_INS_FTRAPNGT, M68K_INS_FTRAPSNE, M68K_INS_FTRAPST, M68K_INS_FTST, M68K_INS_FTWOTOX, M68K_INS_HALT, M68K_INS_ILLEGAL, M68K_INS_JMP, M68K_INS_JSR, M68K_INS_LEA, M68K_INS_LINK, M68K_INS_LPSTOP, M68K_INS_LSL, M68K_INS_LSR, M68K_INS_MOVE, M68K_INS_MOVEA, M68K_INS_MOVEC, M68K_INS_MOVEM, M68K_INS_MOVEP, M68K_INS_MOVEQ, M68K_INS_MOVES, M68K_INS_MOVE16, M68K_INS_MULS, M68K_INS_MULU, M68K_INS_NBCD, M68K_INS_NEG, M68K_INS_NEGX, M68K_INS_NOP, M68K_INS_NOT, M68K_INS_OR, M68K_INS_ORI, M68K_INS_PACK, M68K_INS_PEA, M68K_INS_PFLUSH, M68K_INS_PFLUSHA, M68K_INS_PFLUSHAN, M68K_INS_PFLUSHN, M68K_INS_PLOADR, M68K_INS_PLOADW, M68K_INS_PLPAR, M68K_INS_PLPAW, M68K_INS_PMOVE, M68K_INS_PMOVEFD, M68K_INS_PTESTR, M68K_INS_PTESTW, M68K_INS_PULSE, M68K_INS_REMS, M68K_INS_REMU, M68K_INS_RESET, M68K_INS_ROL, M68K_INS_ROR, M68K_INS_ROXL, M68K_INS_ROXR, M68K_INS_RTD, M68K_INS_RTE, M68K_INS_RTM, M68K_INS_RTR, M68K_INS_RTS, M68K_INS_SBCD, M68K_INS_ST, M68K_INS_SF, M68K_INS_SHI, M68K_INS_SLS, M68K_INS_SCC, M68K_INS_SHS, M68K_INS_SCS, M68K_INS_SLO, M68K_INS_SNE, M68K_INS_SEQ, M68K_INS_SVC, M68K_INS_SVS, M68K_INS_SPL, M68K_INS_SMI, M68K_INS_SGE, M68K_INS_SLT, M68K_INS_SGT, M68K_INS_SLE, M68K_INS_STOP, M68K_INS_SUB, M68K_INS_SUBA, M68K_INS_SUBI, M68K_INS_SUBQ, M68K_INS_SUBX, M68K_INS_SWAP, M68K_INS_TAS, M68K_INS_TRAP, M68K_INS_TRAPV, M68K_INS_TRAPT, M68K_INS_TRAPF, M68K_INS_TRAPHI, M68K_INS_TRAPLS, M68K_INS_TRAPCC, M68K_INS_TRAPHS, M68K_INS_TRAPCS, M68K_INS_TRAPLO, M68K_INS_TRAPNE, M68K_INS_TRAPEQ, M68K_INS_TRAPVC, M68K_INS_TRAPVS, M68K_INS_TRAPPL, M68K_INS_TRAPMI, M68K_INS_TRAPGE, M68K_INS_TRAPLT, M68K_INS_TRAPGT, M68K_INS_TRAPLE, M68K_INS_TST, M68K_INS_UNLK, M68K_INS_UNPK, M68K_INS_ENDING, // <-- mark the end of the list of instructions } m68k_insn; //> Group of M68K instructions typedef enum m68k_group_type { M68K_GRP_INVALID = 0, // CS_GRUP_INVALID M68K_GRP_JUMP, // = CS_GRP_JUMP M68K_GRP_RET = 3, // = CS_GRP_RET M68K_GRP_IRET = 5, // = CS_GRP_IRET M68K_GRP_ENDING,// <-- mark the end of the list of groups } m68k_group_type; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/mips.h ================================================ #ifndef CAPSTONE_MIPS_H #define CAPSTONE_MIPS_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" // GCC MIPS toolchain has a default macro called "mips" which breaks // compilation #undef mips #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> Operand type for instruction's operands typedef enum mips_op_type { MIPS_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). MIPS_OP_REG, // = CS_OP_REG (Register operand). MIPS_OP_IMM, // = CS_OP_IMM (Immediate operand). MIPS_OP_MEM, // = CS_OP_MEM (Memory operand). } mips_op_type; //> MIPS registers typedef enum mips_reg { MIPS_REG_INVALID = 0, //> General purpose registers MIPS_REG_PC, MIPS_REG_0, MIPS_REG_1, MIPS_REG_2, MIPS_REG_3, MIPS_REG_4, MIPS_REG_5, MIPS_REG_6, MIPS_REG_7, MIPS_REG_8, MIPS_REG_9, MIPS_REG_10, MIPS_REG_11, MIPS_REG_12, MIPS_REG_13, MIPS_REG_14, MIPS_REG_15, MIPS_REG_16, MIPS_REG_17, MIPS_REG_18, MIPS_REG_19, MIPS_REG_20, MIPS_REG_21, MIPS_REG_22, MIPS_REG_23, MIPS_REG_24, MIPS_REG_25, MIPS_REG_26, MIPS_REG_27, MIPS_REG_28, MIPS_REG_29, MIPS_REG_30, MIPS_REG_31, //> DSP registers MIPS_REG_DSPCCOND, MIPS_REG_DSPCARRY, MIPS_REG_DSPEFI, MIPS_REG_DSPOUTFLAG, MIPS_REG_DSPOUTFLAG16_19, MIPS_REG_DSPOUTFLAG20, MIPS_REG_DSPOUTFLAG21, MIPS_REG_DSPOUTFLAG22, MIPS_REG_DSPOUTFLAG23, MIPS_REG_DSPPOS, MIPS_REG_DSPSCOUNT, //> ACC registers MIPS_REG_AC0, MIPS_REG_AC1, MIPS_REG_AC2, MIPS_REG_AC3, //> COP registers MIPS_REG_CC0, MIPS_REG_CC1, MIPS_REG_CC2, MIPS_REG_CC3, MIPS_REG_CC4, MIPS_REG_CC5, MIPS_REG_CC6, MIPS_REG_CC7, //> FPU registers MIPS_REG_F0, MIPS_REG_F1, MIPS_REG_F2, MIPS_REG_F3, MIPS_REG_F4, MIPS_REG_F5, MIPS_REG_F6, MIPS_REG_F7, MIPS_REG_F8, MIPS_REG_F9, MIPS_REG_F10, MIPS_REG_F11, MIPS_REG_F12, MIPS_REG_F13, MIPS_REG_F14, MIPS_REG_F15, MIPS_REG_F16, MIPS_REG_F17, MIPS_REG_F18, MIPS_REG_F19, MIPS_REG_F20, MIPS_REG_F21, MIPS_REG_F22, MIPS_REG_F23, MIPS_REG_F24, MIPS_REG_F25, MIPS_REG_F26, MIPS_REG_F27, MIPS_REG_F28, MIPS_REG_F29, MIPS_REG_F30, MIPS_REG_F31, MIPS_REG_FCC0, MIPS_REG_FCC1, MIPS_REG_FCC2, MIPS_REG_FCC3, MIPS_REG_FCC4, MIPS_REG_FCC5, MIPS_REG_FCC6, MIPS_REG_FCC7, //> AFPR128 MIPS_REG_W0, MIPS_REG_W1, MIPS_REG_W2, MIPS_REG_W3, MIPS_REG_W4, MIPS_REG_W5, MIPS_REG_W6, MIPS_REG_W7, MIPS_REG_W8, MIPS_REG_W9, MIPS_REG_W10, MIPS_REG_W11, MIPS_REG_W12, MIPS_REG_W13, MIPS_REG_W14, MIPS_REG_W15, MIPS_REG_W16, MIPS_REG_W17, MIPS_REG_W18, MIPS_REG_W19, MIPS_REG_W20, MIPS_REG_W21, MIPS_REG_W22, MIPS_REG_W23, MIPS_REG_W24, MIPS_REG_W25, MIPS_REG_W26, MIPS_REG_W27, MIPS_REG_W28, MIPS_REG_W29, MIPS_REG_W30, MIPS_REG_W31, MIPS_REG_HI, MIPS_REG_LO, MIPS_REG_P0, MIPS_REG_P1, MIPS_REG_P2, MIPS_REG_MPL0, MIPS_REG_MPL1, MIPS_REG_MPL2, MIPS_REG_ENDING, // <-- mark the end of the list or registers // alias registers MIPS_REG_ZERO = MIPS_REG_0, MIPS_REG_AT = MIPS_REG_1, MIPS_REG_V0 = MIPS_REG_2, MIPS_REG_V1 = MIPS_REG_3, MIPS_REG_A0 = MIPS_REG_4, MIPS_REG_A1 = MIPS_REG_5, MIPS_REG_A2 = MIPS_REG_6, MIPS_REG_A3 = MIPS_REG_7, MIPS_REG_T0 = MIPS_REG_8, MIPS_REG_T1 = MIPS_REG_9, MIPS_REG_T2 = MIPS_REG_10, MIPS_REG_T3 = MIPS_REG_11, MIPS_REG_T4 = MIPS_REG_12, MIPS_REG_T5 = MIPS_REG_13, MIPS_REG_T6 = MIPS_REG_14, MIPS_REG_T7 = MIPS_REG_15, MIPS_REG_S0 = MIPS_REG_16, MIPS_REG_S1 = MIPS_REG_17, MIPS_REG_S2 = MIPS_REG_18, MIPS_REG_S3 = MIPS_REG_19, MIPS_REG_S4 = MIPS_REG_20, MIPS_REG_S5 = MIPS_REG_21, MIPS_REG_S6 = MIPS_REG_22, MIPS_REG_S7 = MIPS_REG_23, MIPS_REG_T8 = MIPS_REG_24, MIPS_REG_T9 = MIPS_REG_25, MIPS_REG_K0 = MIPS_REG_26, MIPS_REG_K1 = MIPS_REG_27, MIPS_REG_GP = MIPS_REG_28, MIPS_REG_SP = MIPS_REG_29, MIPS_REG_FP = MIPS_REG_30, MIPS_REG_S8 = MIPS_REG_30, MIPS_REG_RA = MIPS_REG_31, MIPS_REG_HI0 = MIPS_REG_AC0, MIPS_REG_HI1 = MIPS_REG_AC1, MIPS_REG_HI2 = MIPS_REG_AC2, MIPS_REG_HI3 = MIPS_REG_AC3, MIPS_REG_LO0 = MIPS_REG_HI0, MIPS_REG_LO1 = MIPS_REG_HI1, MIPS_REG_LO2 = MIPS_REG_HI2, MIPS_REG_LO3 = MIPS_REG_HI3, } mips_reg; // Instruction's operand referring to memory // This is associated with MIPS_OP_MEM operand type above typedef struct mips_op_mem { mips_reg base; // base register int64_t disp; // displacement/offset value } mips_op_mem; // Instruction operand typedef struct cs_mips_op { mips_op_type type; // operand type union { mips_reg reg; // register value for REG operand int64_t imm; // immediate value for IMM operand mips_op_mem mem; // base/index/scale/disp value for MEM operand }; } cs_mips_op; // Instruction structure typedef struct cs_mips { // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_mips_op operands[8]; // operands for this instruction. } cs_mips; //> MIPS instruction typedef enum mips_insn { MIPS_INS_INVALID = 0, MIPS_INS_ABSQ_S, MIPS_INS_ADD, MIPS_INS_ADDIUPC, MIPS_INS_ADDIUR1SP, MIPS_INS_ADDIUR2, MIPS_INS_ADDIUS5, MIPS_INS_ADDIUSP, MIPS_INS_ADDQH, MIPS_INS_ADDQH_R, MIPS_INS_ADDQ, MIPS_INS_ADDQ_S, MIPS_INS_ADDSC, MIPS_INS_ADDS_A, MIPS_INS_ADDS_S, MIPS_INS_ADDS_U, MIPS_INS_ADDU16, MIPS_INS_ADDUH, MIPS_INS_ADDUH_R, MIPS_INS_ADDU, MIPS_INS_ADDU_S, MIPS_INS_ADDVI, MIPS_INS_ADDV, MIPS_INS_ADDWC, MIPS_INS_ADD_A, MIPS_INS_ADDI, MIPS_INS_ADDIU, MIPS_INS_ALIGN, MIPS_INS_ALUIPC, MIPS_INS_AND, MIPS_INS_AND16, MIPS_INS_ANDI16, MIPS_INS_ANDI, MIPS_INS_APPEND, MIPS_INS_ASUB_S, MIPS_INS_ASUB_U, MIPS_INS_AUI, MIPS_INS_AUIPC, MIPS_INS_AVER_S, MIPS_INS_AVER_U, MIPS_INS_AVE_S, MIPS_INS_AVE_U, MIPS_INS_B16, MIPS_INS_BADDU, MIPS_INS_BAL, MIPS_INS_BALC, MIPS_INS_BALIGN, MIPS_INS_BBIT0, MIPS_INS_BBIT032, MIPS_INS_BBIT1, MIPS_INS_BBIT132, MIPS_INS_BC, MIPS_INS_BC0F, MIPS_INS_BC0FL, MIPS_INS_BC0T, MIPS_INS_BC0TL, MIPS_INS_BC1EQZ, MIPS_INS_BC1F, MIPS_INS_BC1FL, MIPS_INS_BC1NEZ, MIPS_INS_BC1T, MIPS_INS_BC1TL, MIPS_INS_BC2EQZ, MIPS_INS_BC2F, MIPS_INS_BC2FL, MIPS_INS_BC2NEZ, MIPS_INS_BC2T, MIPS_INS_BC2TL, MIPS_INS_BC3F, MIPS_INS_BC3FL, MIPS_INS_BC3T, MIPS_INS_BC3TL, MIPS_INS_BCLRI, MIPS_INS_BCLR, MIPS_INS_BEQ, MIPS_INS_BEQC, MIPS_INS_BEQL, MIPS_INS_BEQZ16, MIPS_INS_BEQZALC, MIPS_INS_BEQZC, MIPS_INS_BGEC, MIPS_INS_BGEUC, MIPS_INS_BGEZ, MIPS_INS_BGEZAL, MIPS_INS_BGEZALC, MIPS_INS_BGEZALL, MIPS_INS_BGEZALS, MIPS_INS_BGEZC, MIPS_INS_BGEZL, MIPS_INS_BGTZ, MIPS_INS_BGTZALC, MIPS_INS_BGTZC, MIPS_INS_BGTZL, MIPS_INS_BINSLI, MIPS_INS_BINSL, MIPS_INS_BINSRI, MIPS_INS_BINSR, MIPS_INS_BITREV, MIPS_INS_BITSWAP, MIPS_INS_BLEZ, MIPS_INS_BLEZALC, MIPS_INS_BLEZC, MIPS_INS_BLEZL, MIPS_INS_BLTC, MIPS_INS_BLTUC, MIPS_INS_BLTZ, MIPS_INS_BLTZAL, MIPS_INS_BLTZALC, MIPS_INS_BLTZALL, MIPS_INS_BLTZALS, MIPS_INS_BLTZC, MIPS_INS_BLTZL, MIPS_INS_BMNZI, MIPS_INS_BMNZ, MIPS_INS_BMZI, MIPS_INS_BMZ, MIPS_INS_BNE, MIPS_INS_BNEC, MIPS_INS_BNEGI, MIPS_INS_BNEG, MIPS_INS_BNEL, MIPS_INS_BNEZ16, MIPS_INS_BNEZALC, MIPS_INS_BNEZC, MIPS_INS_BNVC, MIPS_INS_BNZ, MIPS_INS_BOVC, MIPS_INS_BPOSGE32, MIPS_INS_BREAK, MIPS_INS_BREAK16, MIPS_INS_BSELI, MIPS_INS_BSEL, MIPS_INS_BSETI, MIPS_INS_BSET, MIPS_INS_BZ, MIPS_INS_BEQZ, MIPS_INS_B, MIPS_INS_BNEZ, MIPS_INS_BTEQZ, MIPS_INS_BTNEZ, MIPS_INS_CACHE, MIPS_INS_CEIL, MIPS_INS_CEQI, MIPS_INS_CEQ, MIPS_INS_CFC1, MIPS_INS_CFCMSA, MIPS_INS_CINS, MIPS_INS_CINS32, MIPS_INS_CLASS, MIPS_INS_CLEI_S, MIPS_INS_CLEI_U, MIPS_INS_CLE_S, MIPS_INS_CLE_U, MIPS_INS_CLO, MIPS_INS_CLTI_S, MIPS_INS_CLTI_U, MIPS_INS_CLT_S, MIPS_INS_CLT_U, MIPS_INS_CLZ, MIPS_INS_CMPGDU, MIPS_INS_CMPGU, MIPS_INS_CMPU, MIPS_INS_CMP, MIPS_INS_COPY_S, MIPS_INS_COPY_U, MIPS_INS_CTC1, MIPS_INS_CTCMSA, MIPS_INS_CVT, MIPS_INS_C, MIPS_INS_CMPI, MIPS_INS_DADD, MIPS_INS_DADDI, MIPS_INS_DADDIU, MIPS_INS_DADDU, MIPS_INS_DAHI, MIPS_INS_DALIGN, MIPS_INS_DATI, MIPS_INS_DAUI, MIPS_INS_DBITSWAP, MIPS_INS_DCLO, MIPS_INS_DCLZ, MIPS_INS_DDIV, MIPS_INS_DDIVU, MIPS_INS_DERET, MIPS_INS_DEXT, MIPS_INS_DEXTM, MIPS_INS_DEXTU, MIPS_INS_DI, MIPS_INS_DINS, MIPS_INS_DINSM, MIPS_INS_DINSU, MIPS_INS_DIV, MIPS_INS_DIVU, MIPS_INS_DIV_S, MIPS_INS_DIV_U, MIPS_INS_DLSA, MIPS_INS_DMFC0, MIPS_INS_DMFC1, MIPS_INS_DMFC2, MIPS_INS_DMOD, MIPS_INS_DMODU, MIPS_INS_DMTC0, MIPS_INS_DMTC1, MIPS_INS_DMTC2, MIPS_INS_DMUH, MIPS_INS_DMUHU, MIPS_INS_DMUL, MIPS_INS_DMULT, MIPS_INS_DMULTU, MIPS_INS_DMULU, MIPS_INS_DOTP_S, MIPS_INS_DOTP_U, MIPS_INS_DPADD_S, MIPS_INS_DPADD_U, MIPS_INS_DPAQX_SA, MIPS_INS_DPAQX_S, MIPS_INS_DPAQ_SA, MIPS_INS_DPAQ_S, MIPS_INS_DPAU, MIPS_INS_DPAX, MIPS_INS_DPA, MIPS_INS_DPOP, MIPS_INS_DPSQX_SA, MIPS_INS_DPSQX_S, MIPS_INS_DPSQ_SA, MIPS_INS_DPSQ_S, MIPS_INS_DPSUB_S, MIPS_INS_DPSUB_U, MIPS_INS_DPSU, MIPS_INS_DPSX, MIPS_INS_DPS, MIPS_INS_DROTR, MIPS_INS_DROTR32, MIPS_INS_DROTRV, MIPS_INS_DSBH, MIPS_INS_DSHD, MIPS_INS_DSLL, MIPS_INS_DSLL32, MIPS_INS_DSLLV, MIPS_INS_DSRA, MIPS_INS_DSRA32, MIPS_INS_DSRAV, MIPS_INS_DSRL, MIPS_INS_DSRL32, MIPS_INS_DSRLV, MIPS_INS_DSUB, MIPS_INS_DSUBU, MIPS_INS_EHB, MIPS_INS_EI, MIPS_INS_ERET, MIPS_INS_EXT, MIPS_INS_EXTP, MIPS_INS_EXTPDP, MIPS_INS_EXTPDPV, MIPS_INS_EXTPV, MIPS_INS_EXTRV_RS, MIPS_INS_EXTRV_R, MIPS_INS_EXTRV_S, MIPS_INS_EXTRV, MIPS_INS_EXTR_RS, MIPS_INS_EXTR_R, MIPS_INS_EXTR_S, MIPS_INS_EXTR, MIPS_INS_EXTS, MIPS_INS_EXTS32, MIPS_INS_ABS, MIPS_INS_FADD, MIPS_INS_FCAF, MIPS_INS_FCEQ, MIPS_INS_FCLASS, MIPS_INS_FCLE, MIPS_INS_FCLT, MIPS_INS_FCNE, MIPS_INS_FCOR, MIPS_INS_FCUEQ, MIPS_INS_FCULE, MIPS_INS_FCULT, MIPS_INS_FCUNE, MIPS_INS_FCUN, MIPS_INS_FDIV, MIPS_INS_FEXDO, MIPS_INS_FEXP2, MIPS_INS_FEXUPL, MIPS_INS_FEXUPR, MIPS_INS_FFINT_S, MIPS_INS_FFINT_U, MIPS_INS_FFQL, MIPS_INS_FFQR, MIPS_INS_FILL, MIPS_INS_FLOG2, MIPS_INS_FLOOR, MIPS_INS_FMADD, MIPS_INS_FMAX_A, MIPS_INS_FMAX, MIPS_INS_FMIN_A, MIPS_INS_FMIN, MIPS_INS_MOV, MIPS_INS_FMSUB, MIPS_INS_FMUL, MIPS_INS_MUL, MIPS_INS_NEG, MIPS_INS_FRCP, MIPS_INS_FRINT, MIPS_INS_FRSQRT, MIPS_INS_FSAF, MIPS_INS_FSEQ, MIPS_INS_FSLE, MIPS_INS_FSLT, MIPS_INS_FSNE, MIPS_INS_FSOR, MIPS_INS_FSQRT, MIPS_INS_SQRT, MIPS_INS_FSUB, MIPS_INS_SUB, MIPS_INS_FSUEQ, MIPS_INS_FSULE, MIPS_INS_FSULT, MIPS_INS_FSUNE, MIPS_INS_FSUN, MIPS_INS_FTINT_S, MIPS_INS_FTINT_U, MIPS_INS_FTQ, MIPS_INS_FTRUNC_S, MIPS_INS_FTRUNC_U, MIPS_INS_HADD_S, MIPS_INS_HADD_U, MIPS_INS_HSUB_S, MIPS_INS_HSUB_U, MIPS_INS_ILVEV, MIPS_INS_ILVL, MIPS_INS_ILVOD, MIPS_INS_ILVR, MIPS_INS_INS, MIPS_INS_INSERT, MIPS_INS_INSV, MIPS_INS_INSVE, MIPS_INS_J, MIPS_INS_JAL, MIPS_INS_JALR, MIPS_INS_JALRS16, MIPS_INS_JALRS, MIPS_INS_JALS, MIPS_INS_JALX, MIPS_INS_JIALC, MIPS_INS_JIC, MIPS_INS_JR, MIPS_INS_JR16, MIPS_INS_JRADDIUSP, MIPS_INS_JRC, MIPS_INS_JALRC, MIPS_INS_LB, MIPS_INS_LBU16, MIPS_INS_LBUX, MIPS_INS_LBU, MIPS_INS_LD, MIPS_INS_LDC1, MIPS_INS_LDC2, MIPS_INS_LDC3, MIPS_INS_LDI, MIPS_INS_LDL, MIPS_INS_LDPC, MIPS_INS_LDR, MIPS_INS_LDXC1, MIPS_INS_LH, MIPS_INS_LHU16, MIPS_INS_LHX, MIPS_INS_LHU, MIPS_INS_LI16, MIPS_INS_LL, MIPS_INS_LLD, MIPS_INS_LSA, MIPS_INS_LUXC1, MIPS_INS_LUI, MIPS_INS_LW, MIPS_INS_LW16, MIPS_INS_LWC1, MIPS_INS_LWC2, MIPS_INS_LWC3, MIPS_INS_LWL, MIPS_INS_LWM16, MIPS_INS_LWM32, MIPS_INS_LWPC, MIPS_INS_LWP, MIPS_INS_LWR, MIPS_INS_LWUPC, MIPS_INS_LWU, MIPS_INS_LWX, MIPS_INS_LWXC1, MIPS_INS_LWXS, MIPS_INS_LI, MIPS_INS_MADD, MIPS_INS_MADDF, MIPS_INS_MADDR_Q, MIPS_INS_MADDU, MIPS_INS_MADDV, MIPS_INS_MADD_Q, MIPS_INS_MAQ_SA, MIPS_INS_MAQ_S, MIPS_INS_MAXA, MIPS_INS_MAXI_S, MIPS_INS_MAXI_U, MIPS_INS_MAX_A, MIPS_INS_MAX, MIPS_INS_MAX_S, MIPS_INS_MAX_U, MIPS_INS_MFC0, MIPS_INS_MFC1, MIPS_INS_MFC2, MIPS_INS_MFHC1, MIPS_INS_MFHI, MIPS_INS_MFLO, MIPS_INS_MINA, MIPS_INS_MINI_S, MIPS_INS_MINI_U, MIPS_INS_MIN_A, MIPS_INS_MIN, MIPS_INS_MIN_S, MIPS_INS_MIN_U, MIPS_INS_MOD, MIPS_INS_MODSUB, MIPS_INS_MODU, MIPS_INS_MOD_S, MIPS_INS_MOD_U, MIPS_INS_MOVE, MIPS_INS_MOVEP, MIPS_INS_MOVF, MIPS_INS_MOVN, MIPS_INS_MOVT, MIPS_INS_MOVZ, MIPS_INS_MSUB, MIPS_INS_MSUBF, MIPS_INS_MSUBR_Q, MIPS_INS_MSUBU, MIPS_INS_MSUBV, MIPS_INS_MSUB_Q, MIPS_INS_MTC0, MIPS_INS_MTC1, MIPS_INS_MTC2, MIPS_INS_MTHC1, MIPS_INS_MTHI, MIPS_INS_MTHLIP, MIPS_INS_MTLO, MIPS_INS_MTM0, MIPS_INS_MTM1, MIPS_INS_MTM2, MIPS_INS_MTP0, MIPS_INS_MTP1, MIPS_INS_MTP2, MIPS_INS_MUH, MIPS_INS_MUHU, MIPS_INS_MULEQ_S, MIPS_INS_MULEU_S, MIPS_INS_MULQ_RS, MIPS_INS_MULQ_S, MIPS_INS_MULR_Q, MIPS_INS_MULSAQ_S, MIPS_INS_MULSA, MIPS_INS_MULT, MIPS_INS_MULTU, MIPS_INS_MULU, MIPS_INS_MULV, MIPS_INS_MUL_Q, MIPS_INS_MUL_S, MIPS_INS_NLOC, MIPS_INS_NLZC, MIPS_INS_NMADD, MIPS_INS_NMSUB, MIPS_INS_NOR, MIPS_INS_NORI, MIPS_INS_NOT16, MIPS_INS_NOT, MIPS_INS_OR, MIPS_INS_OR16, MIPS_INS_ORI, MIPS_INS_PACKRL, MIPS_INS_PAUSE, MIPS_INS_PCKEV, MIPS_INS_PCKOD, MIPS_INS_PCNT, MIPS_INS_PICK, MIPS_INS_POP, MIPS_INS_PRECEQU, MIPS_INS_PRECEQ, MIPS_INS_PRECEU, MIPS_INS_PRECRQU_S, MIPS_INS_PRECRQ, MIPS_INS_PRECRQ_RS, MIPS_INS_PRECR, MIPS_INS_PRECR_SRA, MIPS_INS_PRECR_SRA_R, MIPS_INS_PREF, MIPS_INS_PREPEND, MIPS_INS_RADDU, MIPS_INS_RDDSP, MIPS_INS_RDHWR, MIPS_INS_REPLV, MIPS_INS_REPL, MIPS_INS_RINT, MIPS_INS_ROTR, MIPS_INS_ROTRV, MIPS_INS_ROUND, MIPS_INS_SAT_S, MIPS_INS_SAT_U, MIPS_INS_SB, MIPS_INS_SB16, MIPS_INS_SC, MIPS_INS_SCD, MIPS_INS_SD, MIPS_INS_SDBBP, MIPS_INS_SDBBP16, MIPS_INS_SDC1, MIPS_INS_SDC2, MIPS_INS_SDC3, MIPS_INS_SDL, MIPS_INS_SDR, MIPS_INS_SDXC1, MIPS_INS_SEB, MIPS_INS_SEH, MIPS_INS_SELEQZ, MIPS_INS_SELNEZ, MIPS_INS_SEL, MIPS_INS_SEQ, MIPS_INS_SEQI, MIPS_INS_SH, MIPS_INS_SH16, MIPS_INS_SHF, MIPS_INS_SHILO, MIPS_INS_SHILOV, MIPS_INS_SHLLV, MIPS_INS_SHLLV_S, MIPS_INS_SHLL, MIPS_INS_SHLL_S, MIPS_INS_SHRAV, MIPS_INS_SHRAV_R, MIPS_INS_SHRA, MIPS_INS_SHRA_R, MIPS_INS_SHRLV, MIPS_INS_SHRL, MIPS_INS_SLDI, MIPS_INS_SLD, MIPS_INS_SLL, MIPS_INS_SLL16, MIPS_INS_SLLI, MIPS_INS_SLLV, MIPS_INS_SLT, MIPS_INS_SLTI, MIPS_INS_SLTIU, MIPS_INS_SLTU, MIPS_INS_SNE, MIPS_INS_SNEI, MIPS_INS_SPLATI, MIPS_INS_SPLAT, MIPS_INS_SRA, MIPS_INS_SRAI, MIPS_INS_SRARI, MIPS_INS_SRAR, MIPS_INS_SRAV, MIPS_INS_SRL, MIPS_INS_SRL16, MIPS_INS_SRLI, MIPS_INS_SRLRI, MIPS_INS_SRLR, MIPS_INS_SRLV, MIPS_INS_SSNOP, MIPS_INS_ST, MIPS_INS_SUBQH, MIPS_INS_SUBQH_R, MIPS_INS_SUBQ, MIPS_INS_SUBQ_S, MIPS_INS_SUBSUS_U, MIPS_INS_SUBSUU_S, MIPS_INS_SUBS_S, MIPS_INS_SUBS_U, MIPS_INS_SUBU16, MIPS_INS_SUBUH, MIPS_INS_SUBUH_R, MIPS_INS_SUBU, MIPS_INS_SUBU_S, MIPS_INS_SUBVI, MIPS_INS_SUBV, MIPS_INS_SUXC1, MIPS_INS_SW, MIPS_INS_SW16, MIPS_INS_SWC1, MIPS_INS_SWC2, MIPS_INS_SWC3, MIPS_INS_SWL, MIPS_INS_SWM16, MIPS_INS_SWM32, MIPS_INS_SWP, MIPS_INS_SWR, MIPS_INS_SWXC1, MIPS_INS_SYNC, MIPS_INS_SYNCI, MIPS_INS_SYSCALL, MIPS_INS_TEQ, MIPS_INS_TEQI, MIPS_INS_TGE, MIPS_INS_TGEI, MIPS_INS_TGEIU, MIPS_INS_TGEU, MIPS_INS_TLBP, MIPS_INS_TLBR, MIPS_INS_TLBWI, MIPS_INS_TLBWR, MIPS_INS_TLT, MIPS_INS_TLTI, MIPS_INS_TLTIU, MIPS_INS_TLTU, MIPS_INS_TNE, MIPS_INS_TNEI, MIPS_INS_TRUNC, MIPS_INS_V3MULU, MIPS_INS_VMM0, MIPS_INS_VMULU, MIPS_INS_VSHF, MIPS_INS_WAIT, MIPS_INS_WRDSP, MIPS_INS_WSBH, MIPS_INS_XOR, MIPS_INS_XOR16, MIPS_INS_XORI, //> some alias instructions MIPS_INS_NOP, MIPS_INS_NEGU, //> special instructions MIPS_INS_JALR_HB, // jump and link with Hazard Barrier MIPS_INS_JR_HB, // jump register with Hazard Barrier MIPS_INS_ENDING, } mips_insn; //> Group of MIPS instructions typedef enum mips_insn_group { MIPS_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) MIPS_GRP_JUMP, // = CS_GRP_JUMP // all call instructions MIPS_GRP_CALL, // = CS_GRP_CALL // all return instructions MIPS_GRP_RET, // = CS_GRP_RET // all interrupt instructions (int+syscall) MIPS_GRP_INT, // = CS_GRP_INT // all interrupt return instructions MIPS_GRP_IRET, // = CS_GRP_IRET // all privileged instructions MIPS_GRP_PRIVILEGE, // = CS_GRP_PRIVILEGE //> Architecture-specific groups MIPS_GRP_BITCOUNT = 128, MIPS_GRP_DSP, MIPS_GRP_DSPR2, MIPS_GRP_FPIDX, MIPS_GRP_MSA, MIPS_GRP_MIPS32R2, MIPS_GRP_MIPS64, MIPS_GRP_MIPS64R2, MIPS_GRP_SEINREG, MIPS_GRP_STDENC, MIPS_GRP_SWAP, MIPS_GRP_MICROMIPS, MIPS_GRP_MIPS16MODE, MIPS_GRP_FP64BIT, MIPS_GRP_NONANSFPMATH, MIPS_GRP_NOTFP64BIT, MIPS_GRP_NOTINMICROMIPS, MIPS_GRP_NOTNACL, MIPS_GRP_NOTMIPS32R6, MIPS_GRP_NOTMIPS64R6, MIPS_GRP_CNMIPS, MIPS_GRP_MIPS32, MIPS_GRP_MIPS32R6, MIPS_GRP_MIPS64R6, MIPS_GRP_MIPS2, MIPS_GRP_MIPS3, MIPS_GRP_MIPS3_32, MIPS_GRP_MIPS3_32R2, MIPS_GRP_MIPS4_32, MIPS_GRP_MIPS4_32R2, MIPS_GRP_MIPS5_32R2, MIPS_GRP_GP32BIT, MIPS_GRP_GP64BIT, MIPS_GRP_ENDING, } mips_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/platform.h ================================================ /* Capstone Disassembly Engine */ /* By Axel Souchet & Nguyen Anh Quynh, 2014 */ #ifndef CAPSTONE_PLATFORM_H #define CAPSTONE_PLATFORM_H // handle C99 issue (for pre-2013 VisualStudio) #if !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) // MSVC // stdbool.h #if (_MSC_VER < 1800) || defined(_KERNEL_MODE) // this system does not have stdbool.h #ifndef __cplusplus typedef unsigned char bool; #define false 0 #define true 1 #endif // __cplusplus #else // VisualStudio 2013+ -> C99 is supported #include #endif // (_MSC_VER < 1800) || defined(_KERNEL_MODE) #else // not MSVC -> C99 is supported #include #endif // !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) // handle inttypes.h / stdint.h compatibility #if defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) #include "windowsce/stdint.h" #endif // defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) #if defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) // this system does not have inttypes.h #if defined(_MSC_VER) && (_MSC_VER < 1600 || defined(_KERNEL_MODE)) // this system does not have stdint.h typedef signed char int8_t; typedef signed short int16_t; typedef signed int int32_t; typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; typedef signed long long int64_t; typedef unsigned long long uint64_t; #define INT8_MIN (-127i8 - 1) #define INT16_MIN (-32767i16 - 1) #define INT32_MIN (-2147483647i32 - 1) #define INT64_MIN (-9223372036854775807i64 - 1) #define INT8_MAX 127i8 #define INT16_MAX 32767i16 #define INT32_MAX 2147483647i32 #define INT64_MAX 9223372036854775807i64 #define UINT8_MAX 0xffui8 #define UINT16_MAX 0xffffui16 #define UINT32_MAX 0xffffffffui32 #define UINT64_MAX 0xffffffffffffffffui64 #endif // defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE)) #define __PRI_8_LENGTH_MODIFIER__ "hh" #define __PRI_64_LENGTH_MODIFIER__ "ll" #define PRId8 __PRI_8_LENGTH_MODIFIER__ "d" #define PRIi8 __PRI_8_LENGTH_MODIFIER__ "i" #define PRIo8 __PRI_8_LENGTH_MODIFIER__ "o" #define PRIu8 __PRI_8_LENGTH_MODIFIER__ "u" #define PRIx8 __PRI_8_LENGTH_MODIFIER__ "x" #define PRIX8 __PRI_8_LENGTH_MODIFIER__ "X" #define PRId16 "hd" #define PRIi16 "hi" #define PRIo16 "ho" #define PRIu16 "hu" #define PRIx16 "hx" #define PRIX16 "hX" #if defined(_MSC_VER) && _MSC_VER <= 1700 #define PRId32 "ld" #define PRIi32 "li" #define PRIo32 "lo" #define PRIu32 "lu" #define PRIx32 "lx" #define PRIX32 "lX" #else // OSX #define PRId32 "d" #define PRIi32 "i" #define PRIo32 "o" #define PRIu32 "u" #define PRIx32 "x" #define PRIX32 "X" #endif // defined(_MSC_VER) && _MSC_VER <= 1700 #if defined(_MSC_VER) && _MSC_VER <= 1700 // redefine functions from inttypes.h used in cstool #define strtoull _strtoui64 #endif #define PRId64 __PRI_64_LENGTH_MODIFIER__ "d" #define PRIi64 __PRI_64_LENGTH_MODIFIER__ "i" #define PRIo64 __PRI_64_LENGTH_MODIFIER__ "o" #define PRIu64 __PRI_64_LENGTH_MODIFIER__ "u" #define PRIx64 __PRI_64_LENGTH_MODIFIER__ "x" #define PRIX64 __PRI_64_LENGTH_MODIFIER__ "X" #else // this system has inttypes.h by default #include #endif // defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/ppc.h ================================================ #ifndef CAPSTONE_PPC_H #define CAPSTONE_PPC_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> PPC branch codes for some branch instructions typedef enum ppc_bc { PPC_BC_INVALID = 0, PPC_BC_LT = (0 << 5) | 12, PPC_BC_LE = (1 << 5) | 4, PPC_BC_EQ = (2 << 5) | 12, PPC_BC_GE = (0 << 5) | 4, PPC_BC_GT = (1 << 5) | 12, PPC_BC_NE = (2 << 5) | 4, PPC_BC_UN = (3 << 5) | 12, PPC_BC_NU = (3 << 5) | 4, // extra conditions PPC_BC_SO = (4 << 5) | 12, // summary overflow PPC_BC_NS = (4 << 5) | 4, // not summary overflow } ppc_bc; //> PPC branch hint for some branch instructions typedef enum ppc_bh { PPC_BH_INVALID = 0, // no hint PPC_BH_PLUS, // PLUS hint PPC_BH_MINUS, // MINUS hint } ppc_bh; //> Operand type for instruction's operands typedef enum ppc_op_type { PPC_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). PPC_OP_REG, // = CS_OP_REG (Register operand). PPC_OP_IMM, // = CS_OP_IMM (Immediate operand). PPC_OP_MEM, // = CS_OP_MEM (Memory operand). PPC_OP_CRX = 64, // Condition Register field } ppc_op_type; //> PPC registers typedef enum ppc_reg { PPC_REG_INVALID = 0, PPC_REG_CARRY, PPC_REG_CR0, PPC_REG_CR1, PPC_REG_CR2, PPC_REG_CR3, PPC_REG_CR4, PPC_REG_CR5, PPC_REG_CR6, PPC_REG_CR7, PPC_REG_CTR, PPC_REG_F0, PPC_REG_F1, PPC_REG_F2, PPC_REG_F3, PPC_REG_F4, PPC_REG_F5, PPC_REG_F6, PPC_REG_F7, PPC_REG_F8, PPC_REG_F9, PPC_REG_F10, PPC_REG_F11, PPC_REG_F12, PPC_REG_F13, PPC_REG_F14, PPC_REG_F15, PPC_REG_F16, PPC_REG_F17, PPC_REG_F18, PPC_REG_F19, PPC_REG_F20, PPC_REG_F21, PPC_REG_F22, PPC_REG_F23, PPC_REG_F24, PPC_REG_F25, PPC_REG_F26, PPC_REG_F27, PPC_REG_F28, PPC_REG_F29, PPC_REG_F30, PPC_REG_F31, PPC_REG_LR, PPC_REG_R0, PPC_REG_R1, PPC_REG_R2, PPC_REG_R3, PPC_REG_R4, PPC_REG_R5, PPC_REG_R6, PPC_REG_R7, PPC_REG_R8, PPC_REG_R9, PPC_REG_R10, PPC_REG_R11, PPC_REG_R12, PPC_REG_R13, PPC_REG_R14, PPC_REG_R15, PPC_REG_R16, PPC_REG_R17, PPC_REG_R18, PPC_REG_R19, PPC_REG_R20, PPC_REG_R21, PPC_REG_R22, PPC_REG_R23, PPC_REG_R24, PPC_REG_R25, PPC_REG_R26, PPC_REG_R27, PPC_REG_R28, PPC_REG_R29, PPC_REG_R30, PPC_REG_R31, PPC_REG_V0, PPC_REG_V1, PPC_REG_V2, PPC_REG_V3, PPC_REG_V4, PPC_REG_V5, PPC_REG_V6, PPC_REG_V7, PPC_REG_V8, PPC_REG_V9, PPC_REG_V10, PPC_REG_V11, PPC_REG_V12, PPC_REG_V13, PPC_REG_V14, PPC_REG_V15, PPC_REG_V16, PPC_REG_V17, PPC_REG_V18, PPC_REG_V19, PPC_REG_V20, PPC_REG_V21, PPC_REG_V22, PPC_REG_V23, PPC_REG_V24, PPC_REG_V25, PPC_REG_V26, PPC_REG_V27, PPC_REG_V28, PPC_REG_V29, PPC_REG_V30, PPC_REG_V31, PPC_REG_VRSAVE, PPC_REG_VS0, PPC_REG_VS1, PPC_REG_VS2, PPC_REG_VS3, PPC_REG_VS4, PPC_REG_VS5, PPC_REG_VS6, PPC_REG_VS7, PPC_REG_VS8, PPC_REG_VS9, PPC_REG_VS10, PPC_REG_VS11, PPC_REG_VS12, PPC_REG_VS13, PPC_REG_VS14, PPC_REG_VS15, PPC_REG_VS16, PPC_REG_VS17, PPC_REG_VS18, PPC_REG_VS19, PPC_REG_VS20, PPC_REG_VS21, PPC_REG_VS22, PPC_REG_VS23, PPC_REG_VS24, PPC_REG_VS25, PPC_REG_VS26, PPC_REG_VS27, PPC_REG_VS28, PPC_REG_VS29, PPC_REG_VS30, PPC_REG_VS31, PPC_REG_VS32, PPC_REG_VS33, PPC_REG_VS34, PPC_REG_VS35, PPC_REG_VS36, PPC_REG_VS37, PPC_REG_VS38, PPC_REG_VS39, PPC_REG_VS40, PPC_REG_VS41, PPC_REG_VS42, PPC_REG_VS43, PPC_REG_VS44, PPC_REG_VS45, PPC_REG_VS46, PPC_REG_VS47, PPC_REG_VS48, PPC_REG_VS49, PPC_REG_VS50, PPC_REG_VS51, PPC_REG_VS52, PPC_REG_VS53, PPC_REG_VS54, PPC_REG_VS55, PPC_REG_VS56, PPC_REG_VS57, PPC_REG_VS58, PPC_REG_VS59, PPC_REG_VS60, PPC_REG_VS61, PPC_REG_VS62, PPC_REG_VS63, PPC_REG_Q0, PPC_REG_Q1, PPC_REG_Q2, PPC_REG_Q3, PPC_REG_Q4, PPC_REG_Q5, PPC_REG_Q6, PPC_REG_Q7, PPC_REG_Q8, PPC_REG_Q9, PPC_REG_Q10, PPC_REG_Q11, PPC_REG_Q12, PPC_REG_Q13, PPC_REG_Q14, PPC_REG_Q15, PPC_REG_Q16, PPC_REG_Q17, PPC_REG_Q18, PPC_REG_Q19, PPC_REG_Q20, PPC_REG_Q21, PPC_REG_Q22, PPC_REG_Q23, PPC_REG_Q24, PPC_REG_Q25, PPC_REG_Q26, PPC_REG_Q27, PPC_REG_Q28, PPC_REG_Q29, PPC_REG_Q30, PPC_REG_Q31, // extra registers for PPCMapping.c PPC_REG_RM, PPC_REG_CTR8, PPC_REG_LR8, PPC_REG_CR1EQ, PPC_REG_X2, PPC_REG_ENDING, // <-- mark the end of the list of registers } ppc_reg; // Instruction's operand referring to memory // This is associated with PPC_OP_MEM operand type above typedef struct ppc_op_mem { ppc_reg base; // base register int32_t disp; // displacement/offset value } ppc_op_mem; typedef struct ppc_op_crx { unsigned int scale; ppc_reg reg; ppc_bc cond; } ppc_op_crx; // Instruction operand typedef struct cs_ppc_op { ppc_op_type type; // operand type union { ppc_reg reg; // register value for REG operand int64_t imm; // immediate value for IMM operand ppc_op_mem mem; // base/disp value for MEM operand ppc_op_crx crx; // operand with condition register }; } cs_ppc_op; // Instruction structure typedef struct cs_ppc { // branch code for branch instructions ppc_bc bc; // branch hint for branch instructions ppc_bh bh; // if update_cr0 = True, then this 'dot' insn updates CR0 bool update_cr0; // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_ppc_op operands[8]; // operands for this instruction. } cs_ppc; //> PPC instruction typedef enum ppc_insn { PPC_INS_INVALID = 0, PPC_INS_ADD, PPC_INS_ADDC, PPC_INS_ADDE, PPC_INS_ADDI, PPC_INS_ADDIC, PPC_INS_ADDIS, PPC_INS_ADDME, PPC_INS_ADDZE, PPC_INS_AND, PPC_INS_ANDC, PPC_INS_ANDIS, PPC_INS_ANDI, PPC_INS_ATTN, PPC_INS_B, PPC_INS_BA, PPC_INS_BC, PPC_INS_BCCTR, PPC_INS_BCCTRL, PPC_INS_BCL, PPC_INS_BCLR, PPC_INS_BCLRL, PPC_INS_BCTR, PPC_INS_BCTRL, PPC_INS_BCT, PPC_INS_BDNZ, PPC_INS_BDNZA, PPC_INS_BDNZL, PPC_INS_BDNZLA, PPC_INS_BDNZLR, PPC_INS_BDNZLRL, PPC_INS_BDZ, PPC_INS_BDZA, PPC_INS_BDZL, PPC_INS_BDZLA, PPC_INS_BDZLR, PPC_INS_BDZLRL, PPC_INS_BL, PPC_INS_BLA, PPC_INS_BLR, PPC_INS_BLRL, PPC_INS_BRINC, PPC_INS_CMPB, PPC_INS_CMPD, PPC_INS_CMPDI, PPC_INS_CMPLD, PPC_INS_CMPLDI, PPC_INS_CMPLW, PPC_INS_CMPLWI, PPC_INS_CMPW, PPC_INS_CMPWI, PPC_INS_CNTLZD, PPC_INS_CNTLZW, PPC_INS_CREQV, PPC_INS_CRXOR, PPC_INS_CRAND, PPC_INS_CRANDC, PPC_INS_CRNAND, PPC_INS_CRNOR, PPC_INS_CROR, PPC_INS_CRORC, PPC_INS_DCBA, PPC_INS_DCBF, PPC_INS_DCBI, PPC_INS_DCBST, PPC_INS_DCBT, PPC_INS_DCBTST, PPC_INS_DCBZ, PPC_INS_DCBZL, PPC_INS_DCCCI, PPC_INS_DIVD, PPC_INS_DIVDU, PPC_INS_DIVW, PPC_INS_DIVWU, PPC_INS_DSS, PPC_INS_DSSALL, PPC_INS_DST, PPC_INS_DSTST, PPC_INS_DSTSTT, PPC_INS_DSTT, PPC_INS_EQV, PPC_INS_EVABS, PPC_INS_EVADDIW, PPC_INS_EVADDSMIAAW, PPC_INS_EVADDSSIAAW, PPC_INS_EVADDUMIAAW, PPC_INS_EVADDUSIAAW, PPC_INS_EVADDW, PPC_INS_EVAND, PPC_INS_EVANDC, PPC_INS_EVCMPEQ, PPC_INS_EVCMPGTS, PPC_INS_EVCMPGTU, PPC_INS_EVCMPLTS, PPC_INS_EVCMPLTU, PPC_INS_EVCNTLSW, PPC_INS_EVCNTLZW, PPC_INS_EVDIVWS, PPC_INS_EVDIVWU, PPC_INS_EVEQV, PPC_INS_EVEXTSB, PPC_INS_EVEXTSH, PPC_INS_EVLDD, PPC_INS_EVLDDX, PPC_INS_EVLDH, PPC_INS_EVLDHX, PPC_INS_EVLDW, PPC_INS_EVLDWX, PPC_INS_EVLHHESPLAT, PPC_INS_EVLHHESPLATX, PPC_INS_EVLHHOSSPLAT, PPC_INS_EVLHHOSSPLATX, PPC_INS_EVLHHOUSPLAT, PPC_INS_EVLHHOUSPLATX, PPC_INS_EVLWHE, PPC_INS_EVLWHEX, PPC_INS_EVLWHOS, PPC_INS_EVLWHOSX, PPC_INS_EVLWHOU, PPC_INS_EVLWHOUX, PPC_INS_EVLWHSPLAT, PPC_INS_EVLWHSPLATX, PPC_INS_EVLWWSPLAT, PPC_INS_EVLWWSPLATX, PPC_INS_EVMERGEHI, PPC_INS_EVMERGEHILO, PPC_INS_EVMERGELO, PPC_INS_EVMERGELOHI, PPC_INS_EVMHEGSMFAA, PPC_INS_EVMHEGSMFAN, PPC_INS_EVMHEGSMIAA, PPC_INS_EVMHEGSMIAN, PPC_INS_EVMHEGUMIAA, PPC_INS_EVMHEGUMIAN, PPC_INS_EVMHESMF, PPC_INS_EVMHESMFA, PPC_INS_EVMHESMFAAW, PPC_INS_EVMHESMFANW, PPC_INS_EVMHESMI, PPC_INS_EVMHESMIA, PPC_INS_EVMHESMIAAW, PPC_INS_EVMHESMIANW, PPC_INS_EVMHESSF, PPC_INS_EVMHESSFA, PPC_INS_EVMHESSFAAW, PPC_INS_EVMHESSFANW, PPC_INS_EVMHESSIAAW, PPC_INS_EVMHESSIANW, PPC_INS_EVMHEUMI, PPC_INS_EVMHEUMIA, PPC_INS_EVMHEUMIAAW, PPC_INS_EVMHEUMIANW, PPC_INS_EVMHEUSIAAW, PPC_INS_EVMHEUSIANW, PPC_INS_EVMHOGSMFAA, PPC_INS_EVMHOGSMFAN, PPC_INS_EVMHOGSMIAA, PPC_INS_EVMHOGSMIAN, PPC_INS_EVMHOGUMIAA, PPC_INS_EVMHOGUMIAN, PPC_INS_EVMHOSMF, PPC_INS_EVMHOSMFA, PPC_INS_EVMHOSMFAAW, PPC_INS_EVMHOSMFANW, PPC_INS_EVMHOSMI, PPC_INS_EVMHOSMIA, PPC_INS_EVMHOSMIAAW, PPC_INS_EVMHOSMIANW, PPC_INS_EVMHOSSF, PPC_INS_EVMHOSSFA, PPC_INS_EVMHOSSFAAW, PPC_INS_EVMHOSSFANW, PPC_INS_EVMHOSSIAAW, PPC_INS_EVMHOSSIANW, PPC_INS_EVMHOUMI, PPC_INS_EVMHOUMIA, PPC_INS_EVMHOUMIAAW, PPC_INS_EVMHOUMIANW, PPC_INS_EVMHOUSIAAW, PPC_INS_EVMHOUSIANW, PPC_INS_EVMRA, PPC_INS_EVMWHSMF, PPC_INS_EVMWHSMFA, PPC_INS_EVMWHSMI, PPC_INS_EVMWHSMIA, PPC_INS_EVMWHSSF, PPC_INS_EVMWHSSFA, PPC_INS_EVMWHUMI, PPC_INS_EVMWHUMIA, PPC_INS_EVMWLSMIAAW, PPC_INS_EVMWLSMIANW, PPC_INS_EVMWLSSIAAW, PPC_INS_EVMWLSSIANW, PPC_INS_EVMWLUMI, PPC_INS_EVMWLUMIA, PPC_INS_EVMWLUMIAAW, PPC_INS_EVMWLUMIANW, PPC_INS_EVMWLUSIAAW, PPC_INS_EVMWLUSIANW, PPC_INS_EVMWSMF, PPC_INS_EVMWSMFA, PPC_INS_EVMWSMFAA, PPC_INS_EVMWSMFAN, PPC_INS_EVMWSMI, PPC_INS_EVMWSMIA, PPC_INS_EVMWSMIAA, PPC_INS_EVMWSMIAN, PPC_INS_EVMWSSF, PPC_INS_EVMWSSFA, PPC_INS_EVMWSSFAA, PPC_INS_EVMWSSFAN, PPC_INS_EVMWUMI, PPC_INS_EVMWUMIA, PPC_INS_EVMWUMIAA, PPC_INS_EVMWUMIAN, PPC_INS_EVNAND, PPC_INS_EVNEG, PPC_INS_EVNOR, PPC_INS_EVOR, PPC_INS_EVORC, PPC_INS_EVRLW, PPC_INS_EVRLWI, PPC_INS_EVRNDW, PPC_INS_EVSLW, PPC_INS_EVSLWI, PPC_INS_EVSPLATFI, PPC_INS_EVSPLATI, PPC_INS_EVSRWIS, PPC_INS_EVSRWIU, PPC_INS_EVSRWS, PPC_INS_EVSRWU, PPC_INS_EVSTDD, PPC_INS_EVSTDDX, PPC_INS_EVSTDH, PPC_INS_EVSTDHX, PPC_INS_EVSTDW, PPC_INS_EVSTDWX, PPC_INS_EVSTWHE, PPC_INS_EVSTWHEX, PPC_INS_EVSTWHO, PPC_INS_EVSTWHOX, PPC_INS_EVSTWWE, PPC_INS_EVSTWWEX, PPC_INS_EVSTWWO, PPC_INS_EVSTWWOX, PPC_INS_EVSUBFSMIAAW, PPC_INS_EVSUBFSSIAAW, PPC_INS_EVSUBFUMIAAW, PPC_INS_EVSUBFUSIAAW, PPC_INS_EVSUBFW, PPC_INS_EVSUBIFW, PPC_INS_EVXOR, PPC_INS_EXTSB, PPC_INS_EXTSH, PPC_INS_EXTSW, PPC_INS_EIEIO, PPC_INS_FABS, PPC_INS_FADD, PPC_INS_FADDS, PPC_INS_FCFID, PPC_INS_FCFIDS, PPC_INS_FCFIDU, PPC_INS_FCFIDUS, PPC_INS_FCMPU, PPC_INS_FCPSGN, PPC_INS_FCTID, PPC_INS_FCTIDUZ, PPC_INS_FCTIDZ, PPC_INS_FCTIW, PPC_INS_FCTIWUZ, PPC_INS_FCTIWZ, PPC_INS_FDIV, PPC_INS_FDIVS, PPC_INS_FMADD, PPC_INS_FMADDS, PPC_INS_FMR, PPC_INS_FMSUB, PPC_INS_FMSUBS, PPC_INS_FMUL, PPC_INS_FMULS, PPC_INS_FNABS, PPC_INS_FNEG, PPC_INS_FNMADD, PPC_INS_FNMADDS, PPC_INS_FNMSUB, PPC_INS_FNMSUBS, PPC_INS_FRE, PPC_INS_FRES, PPC_INS_FRIM, PPC_INS_FRIN, PPC_INS_FRIP, PPC_INS_FRIZ, PPC_INS_FRSP, PPC_INS_FRSQRTE, PPC_INS_FRSQRTES, PPC_INS_FSEL, PPC_INS_FSQRT, PPC_INS_FSQRTS, PPC_INS_FSUB, PPC_INS_FSUBS, PPC_INS_ICBI, PPC_INS_ICBT, PPC_INS_ICCCI, PPC_INS_ISEL, PPC_INS_ISYNC, PPC_INS_LA, PPC_INS_LBZ, PPC_INS_LBZCIX, PPC_INS_LBZU, PPC_INS_LBZUX, PPC_INS_LBZX, PPC_INS_LD, PPC_INS_LDARX, PPC_INS_LDBRX, PPC_INS_LDCIX, PPC_INS_LDU, PPC_INS_LDUX, PPC_INS_LDX, PPC_INS_LFD, PPC_INS_LFDU, PPC_INS_LFDUX, PPC_INS_LFDX, PPC_INS_LFIWAX, PPC_INS_LFIWZX, PPC_INS_LFS, PPC_INS_LFSU, PPC_INS_LFSUX, PPC_INS_LFSX, PPC_INS_LHA, PPC_INS_LHAU, PPC_INS_LHAUX, PPC_INS_LHAX, PPC_INS_LHBRX, PPC_INS_LHZ, PPC_INS_LHZCIX, PPC_INS_LHZU, PPC_INS_LHZUX, PPC_INS_LHZX, PPC_INS_LI, PPC_INS_LIS, PPC_INS_LMW, PPC_INS_LSWI, PPC_INS_LVEBX, PPC_INS_LVEHX, PPC_INS_LVEWX, PPC_INS_LVSL, PPC_INS_LVSR, PPC_INS_LVX, PPC_INS_LVXL, PPC_INS_LWA, PPC_INS_LWARX, PPC_INS_LWAUX, PPC_INS_LWAX, PPC_INS_LWBRX, PPC_INS_LWZ, PPC_INS_LWZCIX, PPC_INS_LWZU, PPC_INS_LWZUX, PPC_INS_LWZX, PPC_INS_LXSDX, PPC_INS_LXVD2X, PPC_INS_LXVDSX, PPC_INS_LXVW4X, PPC_INS_MBAR, PPC_INS_MCRF, PPC_INS_MCRFS, PPC_INS_MFCR, PPC_INS_MFCTR, PPC_INS_MFDCR, PPC_INS_MFFS, PPC_INS_MFLR, PPC_INS_MFMSR, PPC_INS_MFOCRF, PPC_INS_MFSPR, PPC_INS_MFSR, PPC_INS_MFSRIN, PPC_INS_MFTB, PPC_INS_MFVSCR, PPC_INS_MSYNC, PPC_INS_MTCRF, PPC_INS_MTCTR, PPC_INS_MTDCR, PPC_INS_MTFSB0, PPC_INS_MTFSB1, PPC_INS_MTFSF, PPC_INS_MTFSFI, PPC_INS_MTLR, PPC_INS_MTMSR, PPC_INS_MTMSRD, PPC_INS_MTOCRF, PPC_INS_MTSPR, PPC_INS_MTSR, PPC_INS_MTSRIN, PPC_INS_MTVSCR, PPC_INS_MULHD, PPC_INS_MULHDU, PPC_INS_MULHW, PPC_INS_MULHWU, PPC_INS_MULLD, PPC_INS_MULLI, PPC_INS_MULLW, PPC_INS_NAND, PPC_INS_NEG, PPC_INS_NOP, PPC_INS_ORI, PPC_INS_NOR, PPC_INS_OR, PPC_INS_ORC, PPC_INS_ORIS, PPC_INS_POPCNTD, PPC_INS_POPCNTW, PPC_INS_QVALIGNI, PPC_INS_QVESPLATI, PPC_INS_QVFABS, PPC_INS_QVFADD, PPC_INS_QVFADDS, PPC_INS_QVFCFID, PPC_INS_QVFCFIDS, PPC_INS_QVFCFIDU, PPC_INS_QVFCFIDUS, PPC_INS_QVFCMPEQ, PPC_INS_QVFCMPGT, PPC_INS_QVFCMPLT, PPC_INS_QVFCPSGN, PPC_INS_QVFCTID, PPC_INS_QVFCTIDU, PPC_INS_QVFCTIDUZ, PPC_INS_QVFCTIDZ, PPC_INS_QVFCTIW, PPC_INS_QVFCTIWU, PPC_INS_QVFCTIWUZ, PPC_INS_QVFCTIWZ, PPC_INS_QVFLOGICAL, PPC_INS_QVFMADD, PPC_INS_QVFMADDS, PPC_INS_QVFMR, PPC_INS_QVFMSUB, PPC_INS_QVFMSUBS, PPC_INS_QVFMUL, PPC_INS_QVFMULS, PPC_INS_QVFNABS, PPC_INS_QVFNEG, PPC_INS_QVFNMADD, PPC_INS_QVFNMADDS, PPC_INS_QVFNMSUB, PPC_INS_QVFNMSUBS, PPC_INS_QVFPERM, PPC_INS_QVFRE, PPC_INS_QVFRES, PPC_INS_QVFRIM, PPC_INS_QVFRIN, PPC_INS_QVFRIP, PPC_INS_QVFRIZ, PPC_INS_QVFRSP, PPC_INS_QVFRSQRTE, PPC_INS_QVFRSQRTES, PPC_INS_QVFSEL, PPC_INS_QVFSUB, PPC_INS_QVFSUBS, PPC_INS_QVFTSTNAN, PPC_INS_QVFXMADD, PPC_INS_QVFXMADDS, PPC_INS_QVFXMUL, PPC_INS_QVFXMULS, PPC_INS_QVFXXCPNMADD, PPC_INS_QVFXXCPNMADDS, PPC_INS_QVFXXMADD, PPC_INS_QVFXXMADDS, PPC_INS_QVFXXNPMADD, PPC_INS_QVFXXNPMADDS, PPC_INS_QVGPCI, PPC_INS_QVLFCDUX, PPC_INS_QVLFCDUXA, PPC_INS_QVLFCDX, PPC_INS_QVLFCDXA, PPC_INS_QVLFCSUX, PPC_INS_QVLFCSUXA, PPC_INS_QVLFCSX, PPC_INS_QVLFCSXA, PPC_INS_QVLFDUX, PPC_INS_QVLFDUXA, PPC_INS_QVLFDX, PPC_INS_QVLFDXA, PPC_INS_QVLFIWAX, PPC_INS_QVLFIWAXA, PPC_INS_QVLFIWZX, PPC_INS_QVLFIWZXA, PPC_INS_QVLFSUX, PPC_INS_QVLFSUXA, PPC_INS_QVLFSX, PPC_INS_QVLFSXA, PPC_INS_QVLPCLDX, PPC_INS_QVLPCLSX, PPC_INS_QVLPCRDX, PPC_INS_QVLPCRSX, PPC_INS_QVSTFCDUX, PPC_INS_QVSTFCDUXA, PPC_INS_QVSTFCDUXI, PPC_INS_QVSTFCDUXIA, PPC_INS_QVSTFCDX, PPC_INS_QVSTFCDXA, PPC_INS_QVSTFCDXI, PPC_INS_QVSTFCDXIA, PPC_INS_QVSTFCSUX, PPC_INS_QVSTFCSUXA, PPC_INS_QVSTFCSUXI, PPC_INS_QVSTFCSUXIA, PPC_INS_QVSTFCSX, PPC_INS_QVSTFCSXA, PPC_INS_QVSTFCSXI, PPC_INS_QVSTFCSXIA, PPC_INS_QVSTFDUX, PPC_INS_QVSTFDUXA, PPC_INS_QVSTFDUXI, PPC_INS_QVSTFDUXIA, PPC_INS_QVSTFDX, PPC_INS_QVSTFDXA, PPC_INS_QVSTFDXI, PPC_INS_QVSTFDXIA, PPC_INS_QVSTFIWX, PPC_INS_QVSTFIWXA, PPC_INS_QVSTFSUX, PPC_INS_QVSTFSUXA, PPC_INS_QVSTFSUXI, PPC_INS_QVSTFSUXIA, PPC_INS_QVSTFSX, PPC_INS_QVSTFSXA, PPC_INS_QVSTFSXI, PPC_INS_QVSTFSXIA, PPC_INS_RFCI, PPC_INS_RFDI, PPC_INS_RFI, PPC_INS_RFID, PPC_INS_RFMCI, PPC_INS_RLDCL, PPC_INS_RLDCR, PPC_INS_RLDIC, PPC_INS_RLDICL, PPC_INS_RLDICR, PPC_INS_RLDIMI, PPC_INS_RLWIMI, PPC_INS_RLWINM, PPC_INS_RLWNM, PPC_INS_SC, PPC_INS_SLBIA, PPC_INS_SLBIE, PPC_INS_SLBMFEE, PPC_INS_SLBMTE, PPC_INS_SLD, PPC_INS_SLW, PPC_INS_SRAD, PPC_INS_SRADI, PPC_INS_SRAW, PPC_INS_SRAWI, PPC_INS_SRD, PPC_INS_SRW, PPC_INS_STB, PPC_INS_STBCIX, PPC_INS_STBU, PPC_INS_STBUX, PPC_INS_STBX, PPC_INS_STD, PPC_INS_STDBRX, PPC_INS_STDCIX, PPC_INS_STDCX, PPC_INS_STDU, PPC_INS_STDUX, PPC_INS_STDX, PPC_INS_STFD, PPC_INS_STFDU, PPC_INS_STFDUX, PPC_INS_STFDX, PPC_INS_STFIWX, PPC_INS_STFS, PPC_INS_STFSU, PPC_INS_STFSUX, PPC_INS_STFSX, PPC_INS_STH, PPC_INS_STHBRX, PPC_INS_STHCIX, PPC_INS_STHU, PPC_INS_STHUX, PPC_INS_STHX, PPC_INS_STMW, PPC_INS_STSWI, PPC_INS_STVEBX, PPC_INS_STVEHX, PPC_INS_STVEWX, PPC_INS_STVX, PPC_INS_STVXL, PPC_INS_STW, PPC_INS_STWBRX, PPC_INS_STWCIX, PPC_INS_STWCX, PPC_INS_STWU, PPC_INS_STWUX, PPC_INS_STWX, PPC_INS_STXSDX, PPC_INS_STXVD2X, PPC_INS_STXVW4X, PPC_INS_SUBF, PPC_INS_SUBFC, PPC_INS_SUBFE, PPC_INS_SUBFIC, PPC_INS_SUBFME, PPC_INS_SUBFZE, PPC_INS_SYNC, PPC_INS_TD, PPC_INS_TDI, PPC_INS_TLBIA, PPC_INS_TLBIE, PPC_INS_TLBIEL, PPC_INS_TLBIVAX, PPC_INS_TLBLD, PPC_INS_TLBLI, PPC_INS_TLBRE, PPC_INS_TLBSX, PPC_INS_TLBSYNC, PPC_INS_TLBWE, PPC_INS_TRAP, PPC_INS_TW, PPC_INS_TWI, PPC_INS_VADDCUW, PPC_INS_VADDFP, PPC_INS_VADDSBS, PPC_INS_VADDSHS, PPC_INS_VADDSWS, PPC_INS_VADDUBM, PPC_INS_VADDUBS, PPC_INS_VADDUDM, PPC_INS_VADDUHM, PPC_INS_VADDUHS, PPC_INS_VADDUWM, PPC_INS_VADDUWS, PPC_INS_VAND, PPC_INS_VANDC, PPC_INS_VAVGSB, PPC_INS_VAVGSH, PPC_INS_VAVGSW, PPC_INS_VAVGUB, PPC_INS_VAVGUH, PPC_INS_VAVGUW, PPC_INS_VCFSX, PPC_INS_VCFUX, PPC_INS_VCLZB, PPC_INS_VCLZD, PPC_INS_VCLZH, PPC_INS_VCLZW, PPC_INS_VCMPBFP, PPC_INS_VCMPEQFP, PPC_INS_VCMPEQUB, PPC_INS_VCMPEQUD, PPC_INS_VCMPEQUH, PPC_INS_VCMPEQUW, PPC_INS_VCMPGEFP, PPC_INS_VCMPGTFP, PPC_INS_VCMPGTSB, PPC_INS_VCMPGTSD, PPC_INS_VCMPGTSH, PPC_INS_VCMPGTSW, PPC_INS_VCMPGTUB, PPC_INS_VCMPGTUD, PPC_INS_VCMPGTUH, PPC_INS_VCMPGTUW, PPC_INS_VCTSXS, PPC_INS_VCTUXS, PPC_INS_VEQV, PPC_INS_VEXPTEFP, PPC_INS_VLOGEFP, PPC_INS_VMADDFP, PPC_INS_VMAXFP, PPC_INS_VMAXSB, PPC_INS_VMAXSD, PPC_INS_VMAXSH, PPC_INS_VMAXSW, PPC_INS_VMAXUB, PPC_INS_VMAXUD, PPC_INS_VMAXUH, PPC_INS_VMAXUW, PPC_INS_VMHADDSHS, PPC_INS_VMHRADDSHS, PPC_INS_VMINUD, PPC_INS_VMINFP, PPC_INS_VMINSB, PPC_INS_VMINSD, PPC_INS_VMINSH, PPC_INS_VMINSW, PPC_INS_VMINUB, PPC_INS_VMINUH, PPC_INS_VMINUW, PPC_INS_VMLADDUHM, PPC_INS_VMRGHB, PPC_INS_VMRGHH, PPC_INS_VMRGHW, PPC_INS_VMRGLB, PPC_INS_VMRGLH, PPC_INS_VMRGLW, PPC_INS_VMSUMMBM, PPC_INS_VMSUMSHM, PPC_INS_VMSUMSHS, PPC_INS_VMSUMUBM, PPC_INS_VMSUMUHM, PPC_INS_VMSUMUHS, PPC_INS_VMULESB, PPC_INS_VMULESH, PPC_INS_VMULESW, PPC_INS_VMULEUB, PPC_INS_VMULEUH, PPC_INS_VMULEUW, PPC_INS_VMULOSB, PPC_INS_VMULOSH, PPC_INS_VMULOSW, PPC_INS_VMULOUB, PPC_INS_VMULOUH, PPC_INS_VMULOUW, PPC_INS_VMULUWM, PPC_INS_VNAND, PPC_INS_VNMSUBFP, PPC_INS_VNOR, PPC_INS_VOR, PPC_INS_VORC, PPC_INS_VPERM, PPC_INS_VPKPX, PPC_INS_VPKSHSS, PPC_INS_VPKSHUS, PPC_INS_VPKSWSS, PPC_INS_VPKSWUS, PPC_INS_VPKUHUM, PPC_INS_VPKUHUS, PPC_INS_VPKUWUM, PPC_INS_VPKUWUS, PPC_INS_VPOPCNTB, PPC_INS_VPOPCNTD, PPC_INS_VPOPCNTH, PPC_INS_VPOPCNTW, PPC_INS_VREFP, PPC_INS_VRFIM, PPC_INS_VRFIN, PPC_INS_VRFIP, PPC_INS_VRFIZ, PPC_INS_VRLB, PPC_INS_VRLD, PPC_INS_VRLH, PPC_INS_VRLW, PPC_INS_VRSQRTEFP, PPC_INS_VSEL, PPC_INS_VSL, PPC_INS_VSLB, PPC_INS_VSLD, PPC_INS_VSLDOI, PPC_INS_VSLH, PPC_INS_VSLO, PPC_INS_VSLW, PPC_INS_VSPLTB, PPC_INS_VSPLTH, PPC_INS_VSPLTISB, PPC_INS_VSPLTISH, PPC_INS_VSPLTISW, PPC_INS_VSPLTW, PPC_INS_VSR, PPC_INS_VSRAB, PPC_INS_VSRAD, PPC_INS_VSRAH, PPC_INS_VSRAW, PPC_INS_VSRB, PPC_INS_VSRD, PPC_INS_VSRH, PPC_INS_VSRO, PPC_INS_VSRW, PPC_INS_VSUBCUW, PPC_INS_VSUBFP, PPC_INS_VSUBSBS, PPC_INS_VSUBSHS, PPC_INS_VSUBSWS, PPC_INS_VSUBUBM, PPC_INS_VSUBUBS, PPC_INS_VSUBUDM, PPC_INS_VSUBUHM, PPC_INS_VSUBUHS, PPC_INS_VSUBUWM, PPC_INS_VSUBUWS, PPC_INS_VSUM2SWS, PPC_INS_VSUM4SBS, PPC_INS_VSUM4SHS, PPC_INS_VSUM4UBS, PPC_INS_VSUMSWS, PPC_INS_VUPKHPX, PPC_INS_VUPKHSB, PPC_INS_VUPKHSH, PPC_INS_VUPKLPX, PPC_INS_VUPKLSB, PPC_INS_VUPKLSH, PPC_INS_VXOR, PPC_INS_WAIT, PPC_INS_WRTEE, PPC_INS_WRTEEI, PPC_INS_XOR, PPC_INS_XORI, PPC_INS_XORIS, PPC_INS_XSABSDP, PPC_INS_XSADDDP, PPC_INS_XSCMPODP, PPC_INS_XSCMPUDP, PPC_INS_XSCPSGNDP, PPC_INS_XSCVDPSP, PPC_INS_XSCVDPSXDS, PPC_INS_XSCVDPSXWS, PPC_INS_XSCVDPUXDS, PPC_INS_XSCVDPUXWS, PPC_INS_XSCVSPDP, PPC_INS_XSCVSXDDP, PPC_INS_XSCVUXDDP, PPC_INS_XSDIVDP, PPC_INS_XSMADDADP, PPC_INS_XSMADDMDP, PPC_INS_XSMAXDP, PPC_INS_XSMINDP, PPC_INS_XSMSUBADP, PPC_INS_XSMSUBMDP, PPC_INS_XSMULDP, PPC_INS_XSNABSDP, PPC_INS_XSNEGDP, PPC_INS_XSNMADDADP, PPC_INS_XSNMADDMDP, PPC_INS_XSNMSUBADP, PPC_INS_XSNMSUBMDP, PPC_INS_XSRDPI, PPC_INS_XSRDPIC, PPC_INS_XSRDPIM, PPC_INS_XSRDPIP, PPC_INS_XSRDPIZ, PPC_INS_XSREDP, PPC_INS_XSRSQRTEDP, PPC_INS_XSSQRTDP, PPC_INS_XSSUBDP, PPC_INS_XSTDIVDP, PPC_INS_XSTSQRTDP, PPC_INS_XVABSDP, PPC_INS_XVABSSP, PPC_INS_XVADDDP, PPC_INS_XVADDSP, PPC_INS_XVCMPEQDP, PPC_INS_XVCMPEQSP, PPC_INS_XVCMPGEDP, PPC_INS_XVCMPGESP, PPC_INS_XVCMPGTDP, PPC_INS_XVCMPGTSP, PPC_INS_XVCPSGNDP, PPC_INS_XVCPSGNSP, PPC_INS_XVCVDPSP, PPC_INS_XVCVDPSXDS, PPC_INS_XVCVDPSXWS, PPC_INS_XVCVDPUXDS, PPC_INS_XVCVDPUXWS, PPC_INS_XVCVSPDP, PPC_INS_XVCVSPSXDS, PPC_INS_XVCVSPSXWS, PPC_INS_XVCVSPUXDS, PPC_INS_XVCVSPUXWS, PPC_INS_XVCVSXDDP, PPC_INS_XVCVSXDSP, PPC_INS_XVCVSXWDP, PPC_INS_XVCVSXWSP, PPC_INS_XVCVUXDDP, PPC_INS_XVCVUXDSP, PPC_INS_XVCVUXWDP, PPC_INS_XVCVUXWSP, PPC_INS_XVDIVDP, PPC_INS_XVDIVSP, PPC_INS_XVMADDADP, PPC_INS_XVMADDASP, PPC_INS_XVMADDMDP, PPC_INS_XVMADDMSP, PPC_INS_XVMAXDP, PPC_INS_XVMAXSP, PPC_INS_XVMINDP, PPC_INS_XVMINSP, PPC_INS_XVMSUBADP, PPC_INS_XVMSUBASP, PPC_INS_XVMSUBMDP, PPC_INS_XVMSUBMSP, PPC_INS_XVMULDP, PPC_INS_XVMULSP, PPC_INS_XVNABSDP, PPC_INS_XVNABSSP, PPC_INS_XVNEGDP, PPC_INS_XVNEGSP, PPC_INS_XVNMADDADP, PPC_INS_XVNMADDASP, PPC_INS_XVNMADDMDP, PPC_INS_XVNMADDMSP, PPC_INS_XVNMSUBADP, PPC_INS_XVNMSUBASP, PPC_INS_XVNMSUBMDP, PPC_INS_XVNMSUBMSP, PPC_INS_XVRDPI, PPC_INS_XVRDPIC, PPC_INS_XVRDPIM, PPC_INS_XVRDPIP, PPC_INS_XVRDPIZ, PPC_INS_XVREDP, PPC_INS_XVRESP, PPC_INS_XVRSPI, PPC_INS_XVRSPIC, PPC_INS_XVRSPIM, PPC_INS_XVRSPIP, PPC_INS_XVRSPIZ, PPC_INS_XVRSQRTEDP, PPC_INS_XVRSQRTESP, PPC_INS_XVSQRTDP, PPC_INS_XVSQRTSP, PPC_INS_XVSUBDP, PPC_INS_XVSUBSP, PPC_INS_XVTDIVDP, PPC_INS_XVTDIVSP, PPC_INS_XVTSQRTDP, PPC_INS_XVTSQRTSP, PPC_INS_XXLAND, PPC_INS_XXLANDC, PPC_INS_XXLEQV, PPC_INS_XXLNAND, PPC_INS_XXLNOR, PPC_INS_XXLOR, PPC_INS_XXLORC, PPC_INS_XXLXOR, PPC_INS_XXMRGHW, PPC_INS_XXMRGLW, PPC_INS_XXPERMDI, PPC_INS_XXSEL, PPC_INS_XXSLDWI, PPC_INS_XXSPLTW, PPC_INS_BCA, PPC_INS_BCLA, // extra & alias instructions PPC_INS_SLWI, PPC_INS_SRWI, PPC_INS_SLDI, PPC_INS_BTA, PPC_INS_CRSET, PPC_INS_CRNOT, PPC_INS_CRMOVE, PPC_INS_CRCLR, PPC_INS_MFBR0, PPC_INS_MFBR1, PPC_INS_MFBR2, PPC_INS_MFBR3, PPC_INS_MFBR4, PPC_INS_MFBR5, PPC_INS_MFBR6, PPC_INS_MFBR7, PPC_INS_MFXER, PPC_INS_MFRTCU, PPC_INS_MFRTCL, PPC_INS_MFDSCR, PPC_INS_MFDSISR, PPC_INS_MFDAR, PPC_INS_MFSRR2, PPC_INS_MFSRR3, PPC_INS_MFCFAR, PPC_INS_MFAMR, PPC_INS_MFPID, PPC_INS_MFTBLO, PPC_INS_MFTBHI, PPC_INS_MFDBATU, PPC_INS_MFDBATL, PPC_INS_MFIBATU, PPC_INS_MFIBATL, PPC_INS_MFDCCR, PPC_INS_MFICCR, PPC_INS_MFDEAR, PPC_INS_MFESR, PPC_INS_MFSPEFSCR, PPC_INS_MFTCR, PPC_INS_MFASR, PPC_INS_MFPVR, PPC_INS_MFTBU, PPC_INS_MTCR, PPC_INS_MTBR0, PPC_INS_MTBR1, PPC_INS_MTBR2, PPC_INS_MTBR3, PPC_INS_MTBR4, PPC_INS_MTBR5, PPC_INS_MTBR6, PPC_INS_MTBR7, PPC_INS_MTXER, PPC_INS_MTDSCR, PPC_INS_MTDSISR, PPC_INS_MTDAR, PPC_INS_MTSRR2, PPC_INS_MTSRR3, PPC_INS_MTCFAR, PPC_INS_MTAMR, PPC_INS_MTPID, PPC_INS_MTTBL, PPC_INS_MTTBU, PPC_INS_MTTBLO, PPC_INS_MTTBHI, PPC_INS_MTDBATU, PPC_INS_MTDBATL, PPC_INS_MTIBATU, PPC_INS_MTIBATL, PPC_INS_MTDCCR, PPC_INS_MTICCR, PPC_INS_MTDEAR, PPC_INS_MTESR, PPC_INS_MTSPEFSCR, PPC_INS_MTTCR, PPC_INS_NOT, PPC_INS_MR, PPC_INS_ROTLD, PPC_INS_ROTLDI, PPC_INS_CLRLDI, PPC_INS_ROTLWI, PPC_INS_CLRLWI, PPC_INS_ROTLW, PPC_INS_SUB, PPC_INS_SUBC, PPC_INS_LWSYNC, PPC_INS_PTESYNC, PPC_INS_TDLT, PPC_INS_TDEQ, PPC_INS_TDGT, PPC_INS_TDNE, PPC_INS_TDLLT, PPC_INS_TDLGT, PPC_INS_TDU, PPC_INS_TDLTI, PPC_INS_TDEQI, PPC_INS_TDGTI, PPC_INS_TDNEI, PPC_INS_TDLLTI, PPC_INS_TDLGTI, PPC_INS_TDUI, PPC_INS_TLBREHI, PPC_INS_TLBRELO, PPC_INS_TLBWEHI, PPC_INS_TLBWELO, PPC_INS_TWLT, PPC_INS_TWEQ, PPC_INS_TWGT, PPC_INS_TWNE, PPC_INS_TWLLT, PPC_INS_TWLGT, PPC_INS_TWU, PPC_INS_TWLTI, PPC_INS_TWEQI, PPC_INS_TWGTI, PPC_INS_TWNEI, PPC_INS_TWLLTI, PPC_INS_TWLGTI, PPC_INS_TWUI, PPC_INS_WAITRSV, PPC_INS_WAITIMPL, PPC_INS_XNOP, PPC_INS_XVMOVDP, PPC_INS_XVMOVSP, PPC_INS_XXSPLTD, PPC_INS_XXMRGHD, PPC_INS_XXMRGLD, PPC_INS_XXSWAPD, PPC_INS_BT, PPC_INS_BF, PPC_INS_BDNZT, PPC_INS_BDNZF, PPC_INS_BDZF, PPC_INS_BDZT, PPC_INS_BFA, PPC_INS_BDNZTA, PPC_INS_BDNZFA, PPC_INS_BDZTA, PPC_INS_BDZFA, PPC_INS_BTCTR, PPC_INS_BFCTR, PPC_INS_BTCTRL, PPC_INS_BFCTRL, PPC_INS_BTL, PPC_INS_BFL, PPC_INS_BDNZTL, PPC_INS_BDNZFL, PPC_INS_BDZTL, PPC_INS_BDZFL, PPC_INS_BTLA, PPC_INS_BFLA, PPC_INS_BDNZTLA, PPC_INS_BDNZFLA, PPC_INS_BDZTLA, PPC_INS_BDZFLA, PPC_INS_BTLR, PPC_INS_BFLR, PPC_INS_BDNZTLR, PPC_INS_BDZTLR, PPC_INS_BDZFLR, PPC_INS_BTLRL, PPC_INS_BFLRL, PPC_INS_BDNZTLRL, PPC_INS_BDNZFLRL, PPC_INS_BDZTLRL, PPC_INS_BDZFLRL, // QPX PPC_INS_QVFAND, PPC_INS_QVFCLR, PPC_INS_QVFANDC, PPC_INS_QVFCTFB, PPC_INS_QVFXOR, PPC_INS_QVFOR, PPC_INS_QVFNOR, PPC_INS_QVFEQU, PPC_INS_QVFNOT, PPC_INS_QVFORC, PPC_INS_QVFNAND, PPC_INS_QVFSET, PPC_INS_ENDING, // <-- mark the end of the list of instructions } ppc_insn; //> Group of PPC instructions typedef enum ppc_insn_group { PPC_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) PPC_GRP_JUMP, // = CS_GRP_JUMP //> Architecture-specific groups PPC_GRP_ALTIVEC = 128, PPC_GRP_MODE32, PPC_GRP_MODE64, PPC_GRP_BOOKE, PPC_GRP_NOTBOOKE, PPC_GRP_SPE, PPC_GRP_VSX, PPC_GRP_E500, PPC_GRP_PPC4XX, PPC_GRP_PPC6XX, PPC_GRP_ICBT, PPC_GRP_P8ALTIVEC, PPC_GRP_P8VECTOR, PPC_GRP_QPX, PPC_GRP_ENDING, // <-- mark the end of the list of groups } ppc_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/sparc.h ================================================ #ifndef CAPSTONE_SPARC_H #define CAPSTONE_SPARC_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2014-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" // GCC SPARC toolchain has a default macro called "sparc" which breaks // compilation #undef sparc #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> Enums corresponding to Sparc condition codes, both icc's and fcc's. typedef enum sparc_cc { SPARC_CC_INVALID = 0, // invalid CC (default) //> Integer condition codes SPARC_CC_ICC_A = 8 + 256, // Always SPARC_CC_ICC_N = 0 + 256, // Never SPARC_CC_ICC_NE = 9 + 256, // Not Equal SPARC_CC_ICC_E = 1 + 256, // Equal SPARC_CC_ICC_G = 10 + 256, // Greater SPARC_CC_ICC_LE = 2 + 256, // Less or Equal SPARC_CC_ICC_GE = 11 + 256, // Greater or Equal SPARC_CC_ICC_L = 3 + 256, // Less SPARC_CC_ICC_GU = 12 + 256, // Greater Unsigned SPARC_CC_ICC_LEU = 4 + 256, // Less or Equal Unsigned SPARC_CC_ICC_CC = 13 + 256, // Carry Clear/Great or Equal Unsigned SPARC_CC_ICC_CS = 5 + 256, // Carry Set/Less Unsigned SPARC_CC_ICC_POS = 14 + 256, // Positive SPARC_CC_ICC_NEG = 6 + 256, // Negative SPARC_CC_ICC_VC = 15 + 256, // Overflow Clear SPARC_CC_ICC_VS = 7 + 256, // Overflow Set //> Floating condition codes SPARC_CC_FCC_A = 8 + 16 + 256, // Always SPARC_CC_FCC_N = 0 + 16 + 256, // Never SPARC_CC_FCC_U = 7 + 16 + 256, // Unordered SPARC_CC_FCC_G = 6 + 16 + 256, // Greater SPARC_CC_FCC_UG = 5 + 16 + 256, // Unordered or Greater SPARC_CC_FCC_L = 4 + 16 + 256, // Less SPARC_CC_FCC_UL = 3 + 16 + 256, // Unordered or Less SPARC_CC_FCC_LG = 2 + 16 + 256, // Less or Greater SPARC_CC_FCC_NE = 1 + 16 + 256, // Not Equal SPARC_CC_FCC_E = 9 + 16 + 256, // Equal SPARC_CC_FCC_UE = 10 + 16 + 256, // Unordered or Equal SPARC_CC_FCC_GE = 11 + 16 + 256, // Greater or Equal SPARC_CC_FCC_UGE = 12 + 16 + 256, // Unordered or Greater or Equal SPARC_CC_FCC_LE = 13 + 16 + 256, // Less or Equal SPARC_CC_FCC_ULE = 14 + 16 + 256, // Unordered or Less or Equal SPARC_CC_FCC_O = 15 + 16 + 256, // Ordered } sparc_cc; //> Branch hint typedef enum sparc_hint { SPARC_HINT_INVALID = 0, // no hint SPARC_HINT_A = 1 << 0, // annul delay slot instruction SPARC_HINT_PT = 1 << 1, // branch taken SPARC_HINT_PN = 1 << 2, // branch NOT taken } sparc_hint; //> Operand type for instruction's operands typedef enum sparc_op_type { SPARC_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). SPARC_OP_REG, // = CS_OP_REG (Register operand). SPARC_OP_IMM, // = CS_OP_IMM (Immediate operand). SPARC_OP_MEM, // = CS_OP_MEM (Memory operand). } sparc_op_type; //> SPARC registers typedef enum sparc_reg { SPARC_REG_INVALID = 0, SPARC_REG_F0, SPARC_REG_F1, SPARC_REG_F2, SPARC_REG_F3, SPARC_REG_F4, SPARC_REG_F5, SPARC_REG_F6, SPARC_REG_F7, SPARC_REG_F8, SPARC_REG_F9, SPARC_REG_F10, SPARC_REG_F11, SPARC_REG_F12, SPARC_REG_F13, SPARC_REG_F14, SPARC_REG_F15, SPARC_REG_F16, SPARC_REG_F17, SPARC_REG_F18, SPARC_REG_F19, SPARC_REG_F20, SPARC_REG_F21, SPARC_REG_F22, SPARC_REG_F23, SPARC_REG_F24, SPARC_REG_F25, SPARC_REG_F26, SPARC_REG_F27, SPARC_REG_F28, SPARC_REG_F29, SPARC_REG_F30, SPARC_REG_F31, SPARC_REG_F32, SPARC_REG_F34, SPARC_REG_F36, SPARC_REG_F38, SPARC_REG_F40, SPARC_REG_F42, SPARC_REG_F44, SPARC_REG_F46, SPARC_REG_F48, SPARC_REG_F50, SPARC_REG_F52, SPARC_REG_F54, SPARC_REG_F56, SPARC_REG_F58, SPARC_REG_F60, SPARC_REG_F62, SPARC_REG_FCC0, // Floating condition codes SPARC_REG_FCC1, SPARC_REG_FCC2, SPARC_REG_FCC3, SPARC_REG_FP, SPARC_REG_G0, SPARC_REG_G1, SPARC_REG_G2, SPARC_REG_G3, SPARC_REG_G4, SPARC_REG_G5, SPARC_REG_G6, SPARC_REG_G7, SPARC_REG_I0, SPARC_REG_I1, SPARC_REG_I2, SPARC_REG_I3, SPARC_REG_I4, SPARC_REG_I5, SPARC_REG_I7, SPARC_REG_ICC, // Integer condition codes SPARC_REG_L0, SPARC_REG_L1, SPARC_REG_L2, SPARC_REG_L3, SPARC_REG_L4, SPARC_REG_L5, SPARC_REG_L6, SPARC_REG_L7, SPARC_REG_O0, SPARC_REG_O1, SPARC_REG_O2, SPARC_REG_O3, SPARC_REG_O4, SPARC_REG_O5, SPARC_REG_O7, SPARC_REG_SP, SPARC_REG_Y, // special register SPARC_REG_XCC, SPARC_REG_ENDING, // <-- mark the end of the list of registers // extras SPARC_REG_O6 = SPARC_REG_SP, SPARC_REG_I6 = SPARC_REG_FP, } sparc_reg; // Instruction's operand referring to memory // This is associated with SPARC_OP_MEM operand type above typedef struct sparc_op_mem { uint8_t base; // base register, can be safely interpreted as // a value of type `sparc_reg`, but it is only // one byte wide uint8_t index; // index register, same conditions apply here int32_t disp; // displacement/offset value } sparc_op_mem; // Instruction operand typedef struct cs_sparc_op { sparc_op_type type; // operand type union { sparc_reg reg; // register value for REG operand int32_t imm; // immediate value for IMM operand sparc_op_mem mem; // base/disp value for MEM operand }; } cs_sparc_op; // Instruction structure typedef struct cs_sparc { sparc_cc cc; // code condition for this insn sparc_hint hint; // branch hint: encoding as bitwise OR of sparc_hint. // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_sparc_op operands[4]; // operands for this instruction. } cs_sparc; //> SPARC instruction typedef enum sparc_insn { SPARC_INS_INVALID = 0, SPARC_INS_ADDCC, SPARC_INS_ADDX, SPARC_INS_ADDXCC, SPARC_INS_ADDXC, SPARC_INS_ADDXCCC, SPARC_INS_ADD, SPARC_INS_ALIGNADDR, SPARC_INS_ALIGNADDRL, SPARC_INS_ANDCC, SPARC_INS_ANDNCC, SPARC_INS_ANDN, SPARC_INS_AND, SPARC_INS_ARRAY16, SPARC_INS_ARRAY32, SPARC_INS_ARRAY8, SPARC_INS_B, SPARC_INS_JMP, SPARC_INS_BMASK, SPARC_INS_FB, SPARC_INS_BRGEZ, SPARC_INS_BRGZ, SPARC_INS_BRLEZ, SPARC_INS_BRLZ, SPARC_INS_BRNZ, SPARC_INS_BRZ, SPARC_INS_BSHUFFLE, SPARC_INS_CALL, SPARC_INS_CASX, SPARC_INS_CAS, SPARC_INS_CMASK16, SPARC_INS_CMASK32, SPARC_INS_CMASK8, SPARC_INS_CMP, SPARC_INS_EDGE16, SPARC_INS_EDGE16L, SPARC_INS_EDGE16LN, SPARC_INS_EDGE16N, SPARC_INS_EDGE32, SPARC_INS_EDGE32L, SPARC_INS_EDGE32LN, SPARC_INS_EDGE32N, SPARC_INS_EDGE8, SPARC_INS_EDGE8L, SPARC_INS_EDGE8LN, SPARC_INS_EDGE8N, SPARC_INS_FABSD, SPARC_INS_FABSQ, SPARC_INS_FABSS, SPARC_INS_FADDD, SPARC_INS_FADDQ, SPARC_INS_FADDS, SPARC_INS_FALIGNDATA, SPARC_INS_FAND, SPARC_INS_FANDNOT1, SPARC_INS_FANDNOT1S, SPARC_INS_FANDNOT2, SPARC_INS_FANDNOT2S, SPARC_INS_FANDS, SPARC_INS_FCHKSM16, SPARC_INS_FCMPD, SPARC_INS_FCMPEQ16, SPARC_INS_FCMPEQ32, SPARC_INS_FCMPGT16, SPARC_INS_FCMPGT32, SPARC_INS_FCMPLE16, SPARC_INS_FCMPLE32, SPARC_INS_FCMPNE16, SPARC_INS_FCMPNE32, SPARC_INS_FCMPQ, SPARC_INS_FCMPS, SPARC_INS_FDIVD, SPARC_INS_FDIVQ, SPARC_INS_FDIVS, SPARC_INS_FDMULQ, SPARC_INS_FDTOI, SPARC_INS_FDTOQ, SPARC_INS_FDTOS, SPARC_INS_FDTOX, SPARC_INS_FEXPAND, SPARC_INS_FHADDD, SPARC_INS_FHADDS, SPARC_INS_FHSUBD, SPARC_INS_FHSUBS, SPARC_INS_FITOD, SPARC_INS_FITOQ, SPARC_INS_FITOS, SPARC_INS_FLCMPD, SPARC_INS_FLCMPS, SPARC_INS_FLUSHW, SPARC_INS_FMEAN16, SPARC_INS_FMOVD, SPARC_INS_FMOVQ, SPARC_INS_FMOVRDGEZ, SPARC_INS_FMOVRQGEZ, SPARC_INS_FMOVRSGEZ, SPARC_INS_FMOVRDGZ, SPARC_INS_FMOVRQGZ, SPARC_INS_FMOVRSGZ, SPARC_INS_FMOVRDLEZ, SPARC_INS_FMOVRQLEZ, SPARC_INS_FMOVRSLEZ, SPARC_INS_FMOVRDLZ, SPARC_INS_FMOVRQLZ, SPARC_INS_FMOVRSLZ, SPARC_INS_FMOVRDNZ, SPARC_INS_FMOVRQNZ, SPARC_INS_FMOVRSNZ, SPARC_INS_FMOVRDZ, SPARC_INS_FMOVRQZ, SPARC_INS_FMOVRSZ, SPARC_INS_FMOVS, SPARC_INS_FMUL8SUX16, SPARC_INS_FMUL8ULX16, SPARC_INS_FMUL8X16, SPARC_INS_FMUL8X16AL, SPARC_INS_FMUL8X16AU, SPARC_INS_FMULD, SPARC_INS_FMULD8SUX16, SPARC_INS_FMULD8ULX16, SPARC_INS_FMULQ, SPARC_INS_FMULS, SPARC_INS_FNADDD, SPARC_INS_FNADDS, SPARC_INS_FNAND, SPARC_INS_FNANDS, SPARC_INS_FNEGD, SPARC_INS_FNEGQ, SPARC_INS_FNEGS, SPARC_INS_FNHADDD, SPARC_INS_FNHADDS, SPARC_INS_FNOR, SPARC_INS_FNORS, SPARC_INS_FNOT1, SPARC_INS_FNOT1S, SPARC_INS_FNOT2, SPARC_INS_FNOT2S, SPARC_INS_FONE, SPARC_INS_FONES, SPARC_INS_FOR, SPARC_INS_FORNOT1, SPARC_INS_FORNOT1S, SPARC_INS_FORNOT2, SPARC_INS_FORNOT2S, SPARC_INS_FORS, SPARC_INS_FPACK16, SPARC_INS_FPACK32, SPARC_INS_FPACKFIX, SPARC_INS_FPADD16, SPARC_INS_FPADD16S, SPARC_INS_FPADD32, SPARC_INS_FPADD32S, SPARC_INS_FPADD64, SPARC_INS_FPMERGE, SPARC_INS_FPSUB16, SPARC_INS_FPSUB16S, SPARC_INS_FPSUB32, SPARC_INS_FPSUB32S, SPARC_INS_FQTOD, SPARC_INS_FQTOI, SPARC_INS_FQTOS, SPARC_INS_FQTOX, SPARC_INS_FSLAS16, SPARC_INS_FSLAS32, SPARC_INS_FSLL16, SPARC_INS_FSLL32, SPARC_INS_FSMULD, SPARC_INS_FSQRTD, SPARC_INS_FSQRTQ, SPARC_INS_FSQRTS, SPARC_INS_FSRA16, SPARC_INS_FSRA32, SPARC_INS_FSRC1, SPARC_INS_FSRC1S, SPARC_INS_FSRC2, SPARC_INS_FSRC2S, SPARC_INS_FSRL16, SPARC_INS_FSRL32, SPARC_INS_FSTOD, SPARC_INS_FSTOI, SPARC_INS_FSTOQ, SPARC_INS_FSTOX, SPARC_INS_FSUBD, SPARC_INS_FSUBQ, SPARC_INS_FSUBS, SPARC_INS_FXNOR, SPARC_INS_FXNORS, SPARC_INS_FXOR, SPARC_INS_FXORS, SPARC_INS_FXTOD, SPARC_INS_FXTOQ, SPARC_INS_FXTOS, SPARC_INS_FZERO, SPARC_INS_FZEROS, SPARC_INS_JMPL, SPARC_INS_LDD, SPARC_INS_LD, SPARC_INS_LDQ, SPARC_INS_LDSB, SPARC_INS_LDSH, SPARC_INS_LDSW, SPARC_INS_LDUB, SPARC_INS_LDUH, SPARC_INS_LDX, SPARC_INS_LZCNT, SPARC_INS_MEMBAR, SPARC_INS_MOVDTOX, SPARC_INS_MOV, SPARC_INS_MOVRGEZ, SPARC_INS_MOVRGZ, SPARC_INS_MOVRLEZ, SPARC_INS_MOVRLZ, SPARC_INS_MOVRNZ, SPARC_INS_MOVRZ, SPARC_INS_MOVSTOSW, SPARC_INS_MOVSTOUW, SPARC_INS_MULX, SPARC_INS_NOP, SPARC_INS_ORCC, SPARC_INS_ORNCC, SPARC_INS_ORN, SPARC_INS_OR, SPARC_INS_PDIST, SPARC_INS_PDISTN, SPARC_INS_POPC, SPARC_INS_RD, SPARC_INS_RESTORE, SPARC_INS_RETT, SPARC_INS_SAVE, SPARC_INS_SDIVCC, SPARC_INS_SDIVX, SPARC_INS_SDIV, SPARC_INS_SETHI, SPARC_INS_SHUTDOWN, SPARC_INS_SIAM, SPARC_INS_SLLX, SPARC_INS_SLL, SPARC_INS_SMULCC, SPARC_INS_SMUL, SPARC_INS_SRAX, SPARC_INS_SRA, SPARC_INS_SRLX, SPARC_INS_SRL, SPARC_INS_STBAR, SPARC_INS_STB, SPARC_INS_STD, SPARC_INS_ST, SPARC_INS_STH, SPARC_INS_STQ, SPARC_INS_STX, SPARC_INS_SUBCC, SPARC_INS_SUBX, SPARC_INS_SUBXCC, SPARC_INS_SUB, SPARC_INS_SWAP, SPARC_INS_TADDCCTV, SPARC_INS_TADDCC, SPARC_INS_T, SPARC_INS_TSUBCCTV, SPARC_INS_TSUBCC, SPARC_INS_UDIVCC, SPARC_INS_UDIVX, SPARC_INS_UDIV, SPARC_INS_UMULCC, SPARC_INS_UMULXHI, SPARC_INS_UMUL, SPARC_INS_UNIMP, SPARC_INS_FCMPED, SPARC_INS_FCMPEQ, SPARC_INS_FCMPES, SPARC_INS_WR, SPARC_INS_XMULX, SPARC_INS_XMULXHI, SPARC_INS_XNORCC, SPARC_INS_XNOR, SPARC_INS_XORCC, SPARC_INS_XOR, // alias instructions SPARC_INS_RET, SPARC_INS_RETL, SPARC_INS_ENDING, // <-- mark the end of the list of instructions } sparc_insn; //> Group of SPARC instructions typedef enum sparc_insn_group { SPARC_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) SPARC_GRP_JUMP, // = CS_GRP_JUMP //> Architecture-specific groups SPARC_GRP_HARDQUAD = 128, SPARC_GRP_V9, SPARC_GRP_VIS, SPARC_GRP_VIS2, SPARC_GRP_VIS3, SPARC_GRP_32BIT, SPARC_GRP_64BIT, SPARC_GRP_ENDING, // <-- mark the end of the list of groups } sparc_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/systemz.h ================================================ #ifndef CAPSTONE_SYSTEMZ_H #define CAPSTONE_SYSTEMZ_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2014-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> Enums corresponding to SystemZ condition codes typedef enum sysz_cc { SYSZ_CC_INVALID = 0, // invalid CC (default) SYSZ_CC_O, SYSZ_CC_H, SYSZ_CC_NLE, SYSZ_CC_L, SYSZ_CC_NHE, SYSZ_CC_LH, SYSZ_CC_NE, SYSZ_CC_E, SYSZ_CC_NLH, SYSZ_CC_HE, SYSZ_CC_NL, SYSZ_CC_LE, SYSZ_CC_NH, SYSZ_CC_NO, } sysz_cc; //> Operand type for instruction's operands typedef enum sysz_op_type { SYSZ_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). SYSZ_OP_REG, // = CS_OP_REG (Register operand). SYSZ_OP_IMM, // = CS_OP_IMM (Immediate operand). SYSZ_OP_MEM, // = CS_OP_MEM (Memory operand). SYSZ_OP_ACREG = 64, // Access register operand. } sysz_op_type; //> SystemZ registers typedef enum sysz_reg { SYSZ_REG_INVALID = 0, SYSZ_REG_0, SYSZ_REG_1, SYSZ_REG_2, SYSZ_REG_3, SYSZ_REG_4, SYSZ_REG_5, SYSZ_REG_6, SYSZ_REG_7, SYSZ_REG_8, SYSZ_REG_9, SYSZ_REG_10, SYSZ_REG_11, SYSZ_REG_12, SYSZ_REG_13, SYSZ_REG_14, SYSZ_REG_15, SYSZ_REG_CC, SYSZ_REG_F0, SYSZ_REG_F1, SYSZ_REG_F2, SYSZ_REG_F3, SYSZ_REG_F4, SYSZ_REG_F5, SYSZ_REG_F6, SYSZ_REG_F7, SYSZ_REG_F8, SYSZ_REG_F9, SYSZ_REG_F10, SYSZ_REG_F11, SYSZ_REG_F12, SYSZ_REG_F13, SYSZ_REG_F14, SYSZ_REG_F15, SYSZ_REG_R0L, SYSZ_REG_ENDING, } sysz_reg; // Instruction's operand referring to memory // This is associated with SYSZ_OP_MEM operand type above typedef struct sysz_op_mem { uint8_t base; // base register, can be safely interpreted as // a value of type `sysz_reg`, but it is only // one byte wide uint8_t index; // index register, same conditions apply here uint64_t length; // BDLAddr operand int64_t disp; // displacement/offset value } sysz_op_mem; // Instruction operand typedef struct cs_sysz_op { sysz_op_type type; // operand type union { sysz_reg reg; // register value for REG operand int64_t imm; // immediate value for IMM operand sysz_op_mem mem; // base/disp value for MEM operand }; } cs_sysz_op; // Instruction structure typedef struct cs_sysz { sysz_cc cc; // Code condition // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_sysz_op operands[6]; // operands for this instruction. } cs_sysz; //> SystemZ instruction typedef enum sysz_insn { SYSZ_INS_INVALID = 0, SYSZ_INS_A, SYSZ_INS_ADB, SYSZ_INS_ADBR, SYSZ_INS_AEB, SYSZ_INS_AEBR, SYSZ_INS_AFI, SYSZ_INS_AG, SYSZ_INS_AGF, SYSZ_INS_AGFI, SYSZ_INS_AGFR, SYSZ_INS_AGHI, SYSZ_INS_AGHIK, SYSZ_INS_AGR, SYSZ_INS_AGRK, SYSZ_INS_AGSI, SYSZ_INS_AH, SYSZ_INS_AHI, SYSZ_INS_AHIK, SYSZ_INS_AHY, SYSZ_INS_AIH, SYSZ_INS_AL, SYSZ_INS_ALC, SYSZ_INS_ALCG, SYSZ_INS_ALCGR, SYSZ_INS_ALCR, SYSZ_INS_ALFI, SYSZ_INS_ALG, SYSZ_INS_ALGF, SYSZ_INS_ALGFI, SYSZ_INS_ALGFR, SYSZ_INS_ALGHSIK, SYSZ_INS_ALGR, SYSZ_INS_ALGRK, SYSZ_INS_ALHSIK, SYSZ_INS_ALR, SYSZ_INS_ALRK, SYSZ_INS_ALY, SYSZ_INS_AR, SYSZ_INS_ARK, SYSZ_INS_ASI, SYSZ_INS_AXBR, SYSZ_INS_AY, SYSZ_INS_BCR, SYSZ_INS_BRC, SYSZ_INS_BRCL, SYSZ_INS_CGIJ, SYSZ_INS_CGRJ, SYSZ_INS_CIJ, SYSZ_INS_CLGIJ, SYSZ_INS_CLGRJ, SYSZ_INS_CLIJ, SYSZ_INS_CLRJ, SYSZ_INS_CRJ, SYSZ_INS_BER, SYSZ_INS_JE, SYSZ_INS_JGE, SYSZ_INS_LOCE, SYSZ_INS_LOCGE, SYSZ_INS_LOCGRE, SYSZ_INS_LOCRE, SYSZ_INS_STOCE, SYSZ_INS_STOCGE, SYSZ_INS_BHR, SYSZ_INS_BHER, SYSZ_INS_JHE, SYSZ_INS_JGHE, SYSZ_INS_LOCHE, SYSZ_INS_LOCGHE, SYSZ_INS_LOCGRHE, SYSZ_INS_LOCRHE, SYSZ_INS_STOCHE, SYSZ_INS_STOCGHE, SYSZ_INS_JH, SYSZ_INS_JGH, SYSZ_INS_LOCH, SYSZ_INS_LOCGH, SYSZ_INS_LOCGRH, SYSZ_INS_LOCRH, SYSZ_INS_STOCH, SYSZ_INS_STOCGH, SYSZ_INS_CGIJNLH, SYSZ_INS_CGRJNLH, SYSZ_INS_CIJNLH, SYSZ_INS_CLGIJNLH, SYSZ_INS_CLGRJNLH, SYSZ_INS_CLIJNLH, SYSZ_INS_CLRJNLH, SYSZ_INS_CRJNLH, SYSZ_INS_CGIJE, SYSZ_INS_CGRJE, SYSZ_INS_CIJE, SYSZ_INS_CLGIJE, SYSZ_INS_CLGRJE, SYSZ_INS_CLIJE, SYSZ_INS_CLRJE, SYSZ_INS_CRJE, SYSZ_INS_CGIJNLE, SYSZ_INS_CGRJNLE, SYSZ_INS_CIJNLE, SYSZ_INS_CLGIJNLE, SYSZ_INS_CLGRJNLE, SYSZ_INS_CLIJNLE, SYSZ_INS_CLRJNLE, SYSZ_INS_CRJNLE, SYSZ_INS_CGIJH, SYSZ_INS_CGRJH, SYSZ_INS_CIJH, SYSZ_INS_CLGIJH, SYSZ_INS_CLGRJH, SYSZ_INS_CLIJH, SYSZ_INS_CLRJH, SYSZ_INS_CRJH, SYSZ_INS_CGIJNL, SYSZ_INS_CGRJNL, SYSZ_INS_CIJNL, SYSZ_INS_CLGIJNL, SYSZ_INS_CLGRJNL, SYSZ_INS_CLIJNL, SYSZ_INS_CLRJNL, SYSZ_INS_CRJNL, SYSZ_INS_CGIJHE, SYSZ_INS_CGRJHE, SYSZ_INS_CIJHE, SYSZ_INS_CLGIJHE, SYSZ_INS_CLGRJHE, SYSZ_INS_CLIJHE, SYSZ_INS_CLRJHE, SYSZ_INS_CRJHE, SYSZ_INS_CGIJNHE, SYSZ_INS_CGRJNHE, SYSZ_INS_CIJNHE, SYSZ_INS_CLGIJNHE, SYSZ_INS_CLGRJNHE, SYSZ_INS_CLIJNHE, SYSZ_INS_CLRJNHE, SYSZ_INS_CRJNHE, SYSZ_INS_CGIJL, SYSZ_INS_CGRJL, SYSZ_INS_CIJL, SYSZ_INS_CLGIJL, SYSZ_INS_CLGRJL, SYSZ_INS_CLIJL, SYSZ_INS_CLRJL, SYSZ_INS_CRJL, SYSZ_INS_CGIJNH, SYSZ_INS_CGRJNH, SYSZ_INS_CIJNH, SYSZ_INS_CLGIJNH, SYSZ_INS_CLGRJNH, SYSZ_INS_CLIJNH, SYSZ_INS_CLRJNH, SYSZ_INS_CRJNH, SYSZ_INS_CGIJLE, SYSZ_INS_CGRJLE, SYSZ_INS_CIJLE, SYSZ_INS_CLGIJLE, SYSZ_INS_CLGRJLE, SYSZ_INS_CLIJLE, SYSZ_INS_CLRJLE, SYSZ_INS_CRJLE, SYSZ_INS_CGIJNE, SYSZ_INS_CGRJNE, SYSZ_INS_CIJNE, SYSZ_INS_CLGIJNE, SYSZ_INS_CLGRJNE, SYSZ_INS_CLIJNE, SYSZ_INS_CLRJNE, SYSZ_INS_CRJNE, SYSZ_INS_CGIJLH, SYSZ_INS_CGRJLH, SYSZ_INS_CIJLH, SYSZ_INS_CLGIJLH, SYSZ_INS_CLGRJLH, SYSZ_INS_CLIJLH, SYSZ_INS_CLRJLH, SYSZ_INS_CRJLH, SYSZ_INS_BLR, SYSZ_INS_BLER, SYSZ_INS_JLE, SYSZ_INS_JGLE, SYSZ_INS_LOCLE, SYSZ_INS_LOCGLE, SYSZ_INS_LOCGRLE, SYSZ_INS_LOCRLE, SYSZ_INS_STOCLE, SYSZ_INS_STOCGLE, SYSZ_INS_BLHR, SYSZ_INS_JLH, SYSZ_INS_JGLH, SYSZ_INS_LOCLH, SYSZ_INS_LOCGLH, SYSZ_INS_LOCGRLH, SYSZ_INS_LOCRLH, SYSZ_INS_STOCLH, SYSZ_INS_STOCGLH, SYSZ_INS_JL, SYSZ_INS_JGL, SYSZ_INS_LOCL, SYSZ_INS_LOCGL, SYSZ_INS_LOCGRL, SYSZ_INS_LOCRL, SYSZ_INS_LOC, SYSZ_INS_LOCG, SYSZ_INS_LOCGR, SYSZ_INS_LOCR, SYSZ_INS_STOCL, SYSZ_INS_STOCGL, SYSZ_INS_BNER, SYSZ_INS_JNE, SYSZ_INS_JGNE, SYSZ_INS_LOCNE, SYSZ_INS_LOCGNE, SYSZ_INS_LOCGRNE, SYSZ_INS_LOCRNE, SYSZ_INS_STOCNE, SYSZ_INS_STOCGNE, SYSZ_INS_BNHR, SYSZ_INS_BNHER, SYSZ_INS_JNHE, SYSZ_INS_JGNHE, SYSZ_INS_LOCNHE, SYSZ_INS_LOCGNHE, SYSZ_INS_LOCGRNHE, SYSZ_INS_LOCRNHE, SYSZ_INS_STOCNHE, SYSZ_INS_STOCGNHE, SYSZ_INS_JNH, SYSZ_INS_JGNH, SYSZ_INS_LOCNH, SYSZ_INS_LOCGNH, SYSZ_INS_LOCGRNH, SYSZ_INS_LOCRNH, SYSZ_INS_STOCNH, SYSZ_INS_STOCGNH, SYSZ_INS_BNLR, SYSZ_INS_BNLER, SYSZ_INS_JNLE, SYSZ_INS_JGNLE, SYSZ_INS_LOCNLE, SYSZ_INS_LOCGNLE, SYSZ_INS_LOCGRNLE, SYSZ_INS_LOCRNLE, SYSZ_INS_STOCNLE, SYSZ_INS_STOCGNLE, SYSZ_INS_BNLHR, SYSZ_INS_JNLH, SYSZ_INS_JGNLH, SYSZ_INS_LOCNLH, SYSZ_INS_LOCGNLH, SYSZ_INS_LOCGRNLH, SYSZ_INS_LOCRNLH, SYSZ_INS_STOCNLH, SYSZ_INS_STOCGNLH, SYSZ_INS_JNL, SYSZ_INS_JGNL, SYSZ_INS_LOCNL, SYSZ_INS_LOCGNL, SYSZ_INS_LOCGRNL, SYSZ_INS_LOCRNL, SYSZ_INS_STOCNL, SYSZ_INS_STOCGNL, SYSZ_INS_BNOR, SYSZ_INS_JNO, SYSZ_INS_JGNO, SYSZ_INS_LOCNO, SYSZ_INS_LOCGNO, SYSZ_INS_LOCGRNO, SYSZ_INS_LOCRNO, SYSZ_INS_STOCNO, SYSZ_INS_STOCGNO, SYSZ_INS_BOR, SYSZ_INS_JO, SYSZ_INS_JGO, SYSZ_INS_LOCO, SYSZ_INS_LOCGO, SYSZ_INS_LOCGRO, SYSZ_INS_LOCRO, SYSZ_INS_STOCO, SYSZ_INS_STOCGO, SYSZ_INS_STOC, SYSZ_INS_STOCG, SYSZ_INS_BASR, SYSZ_INS_BR, SYSZ_INS_BRAS, SYSZ_INS_BRASL, SYSZ_INS_J, SYSZ_INS_JG, SYSZ_INS_BRCT, SYSZ_INS_BRCTG, SYSZ_INS_C, SYSZ_INS_CDB, SYSZ_INS_CDBR, SYSZ_INS_CDFBR, SYSZ_INS_CDGBR, SYSZ_INS_CDLFBR, SYSZ_INS_CDLGBR, SYSZ_INS_CEB, SYSZ_INS_CEBR, SYSZ_INS_CEFBR, SYSZ_INS_CEGBR, SYSZ_INS_CELFBR, SYSZ_INS_CELGBR, SYSZ_INS_CFDBR, SYSZ_INS_CFEBR, SYSZ_INS_CFI, SYSZ_INS_CFXBR, SYSZ_INS_CG, SYSZ_INS_CGDBR, SYSZ_INS_CGEBR, SYSZ_INS_CGF, SYSZ_INS_CGFI, SYSZ_INS_CGFR, SYSZ_INS_CGFRL, SYSZ_INS_CGH, SYSZ_INS_CGHI, SYSZ_INS_CGHRL, SYSZ_INS_CGHSI, SYSZ_INS_CGR, SYSZ_INS_CGRL, SYSZ_INS_CGXBR, SYSZ_INS_CH, SYSZ_INS_CHF, SYSZ_INS_CHHSI, SYSZ_INS_CHI, SYSZ_INS_CHRL, SYSZ_INS_CHSI, SYSZ_INS_CHY, SYSZ_INS_CIH, SYSZ_INS_CL, SYSZ_INS_CLC, SYSZ_INS_CLFDBR, SYSZ_INS_CLFEBR, SYSZ_INS_CLFHSI, SYSZ_INS_CLFI, SYSZ_INS_CLFXBR, SYSZ_INS_CLG, SYSZ_INS_CLGDBR, SYSZ_INS_CLGEBR, SYSZ_INS_CLGF, SYSZ_INS_CLGFI, SYSZ_INS_CLGFR, SYSZ_INS_CLGFRL, SYSZ_INS_CLGHRL, SYSZ_INS_CLGHSI, SYSZ_INS_CLGR, SYSZ_INS_CLGRL, SYSZ_INS_CLGXBR, SYSZ_INS_CLHF, SYSZ_INS_CLHHSI, SYSZ_INS_CLHRL, SYSZ_INS_CLI, SYSZ_INS_CLIH, SYSZ_INS_CLIY, SYSZ_INS_CLR, SYSZ_INS_CLRL, SYSZ_INS_CLST, SYSZ_INS_CLY, SYSZ_INS_CPSDR, SYSZ_INS_CR, SYSZ_INS_CRL, SYSZ_INS_CS, SYSZ_INS_CSG, SYSZ_INS_CSY, SYSZ_INS_CXBR, SYSZ_INS_CXFBR, SYSZ_INS_CXGBR, SYSZ_INS_CXLFBR, SYSZ_INS_CXLGBR, SYSZ_INS_CY, SYSZ_INS_DDB, SYSZ_INS_DDBR, SYSZ_INS_DEB, SYSZ_INS_DEBR, SYSZ_INS_DL, SYSZ_INS_DLG, SYSZ_INS_DLGR, SYSZ_INS_DLR, SYSZ_INS_DSG, SYSZ_INS_DSGF, SYSZ_INS_DSGFR, SYSZ_INS_DSGR, SYSZ_INS_DXBR, SYSZ_INS_EAR, SYSZ_INS_FIDBR, SYSZ_INS_FIDBRA, SYSZ_INS_FIEBR, SYSZ_INS_FIEBRA, SYSZ_INS_FIXBR, SYSZ_INS_FIXBRA, SYSZ_INS_FLOGR, SYSZ_INS_IC, SYSZ_INS_ICY, SYSZ_INS_IIHF, SYSZ_INS_IIHH, SYSZ_INS_IIHL, SYSZ_INS_IILF, SYSZ_INS_IILH, SYSZ_INS_IILL, SYSZ_INS_IPM, SYSZ_INS_L, SYSZ_INS_LA, SYSZ_INS_LAA, SYSZ_INS_LAAG, SYSZ_INS_LAAL, SYSZ_INS_LAALG, SYSZ_INS_LAN, SYSZ_INS_LANG, SYSZ_INS_LAO, SYSZ_INS_LAOG, SYSZ_INS_LARL, SYSZ_INS_LAX, SYSZ_INS_LAXG, SYSZ_INS_LAY, SYSZ_INS_LB, SYSZ_INS_LBH, SYSZ_INS_LBR, SYSZ_INS_LCDBR, SYSZ_INS_LCEBR, SYSZ_INS_LCGFR, SYSZ_INS_LCGR, SYSZ_INS_LCR, SYSZ_INS_LCXBR, SYSZ_INS_LD, SYSZ_INS_LDEB, SYSZ_INS_LDEBR, SYSZ_INS_LDGR, SYSZ_INS_LDR, SYSZ_INS_LDXBR, SYSZ_INS_LDXBRA, SYSZ_INS_LDY, SYSZ_INS_LE, SYSZ_INS_LEDBR, SYSZ_INS_LEDBRA, SYSZ_INS_LER, SYSZ_INS_LEXBR, SYSZ_INS_LEXBRA, SYSZ_INS_LEY, SYSZ_INS_LFH, SYSZ_INS_LG, SYSZ_INS_LGB, SYSZ_INS_LGBR, SYSZ_INS_LGDR, SYSZ_INS_LGF, SYSZ_INS_LGFI, SYSZ_INS_LGFR, SYSZ_INS_LGFRL, SYSZ_INS_LGH, SYSZ_INS_LGHI, SYSZ_INS_LGHR, SYSZ_INS_LGHRL, SYSZ_INS_LGR, SYSZ_INS_LGRL, SYSZ_INS_LH, SYSZ_INS_LHH, SYSZ_INS_LHI, SYSZ_INS_LHR, SYSZ_INS_LHRL, SYSZ_INS_LHY, SYSZ_INS_LLC, SYSZ_INS_LLCH, SYSZ_INS_LLCR, SYSZ_INS_LLGC, SYSZ_INS_LLGCR, SYSZ_INS_LLGF, SYSZ_INS_LLGFR, SYSZ_INS_LLGFRL, SYSZ_INS_LLGH, SYSZ_INS_LLGHR, SYSZ_INS_LLGHRL, SYSZ_INS_LLH, SYSZ_INS_LLHH, SYSZ_INS_LLHR, SYSZ_INS_LLHRL, SYSZ_INS_LLIHF, SYSZ_INS_LLIHH, SYSZ_INS_LLIHL, SYSZ_INS_LLILF, SYSZ_INS_LLILH, SYSZ_INS_LLILL, SYSZ_INS_LMG, SYSZ_INS_LNDBR, SYSZ_INS_LNEBR, SYSZ_INS_LNGFR, SYSZ_INS_LNGR, SYSZ_INS_LNR, SYSZ_INS_LNXBR, SYSZ_INS_LPDBR, SYSZ_INS_LPEBR, SYSZ_INS_LPGFR, SYSZ_INS_LPGR, SYSZ_INS_LPR, SYSZ_INS_LPXBR, SYSZ_INS_LR, SYSZ_INS_LRL, SYSZ_INS_LRV, SYSZ_INS_LRVG, SYSZ_INS_LRVGR, SYSZ_INS_LRVR, SYSZ_INS_LT, SYSZ_INS_LTDBR, SYSZ_INS_LTEBR, SYSZ_INS_LTG, SYSZ_INS_LTGF, SYSZ_INS_LTGFR, SYSZ_INS_LTGR, SYSZ_INS_LTR, SYSZ_INS_LTXBR, SYSZ_INS_LXDB, SYSZ_INS_LXDBR, SYSZ_INS_LXEB, SYSZ_INS_LXEBR, SYSZ_INS_LXR, SYSZ_INS_LY, SYSZ_INS_LZDR, SYSZ_INS_LZER, SYSZ_INS_LZXR, SYSZ_INS_MADB, SYSZ_INS_MADBR, SYSZ_INS_MAEB, SYSZ_INS_MAEBR, SYSZ_INS_MDB, SYSZ_INS_MDBR, SYSZ_INS_MDEB, SYSZ_INS_MDEBR, SYSZ_INS_MEEB, SYSZ_INS_MEEBR, SYSZ_INS_MGHI, SYSZ_INS_MH, SYSZ_INS_MHI, SYSZ_INS_MHY, SYSZ_INS_MLG, SYSZ_INS_MLGR, SYSZ_INS_MS, SYSZ_INS_MSDB, SYSZ_INS_MSDBR, SYSZ_INS_MSEB, SYSZ_INS_MSEBR, SYSZ_INS_MSFI, SYSZ_INS_MSG, SYSZ_INS_MSGF, SYSZ_INS_MSGFI, SYSZ_INS_MSGFR, SYSZ_INS_MSGR, SYSZ_INS_MSR, SYSZ_INS_MSY, SYSZ_INS_MVC, SYSZ_INS_MVGHI, SYSZ_INS_MVHHI, SYSZ_INS_MVHI, SYSZ_INS_MVI, SYSZ_INS_MVIY, SYSZ_INS_MVST, SYSZ_INS_MXBR, SYSZ_INS_MXDB, SYSZ_INS_MXDBR, SYSZ_INS_N, SYSZ_INS_NC, SYSZ_INS_NG, SYSZ_INS_NGR, SYSZ_INS_NGRK, SYSZ_INS_NI, SYSZ_INS_NIHF, SYSZ_INS_NIHH, SYSZ_INS_NIHL, SYSZ_INS_NILF, SYSZ_INS_NILH, SYSZ_INS_NILL, SYSZ_INS_NIY, SYSZ_INS_NR, SYSZ_INS_NRK, SYSZ_INS_NY, SYSZ_INS_O, SYSZ_INS_OC, SYSZ_INS_OG, SYSZ_INS_OGR, SYSZ_INS_OGRK, SYSZ_INS_OI, SYSZ_INS_OIHF, SYSZ_INS_OIHH, SYSZ_INS_OIHL, SYSZ_INS_OILF, SYSZ_INS_OILH, SYSZ_INS_OILL, SYSZ_INS_OIY, SYSZ_INS_OR, SYSZ_INS_ORK, SYSZ_INS_OY, SYSZ_INS_PFD, SYSZ_INS_PFDRL, SYSZ_INS_RISBG, SYSZ_INS_RISBHG, SYSZ_INS_RISBLG, SYSZ_INS_RLL, SYSZ_INS_RLLG, SYSZ_INS_RNSBG, SYSZ_INS_ROSBG, SYSZ_INS_RXSBG, SYSZ_INS_S, SYSZ_INS_SDB, SYSZ_INS_SDBR, SYSZ_INS_SEB, SYSZ_INS_SEBR, SYSZ_INS_SG, SYSZ_INS_SGF, SYSZ_INS_SGFR, SYSZ_INS_SGR, SYSZ_INS_SGRK, SYSZ_INS_SH, SYSZ_INS_SHY, SYSZ_INS_SL, SYSZ_INS_SLB, SYSZ_INS_SLBG, SYSZ_INS_SLBR, SYSZ_INS_SLFI, SYSZ_INS_SLG, SYSZ_INS_SLBGR, SYSZ_INS_SLGF, SYSZ_INS_SLGFI, SYSZ_INS_SLGFR, SYSZ_INS_SLGR, SYSZ_INS_SLGRK, SYSZ_INS_SLL, SYSZ_INS_SLLG, SYSZ_INS_SLLK, SYSZ_INS_SLR, SYSZ_INS_SLRK, SYSZ_INS_SLY, SYSZ_INS_SQDB, SYSZ_INS_SQDBR, SYSZ_INS_SQEB, SYSZ_INS_SQEBR, SYSZ_INS_SQXBR, SYSZ_INS_SR, SYSZ_INS_SRA, SYSZ_INS_SRAG, SYSZ_INS_SRAK, SYSZ_INS_SRK, SYSZ_INS_SRL, SYSZ_INS_SRLG, SYSZ_INS_SRLK, SYSZ_INS_SRST, SYSZ_INS_ST, SYSZ_INS_STC, SYSZ_INS_STCH, SYSZ_INS_STCY, SYSZ_INS_STD, SYSZ_INS_STDY, SYSZ_INS_STE, SYSZ_INS_STEY, SYSZ_INS_STFH, SYSZ_INS_STG, SYSZ_INS_STGRL, SYSZ_INS_STH, SYSZ_INS_STHH, SYSZ_INS_STHRL, SYSZ_INS_STHY, SYSZ_INS_STMG, SYSZ_INS_STRL, SYSZ_INS_STRV, SYSZ_INS_STRVG, SYSZ_INS_STY, SYSZ_INS_SXBR, SYSZ_INS_SY, SYSZ_INS_TM, SYSZ_INS_TMHH, SYSZ_INS_TMHL, SYSZ_INS_TMLH, SYSZ_INS_TMLL, SYSZ_INS_TMY, SYSZ_INS_X, SYSZ_INS_XC, SYSZ_INS_XG, SYSZ_INS_XGR, SYSZ_INS_XGRK, SYSZ_INS_XI, SYSZ_INS_XIHF, SYSZ_INS_XILF, SYSZ_INS_XIY, SYSZ_INS_XR, SYSZ_INS_XRK, SYSZ_INS_XY, SYSZ_INS_ENDING, // <-- mark the end of the list of instructions } sysz_insn; //> Group of SystemZ instructions typedef enum sysz_insn_group { SYSZ_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) SYSZ_GRP_JUMP, // = CS_GRP_JUMP //> Architecture-specific groups SYSZ_GRP_DISTINCTOPS = 128, SYSZ_GRP_FPEXTENSION, SYSZ_GRP_HIGHWORD, SYSZ_GRP_INTERLOCKEDACCESS1, SYSZ_GRP_LOADSTOREONCOND, SYSZ_GRP_ENDING, // <-- mark the end of the list of groups } sysz_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/x86.h ================================================ #ifndef CAPSTONE_X86_H #define CAPSTONE_X86_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2013-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" // Calculate relative address for X86-64, given cs_insn structure #define X86_REL_ADDR(insn) (((insn).detail->x86.operands[0].type == X86_OP_IMM) \ ? (uint64_t)((insn).detail->x86.operands[0].imm) \ : (((insn).address + (insn).size) + (uint64_t)(insn).detail->x86.disp)) //> X86 registers typedef enum x86_reg { X86_REG_INVALID = 0, X86_REG_AH, X86_REG_AL, X86_REG_AX, X86_REG_BH, X86_REG_BL, X86_REG_BP, X86_REG_BPL, X86_REG_BX, X86_REG_CH, X86_REG_CL, X86_REG_CS, X86_REG_CX, X86_REG_DH, X86_REG_DI, X86_REG_DIL, X86_REG_DL, X86_REG_DS, X86_REG_DX, X86_REG_EAX, X86_REG_EBP, X86_REG_EBX, X86_REG_ECX, X86_REG_EDI, X86_REG_EDX, X86_REG_EFLAGS, X86_REG_EIP, X86_REG_EIZ, X86_REG_ES, X86_REG_ESI, X86_REG_ESP, X86_REG_FPSW, X86_REG_FS, X86_REG_GS, X86_REG_IP, X86_REG_RAX, X86_REG_RBP, X86_REG_RBX, X86_REG_RCX, X86_REG_RDI, X86_REG_RDX, X86_REG_RIP, X86_REG_RIZ, X86_REG_RSI, X86_REG_RSP, X86_REG_SI, X86_REG_SIL, X86_REG_SP, X86_REG_SPL, X86_REG_SS, X86_REG_CR0, X86_REG_CR1, X86_REG_CR2, X86_REG_CR3, X86_REG_CR4, X86_REG_CR5, X86_REG_CR6, X86_REG_CR7, X86_REG_CR8, X86_REG_CR9, X86_REG_CR10, X86_REG_CR11, X86_REG_CR12, X86_REG_CR13, X86_REG_CR14, X86_REG_CR15, X86_REG_DR0, X86_REG_DR1, X86_REG_DR2, X86_REG_DR3, X86_REG_DR4, X86_REG_DR5, X86_REG_DR6, X86_REG_DR7, X86_REG_DR8, X86_REG_DR9, X86_REG_DR10, X86_REG_DR11, X86_REG_DR12, X86_REG_DR13, X86_REG_DR14, X86_REG_DR15, X86_REG_FP0, X86_REG_FP1, X86_REG_FP2, X86_REG_FP3, X86_REG_FP4, X86_REG_FP5, X86_REG_FP6, X86_REG_FP7, X86_REG_K0, X86_REG_K1, X86_REG_K2, X86_REG_K3, X86_REG_K4, X86_REG_K5, X86_REG_K6, X86_REG_K7, X86_REG_MM0, X86_REG_MM1, X86_REG_MM2, X86_REG_MM3, X86_REG_MM4, X86_REG_MM5, X86_REG_MM6, X86_REG_MM7, X86_REG_R8, X86_REG_R9, X86_REG_R10, X86_REG_R11, X86_REG_R12, X86_REG_R13, X86_REG_R14, X86_REG_R15, X86_REG_ST0, X86_REG_ST1, X86_REG_ST2, X86_REG_ST3, X86_REG_ST4, X86_REG_ST5, X86_REG_ST6, X86_REG_ST7, X86_REG_XMM0, X86_REG_XMM1, X86_REG_XMM2, X86_REG_XMM3, X86_REG_XMM4, X86_REG_XMM5, X86_REG_XMM6, X86_REG_XMM7, X86_REG_XMM8, X86_REG_XMM9, X86_REG_XMM10, X86_REG_XMM11, X86_REG_XMM12, X86_REG_XMM13, X86_REG_XMM14, X86_REG_XMM15, X86_REG_XMM16, X86_REG_XMM17, X86_REG_XMM18, X86_REG_XMM19, X86_REG_XMM20, X86_REG_XMM21, X86_REG_XMM22, X86_REG_XMM23, X86_REG_XMM24, X86_REG_XMM25, X86_REG_XMM26, X86_REG_XMM27, X86_REG_XMM28, X86_REG_XMM29, X86_REG_XMM30, X86_REG_XMM31, X86_REG_YMM0, X86_REG_YMM1, X86_REG_YMM2, X86_REG_YMM3, X86_REG_YMM4, X86_REG_YMM5, X86_REG_YMM6, X86_REG_YMM7, X86_REG_YMM8, X86_REG_YMM9, X86_REG_YMM10, X86_REG_YMM11, X86_REG_YMM12, X86_REG_YMM13, X86_REG_YMM14, X86_REG_YMM15, X86_REG_YMM16, X86_REG_YMM17, X86_REG_YMM18, X86_REG_YMM19, X86_REG_YMM20, X86_REG_YMM21, X86_REG_YMM22, X86_REG_YMM23, X86_REG_YMM24, X86_REG_YMM25, X86_REG_YMM26, X86_REG_YMM27, X86_REG_YMM28, X86_REG_YMM29, X86_REG_YMM30, X86_REG_YMM31, X86_REG_ZMM0, X86_REG_ZMM1, X86_REG_ZMM2, X86_REG_ZMM3, X86_REG_ZMM4, X86_REG_ZMM5, X86_REG_ZMM6, X86_REG_ZMM7, X86_REG_ZMM8, X86_REG_ZMM9, X86_REG_ZMM10, X86_REG_ZMM11, X86_REG_ZMM12, X86_REG_ZMM13, X86_REG_ZMM14, X86_REG_ZMM15, X86_REG_ZMM16, X86_REG_ZMM17, X86_REG_ZMM18, X86_REG_ZMM19, X86_REG_ZMM20, X86_REG_ZMM21, X86_REG_ZMM22, X86_REG_ZMM23, X86_REG_ZMM24, X86_REG_ZMM25, X86_REG_ZMM26, X86_REG_ZMM27, X86_REG_ZMM28, X86_REG_ZMM29, X86_REG_ZMM30, X86_REG_ZMM31, X86_REG_R8B, X86_REG_R9B, X86_REG_R10B, X86_REG_R11B, X86_REG_R12B, X86_REG_R13B, X86_REG_R14B, X86_REG_R15B, X86_REG_R8D, X86_REG_R9D, X86_REG_R10D, X86_REG_R11D, X86_REG_R12D, X86_REG_R13D, X86_REG_R14D, X86_REG_R15D, X86_REG_R8W, X86_REG_R9W, X86_REG_R10W, X86_REG_R11W, X86_REG_R12W, X86_REG_R13W, X86_REG_R14W, X86_REG_R15W, X86_REG_ENDING // <-- mark the end of the list of registers } x86_reg; //> Sub-flags of EFLAGS #define X86_EFLAGS_MODIFY_AF (1ULL << 0) #define X86_EFLAGS_MODIFY_CF (1ULL << 1) #define X86_EFLAGS_MODIFY_SF (1ULL << 2) #define X86_EFLAGS_MODIFY_ZF (1ULL << 3) #define X86_EFLAGS_MODIFY_PF (1ULL << 4) #define X86_EFLAGS_MODIFY_OF (1ULL << 5) #define X86_EFLAGS_MODIFY_TF (1ULL << 6) #define X86_EFLAGS_MODIFY_IF (1ULL << 7) #define X86_EFLAGS_MODIFY_DF (1ULL << 8) #define X86_EFLAGS_MODIFY_NT (1ULL << 9) #define X86_EFLAGS_MODIFY_RF (1ULL << 10) #define X86_EFLAGS_PRIOR_OF (1ULL << 11) #define X86_EFLAGS_PRIOR_SF (1ULL << 12) #define X86_EFLAGS_PRIOR_ZF (1ULL << 13) #define X86_EFLAGS_PRIOR_AF (1ULL << 14) #define X86_EFLAGS_PRIOR_PF (1ULL << 15) #define X86_EFLAGS_PRIOR_CF (1ULL << 16) #define X86_EFLAGS_PRIOR_TF (1ULL << 17) #define X86_EFLAGS_PRIOR_IF (1ULL << 18) #define X86_EFLAGS_PRIOR_DF (1ULL << 19) #define X86_EFLAGS_PRIOR_NT (1ULL << 20) #define X86_EFLAGS_RESET_OF (1ULL << 21) #define X86_EFLAGS_RESET_CF (1ULL << 22) #define X86_EFLAGS_RESET_DF (1ULL << 23) #define X86_EFLAGS_RESET_IF (1ULL << 24) #define X86_EFLAGS_RESET_SF (1ULL << 25) #define X86_EFLAGS_RESET_AF (1ULL << 26) #define X86_EFLAGS_RESET_TF (1ULL << 27) #define X86_EFLAGS_RESET_NT (1ULL << 28) #define X86_EFLAGS_RESET_PF (1ULL << 29) #define X86_EFLAGS_SET_CF (1ULL << 30) #define X86_EFLAGS_SET_DF (1ULL << 31) #define X86_EFLAGS_SET_IF (1ULL << 32) #define X86_EFLAGS_TEST_OF (1ULL << 33) #define X86_EFLAGS_TEST_SF (1ULL << 34) #define X86_EFLAGS_TEST_ZF (1ULL << 35) #define X86_EFLAGS_TEST_PF (1ULL << 36) #define X86_EFLAGS_TEST_CF (1ULL << 37) #define X86_EFLAGS_TEST_NT (1ULL << 38) #define X86_EFLAGS_TEST_DF (1ULL << 39) #define X86_EFLAGS_UNDEFINED_OF (1ULL << 40) #define X86_EFLAGS_UNDEFINED_SF (1ULL << 41) #define X86_EFLAGS_UNDEFINED_ZF (1ULL << 42) #define X86_EFLAGS_UNDEFINED_PF (1ULL << 43) #define X86_EFLAGS_UNDEFINED_AF (1ULL << 44) #define X86_EFLAGS_UNDEFINED_CF (1ULL << 45) //> Operand type for instruction's operands typedef enum x86_op_type { X86_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). X86_OP_REG, // = CS_OP_REG (Register operand). X86_OP_IMM, // = CS_OP_IMM (Immediate operand). X86_OP_MEM, // = CS_OP_MEM (Memory operand). } x86_op_type; //> XOP Code Condition type typedef enum x86_xop_cc { X86_XOP_CC_INVALID = 0, // Uninitialized. X86_XOP_CC_LT, X86_XOP_CC_LE, X86_XOP_CC_GT, X86_XOP_CC_GE, X86_XOP_CC_EQ, X86_XOP_CC_NEQ, X86_XOP_CC_FALSE, X86_XOP_CC_TRUE, } x86_xop_cc; //> AVX broadcast type typedef enum x86_avx_bcast { X86_AVX_BCAST_INVALID = 0, // Uninitialized. X86_AVX_BCAST_2, // AVX512 broadcast type {1to2} X86_AVX_BCAST_4, // AVX512 broadcast type {1to4} X86_AVX_BCAST_8, // AVX512 broadcast type {1to8} X86_AVX_BCAST_16, // AVX512 broadcast type {1to16} } x86_avx_bcast; //> SSE Code Condition type typedef enum x86_sse_cc { X86_SSE_CC_INVALID = 0, // Uninitialized. X86_SSE_CC_EQ, X86_SSE_CC_LT, X86_SSE_CC_LE, X86_SSE_CC_UNORD, X86_SSE_CC_NEQ, X86_SSE_CC_NLT, X86_SSE_CC_NLE, X86_SSE_CC_ORD, } x86_sse_cc; //> AVX Code Condition type typedef enum x86_avx_cc { X86_AVX_CC_INVALID = 0, // Uninitialized. X86_AVX_CC_EQ, X86_AVX_CC_LT, X86_AVX_CC_LE, X86_AVX_CC_UNORD, X86_AVX_CC_NEQ, X86_AVX_CC_NLT, X86_AVX_CC_NLE, X86_AVX_CC_ORD, X86_AVX_CC_EQ_UQ, X86_AVX_CC_NGE, X86_AVX_CC_NGT, X86_AVX_CC_FALSE, X86_AVX_CC_NEQ_OQ, X86_AVX_CC_GE, X86_AVX_CC_GT, X86_AVX_CC_TRUE, X86_AVX_CC_EQ_OS, X86_AVX_CC_LT_OQ, X86_AVX_CC_LE_OQ, X86_AVX_CC_UNORD_S, X86_AVX_CC_NEQ_US, X86_AVX_CC_NLT_UQ, X86_AVX_CC_NLE_UQ, X86_AVX_CC_ORD_S, X86_AVX_CC_EQ_US, X86_AVX_CC_NGE_UQ, X86_AVX_CC_NGT_UQ, X86_AVX_CC_FALSE_OS, X86_AVX_CC_NEQ_OS, X86_AVX_CC_GE_OQ, X86_AVX_CC_GT_OQ, X86_AVX_CC_TRUE_US, } x86_avx_cc; //> AVX static rounding mode type typedef enum x86_avx_rm { X86_AVX_RM_INVALID = 0, // Uninitialized. X86_AVX_RM_RN, // Round to nearest X86_AVX_RM_RD, // Round down X86_AVX_RM_RU, // Round up X86_AVX_RM_RZ, // Round toward zero } x86_avx_rm; //> Instruction prefixes - to be used in cs_x86.prefix[] typedef enum x86_prefix { X86_PREFIX_LOCK = 0xf0, // lock (cs_x86.prefix[0] X86_PREFIX_REP = 0xf3, // rep (cs_x86.prefix[0] X86_PREFIX_REPE = 0xf3, // repe/repz (cs_x86.prefix[0] X86_PREFIX_REPNE = 0xf2, // repne/repnz (cs_x86.prefix[0] X86_PREFIX_CS = 0x2e, // segment override CS (cs_x86.prefix[1] X86_PREFIX_SS = 0x36, // segment override SS (cs_x86.prefix[1] X86_PREFIX_DS = 0x3e, // segment override DS (cs_x86.prefix[1] X86_PREFIX_ES = 0x26, // segment override ES (cs_x86.prefix[1] X86_PREFIX_FS = 0x64, // segment override FS (cs_x86.prefix[1] X86_PREFIX_GS = 0x65, // segment override GS (cs_x86.prefix[1] X86_PREFIX_OPSIZE = 0x66, // operand-size override (cs_x86.prefix[2] X86_PREFIX_ADDRSIZE = 0x67, // address-size override (cs_x86.prefix[3] } x86_prefix; // Instruction's operand referring to memory // This is associated with X86_OP_MEM operand type above typedef struct x86_op_mem { x86_reg segment; // segment register (or X86_REG_INVALID if irrelevant) x86_reg base; // base register (or X86_REG_INVALID if irrelevant) x86_reg index; // index register (or X86_REG_INVALID if irrelevant) int scale; // scale for index register int64_t disp; // displacement value } x86_op_mem; // Instruction operand typedef struct cs_x86_op { x86_op_type type; // operand type union { x86_reg reg; // register value for REG operand int64_t imm; // immediate value for IMM operand x86_op_mem mem; // base/index/scale/disp value for MEM operand }; // size of this operand (in bytes). uint8_t size; // How is this operand accessed? (READ, WRITE or READ|WRITE) // This field is combined of cs_ac_type. // NOTE: this field is irrelevant if engine is compiled in DIET mode. uint8_t access; // AVX broadcast type, or 0 if irrelevant x86_avx_bcast avx_bcast; // AVX zero opmask {z} bool avx_zero_opmask; } cs_x86_op; // Instruction structure typedef struct cs_x86 { // Instruction prefix, which can be up to 4 bytes. // A prefix byte gets value 0 when irrelevant. // prefix[0] indicates REP/REPNE/LOCK prefix (See X86_PREFIX_REP/REPNE/LOCK above) // prefix[1] indicates segment override (irrelevant for x86_64): // See X86_PREFIX_CS/SS/DS/ES/FS/GS above. // prefix[2] indicates operand-size override (X86_PREFIX_OPSIZE) // prefix[3] indicates address-size override (X86_PREFIX_ADDRSIZE) uint8_t prefix[4]; // Instruction opcode, which can be from 1 to 4 bytes in size. // This contains VEX opcode as well. // An trailing opcode byte gets value 0 when irrelevant. uint8_t opcode[4]; // REX prefix: only a non-zero value is relevant for x86_64 uint8_t rex; // Address size, which can be overridden with above prefix[5]. uint8_t addr_size; // ModR/M byte uint8_t modrm; // SIB value, or 0 when irrelevant. uint8_t sib; // Displacement value, or 0 when irrelevant. int32_t disp; /* SIB state */ // SIB index register, or X86_REG_INVALID when irrelevant. x86_reg sib_index; // SIB scale. only applicable if sib_index is relevant. int8_t sib_scale; // SIB base register, or X86_REG_INVALID when irrelevant. x86_reg sib_base; // XOP Code Condition x86_xop_cc xop_cc; // SSE Code Condition x86_sse_cc sse_cc; // AVX Code Condition x86_avx_cc avx_cc; // AVX Suppress all Exception bool avx_sae; // AVX static rounding mode x86_avx_rm avx_rm; // EFLAGS updated by this instruction. // This can be formed from OR combination of X86_EFLAGS_* symbols in x86.h uint64_t eflags; // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_x86_op operands[8]; // operands for this instruction. } cs_x86; //> X86 instructions typedef enum x86_insn { X86_INS_INVALID = 0, X86_INS_AAA, X86_INS_AAD, X86_INS_AAM, X86_INS_AAS, X86_INS_FABS, X86_INS_ADC, X86_INS_ADCX, X86_INS_ADD, X86_INS_ADDPD, X86_INS_ADDPS, X86_INS_ADDSD, X86_INS_ADDSS, X86_INS_ADDSUBPD, X86_INS_ADDSUBPS, X86_INS_FADD, X86_INS_FIADD, X86_INS_FADDP, X86_INS_ADOX, X86_INS_AESDECLAST, X86_INS_AESDEC, X86_INS_AESENCLAST, X86_INS_AESENC, X86_INS_AESIMC, X86_INS_AESKEYGENASSIST, X86_INS_AND, X86_INS_ANDN, X86_INS_ANDNPD, X86_INS_ANDNPS, X86_INS_ANDPD, X86_INS_ANDPS, X86_INS_ARPL, X86_INS_BEXTR, X86_INS_BLCFILL, X86_INS_BLCI, X86_INS_BLCIC, X86_INS_BLCMSK, X86_INS_BLCS, X86_INS_BLENDPD, X86_INS_BLENDPS, X86_INS_BLENDVPD, X86_INS_BLENDVPS, X86_INS_BLSFILL, X86_INS_BLSI, X86_INS_BLSIC, X86_INS_BLSMSK, X86_INS_BLSR, X86_INS_BOUND, X86_INS_BSF, X86_INS_BSR, X86_INS_BSWAP, X86_INS_BT, X86_INS_BTC, X86_INS_BTR, X86_INS_BTS, X86_INS_BZHI, X86_INS_CALL, X86_INS_CBW, X86_INS_CDQ, X86_INS_CDQE, X86_INS_FCHS, X86_INS_CLAC, X86_INS_CLC, X86_INS_CLD, X86_INS_CLFLUSH, X86_INS_CLFLUSHOPT, X86_INS_CLGI, X86_INS_CLI, X86_INS_CLTS, X86_INS_CLWB, X86_INS_CMC, X86_INS_CMOVA, X86_INS_CMOVAE, X86_INS_CMOVB, X86_INS_CMOVBE, X86_INS_FCMOVBE, X86_INS_FCMOVB, X86_INS_CMOVE, X86_INS_FCMOVE, X86_INS_CMOVG, X86_INS_CMOVGE, X86_INS_CMOVL, X86_INS_CMOVLE, X86_INS_FCMOVNBE, X86_INS_FCMOVNB, X86_INS_CMOVNE, X86_INS_FCMOVNE, X86_INS_CMOVNO, X86_INS_CMOVNP, X86_INS_FCMOVNU, X86_INS_CMOVNS, X86_INS_CMOVO, X86_INS_CMOVP, X86_INS_FCMOVU, X86_INS_CMOVS, X86_INS_CMP, X86_INS_CMPSB, X86_INS_CMPSQ, X86_INS_CMPSW, X86_INS_CMPXCHG16B, X86_INS_CMPXCHG, X86_INS_CMPXCHG8B, X86_INS_COMISD, X86_INS_COMISS, X86_INS_FCOMP, X86_INS_FCOMIP, X86_INS_FCOMI, X86_INS_FCOM, X86_INS_FCOS, X86_INS_CPUID, X86_INS_CQO, X86_INS_CRC32, X86_INS_CVTDQ2PD, X86_INS_CVTDQ2PS, X86_INS_CVTPD2DQ, X86_INS_CVTPD2PS, X86_INS_CVTPS2DQ, X86_INS_CVTPS2PD, X86_INS_CVTSD2SI, X86_INS_CVTSD2SS, X86_INS_CVTSI2SD, X86_INS_CVTSI2SS, X86_INS_CVTSS2SD, X86_INS_CVTSS2SI, X86_INS_CVTTPD2DQ, X86_INS_CVTTPS2DQ, X86_INS_CVTTSD2SI, X86_INS_CVTTSS2SI, X86_INS_CWD, X86_INS_CWDE, X86_INS_DAA, X86_INS_DAS, X86_INS_DATA16, X86_INS_DEC, X86_INS_DIV, X86_INS_DIVPD, X86_INS_DIVPS, X86_INS_FDIVR, X86_INS_FIDIVR, X86_INS_FDIVRP, X86_INS_DIVSD, X86_INS_DIVSS, X86_INS_FDIV, X86_INS_FIDIV, X86_INS_FDIVP, X86_INS_DPPD, X86_INS_DPPS, X86_INS_RET, X86_INS_ENCLS, X86_INS_ENCLU, X86_INS_ENTER, X86_INS_EXTRACTPS, X86_INS_EXTRQ, X86_INS_F2XM1, X86_INS_LCALL, X86_INS_LJMP, X86_INS_FBLD, X86_INS_FBSTP, X86_INS_FCOMPP, X86_INS_FDECSTP, X86_INS_FEMMS, X86_INS_FFREE, X86_INS_FICOM, X86_INS_FICOMP, X86_INS_FINCSTP, X86_INS_FLDCW, X86_INS_FLDENV, X86_INS_FLDL2E, X86_INS_FLDL2T, X86_INS_FLDLG2, X86_INS_FLDLN2, X86_INS_FLDPI, X86_INS_FNCLEX, X86_INS_FNINIT, X86_INS_FNOP, X86_INS_FNSTCW, X86_INS_FNSTSW, X86_INS_FPATAN, X86_INS_FPREM, X86_INS_FPREM1, X86_INS_FPTAN, X86_INS_FFREEP, X86_INS_FRNDINT, X86_INS_FRSTOR, X86_INS_FNSAVE, X86_INS_FSCALE, X86_INS_FSETPM, X86_INS_FSINCOS, X86_INS_FNSTENV, X86_INS_FXAM, X86_INS_FXRSTOR, X86_INS_FXRSTOR64, X86_INS_FXSAVE, X86_INS_FXSAVE64, X86_INS_FXTRACT, X86_INS_FYL2X, X86_INS_FYL2XP1, X86_INS_MOVAPD, X86_INS_MOVAPS, X86_INS_ORPD, X86_INS_ORPS, X86_INS_VMOVAPD, X86_INS_VMOVAPS, X86_INS_XORPD, X86_INS_XORPS, X86_INS_GETSEC, X86_INS_HADDPD, X86_INS_HADDPS, X86_INS_HLT, X86_INS_HSUBPD, X86_INS_HSUBPS, X86_INS_IDIV, X86_INS_FILD, X86_INS_IMUL, X86_INS_IN, X86_INS_INC, X86_INS_INSB, X86_INS_INSERTPS, X86_INS_INSERTQ, X86_INS_INSD, X86_INS_INSW, X86_INS_INT, X86_INS_INT1, X86_INS_INT3, X86_INS_INTO, X86_INS_INVD, X86_INS_INVEPT, X86_INS_INVLPG, X86_INS_INVLPGA, X86_INS_INVPCID, X86_INS_INVVPID, X86_INS_IRET, X86_INS_IRETD, X86_INS_IRETQ, X86_INS_FISTTP, X86_INS_FIST, X86_INS_FISTP, X86_INS_UCOMISD, X86_INS_UCOMISS, X86_INS_VCOMISD, X86_INS_VCOMISS, X86_INS_VCVTSD2SS, X86_INS_VCVTSI2SD, X86_INS_VCVTSI2SS, X86_INS_VCVTSS2SD, X86_INS_VCVTTSD2SI, X86_INS_VCVTTSD2USI, X86_INS_VCVTTSS2SI, X86_INS_VCVTTSS2USI, X86_INS_VCVTUSI2SD, X86_INS_VCVTUSI2SS, X86_INS_VUCOMISD, X86_INS_VUCOMISS, X86_INS_JAE, X86_INS_JA, X86_INS_JBE, X86_INS_JB, X86_INS_JCXZ, X86_INS_JECXZ, X86_INS_JE, X86_INS_JGE, X86_INS_JG, X86_INS_JLE, X86_INS_JL, X86_INS_JMP, X86_INS_JNE, X86_INS_JNO, X86_INS_JNP, X86_INS_JNS, X86_INS_JO, X86_INS_JP, X86_INS_JRCXZ, X86_INS_JS, X86_INS_KANDB, X86_INS_KANDD, X86_INS_KANDNB, X86_INS_KANDND, X86_INS_KANDNQ, X86_INS_KANDNW, X86_INS_KANDQ, X86_INS_KANDW, X86_INS_KMOVB, X86_INS_KMOVD, X86_INS_KMOVQ, X86_INS_KMOVW, X86_INS_KNOTB, X86_INS_KNOTD, X86_INS_KNOTQ, X86_INS_KNOTW, X86_INS_KORB, X86_INS_KORD, X86_INS_KORQ, X86_INS_KORTESTB, X86_INS_KORTESTD, X86_INS_KORTESTQ, X86_INS_KORTESTW, X86_INS_KORW, X86_INS_KSHIFTLB, X86_INS_KSHIFTLD, X86_INS_KSHIFTLQ, X86_INS_KSHIFTLW, X86_INS_KSHIFTRB, X86_INS_KSHIFTRD, X86_INS_KSHIFTRQ, X86_INS_KSHIFTRW, X86_INS_KUNPCKBW, X86_INS_KXNORB, X86_INS_KXNORD, X86_INS_KXNORQ, X86_INS_KXNORW, X86_INS_KXORB, X86_INS_KXORD, X86_INS_KXORQ, X86_INS_KXORW, X86_INS_LAHF, X86_INS_LAR, X86_INS_LDDQU, X86_INS_LDMXCSR, X86_INS_LDS, X86_INS_FLDZ, X86_INS_FLD1, X86_INS_FLD, X86_INS_LEA, X86_INS_LEAVE, X86_INS_LES, X86_INS_LFENCE, X86_INS_LFS, X86_INS_LGDT, X86_INS_LGS, X86_INS_LIDT, X86_INS_LLDT, X86_INS_LMSW, X86_INS_OR, X86_INS_SUB, X86_INS_XOR, X86_INS_LODSB, X86_INS_LODSD, X86_INS_LODSQ, X86_INS_LODSW, X86_INS_LOOP, X86_INS_LOOPE, X86_INS_LOOPNE, X86_INS_RETF, X86_INS_RETFQ, X86_INS_LSL, X86_INS_LSS, X86_INS_LTR, X86_INS_XADD, X86_INS_LZCNT, X86_INS_MASKMOVDQU, X86_INS_MAXPD, X86_INS_MAXPS, X86_INS_MAXSD, X86_INS_MAXSS, X86_INS_MFENCE, X86_INS_MINPD, X86_INS_MINPS, X86_INS_MINSD, X86_INS_MINSS, X86_INS_CVTPD2PI, X86_INS_CVTPI2PD, X86_INS_CVTPI2PS, X86_INS_CVTPS2PI, X86_INS_CVTTPD2PI, X86_INS_CVTTPS2PI, X86_INS_EMMS, X86_INS_MASKMOVQ, X86_INS_MOVD, X86_INS_MOVDQ2Q, X86_INS_MOVNTQ, X86_INS_MOVQ2DQ, X86_INS_MOVQ, X86_INS_PABSB, X86_INS_PABSD, X86_INS_PABSW, X86_INS_PACKSSDW, X86_INS_PACKSSWB, X86_INS_PACKUSWB, X86_INS_PADDB, X86_INS_PADDD, X86_INS_PADDQ, X86_INS_PADDSB, X86_INS_PADDSW, X86_INS_PADDUSB, X86_INS_PADDUSW, X86_INS_PADDW, X86_INS_PALIGNR, X86_INS_PANDN, X86_INS_PAND, X86_INS_PAVGB, X86_INS_PAVGW, X86_INS_PCMPEQB, X86_INS_PCMPEQD, X86_INS_PCMPEQW, X86_INS_PCMPGTB, X86_INS_PCMPGTD, X86_INS_PCMPGTW, X86_INS_PEXTRW, X86_INS_PHADDSW, X86_INS_PHADDW, X86_INS_PHADDD, X86_INS_PHSUBD, X86_INS_PHSUBSW, X86_INS_PHSUBW, X86_INS_PINSRW, X86_INS_PMADDUBSW, X86_INS_PMADDWD, X86_INS_PMAXSW, X86_INS_PMAXUB, X86_INS_PMINSW, X86_INS_PMINUB, X86_INS_PMOVMSKB, X86_INS_PMULHRSW, X86_INS_PMULHUW, X86_INS_PMULHW, X86_INS_PMULLW, X86_INS_PMULUDQ, X86_INS_POR, X86_INS_PSADBW, X86_INS_PSHUFB, X86_INS_PSHUFW, X86_INS_PSIGNB, X86_INS_PSIGND, X86_INS_PSIGNW, X86_INS_PSLLD, X86_INS_PSLLQ, X86_INS_PSLLW, X86_INS_PSRAD, X86_INS_PSRAW, X86_INS_PSRLD, X86_INS_PSRLQ, X86_INS_PSRLW, X86_INS_PSUBB, X86_INS_PSUBD, X86_INS_PSUBQ, X86_INS_PSUBSB, X86_INS_PSUBSW, X86_INS_PSUBUSB, X86_INS_PSUBUSW, X86_INS_PSUBW, X86_INS_PUNPCKHBW, X86_INS_PUNPCKHDQ, X86_INS_PUNPCKHWD, X86_INS_PUNPCKLBW, X86_INS_PUNPCKLDQ, X86_INS_PUNPCKLWD, X86_INS_PXOR, X86_INS_MONITOR, X86_INS_MONTMUL, X86_INS_MOV, X86_INS_MOVABS, X86_INS_MOVBE, X86_INS_MOVDDUP, X86_INS_MOVDQA, X86_INS_MOVDQU, X86_INS_MOVHLPS, X86_INS_MOVHPD, X86_INS_MOVHPS, X86_INS_MOVLHPS, X86_INS_MOVLPD, X86_INS_MOVLPS, X86_INS_MOVMSKPD, X86_INS_MOVMSKPS, X86_INS_MOVNTDQA, X86_INS_MOVNTDQ, X86_INS_MOVNTI, X86_INS_MOVNTPD, X86_INS_MOVNTPS, X86_INS_MOVNTSD, X86_INS_MOVNTSS, X86_INS_MOVSB, X86_INS_MOVSD, X86_INS_MOVSHDUP, X86_INS_MOVSLDUP, X86_INS_MOVSQ, X86_INS_MOVSS, X86_INS_MOVSW, X86_INS_MOVSX, X86_INS_MOVSXD, X86_INS_MOVUPD, X86_INS_MOVUPS, X86_INS_MOVZX, X86_INS_MPSADBW, X86_INS_MUL, X86_INS_MULPD, X86_INS_MULPS, X86_INS_MULSD, X86_INS_MULSS, X86_INS_MULX, X86_INS_FMUL, X86_INS_FIMUL, X86_INS_FMULP, X86_INS_MWAIT, X86_INS_NEG, X86_INS_NOP, X86_INS_NOT, X86_INS_OUT, X86_INS_OUTSB, X86_INS_OUTSD, X86_INS_OUTSW, X86_INS_PACKUSDW, X86_INS_PAUSE, X86_INS_PAVGUSB, X86_INS_PBLENDVB, X86_INS_PBLENDW, X86_INS_PCLMULQDQ, X86_INS_PCMPEQQ, X86_INS_PCMPESTRI, X86_INS_PCMPESTRM, X86_INS_PCMPGTQ, X86_INS_PCMPISTRI, X86_INS_PCMPISTRM, X86_INS_PCOMMIT, X86_INS_PDEP, X86_INS_PEXT, X86_INS_PEXTRB, X86_INS_PEXTRD, X86_INS_PEXTRQ, X86_INS_PF2ID, X86_INS_PF2IW, X86_INS_PFACC, X86_INS_PFADD, X86_INS_PFCMPEQ, X86_INS_PFCMPGE, X86_INS_PFCMPGT, X86_INS_PFMAX, X86_INS_PFMIN, X86_INS_PFMUL, X86_INS_PFNACC, X86_INS_PFPNACC, X86_INS_PFRCPIT1, X86_INS_PFRCPIT2, X86_INS_PFRCP, X86_INS_PFRSQIT1, X86_INS_PFRSQRT, X86_INS_PFSUBR, X86_INS_PFSUB, X86_INS_PHMINPOSUW, X86_INS_PI2FD, X86_INS_PI2FW, X86_INS_PINSRB, X86_INS_PINSRD, X86_INS_PINSRQ, X86_INS_PMAXSB, X86_INS_PMAXSD, X86_INS_PMAXUD, X86_INS_PMAXUW, X86_INS_PMINSB, X86_INS_PMINSD, X86_INS_PMINUD, X86_INS_PMINUW, X86_INS_PMOVSXBD, X86_INS_PMOVSXBQ, X86_INS_PMOVSXBW, X86_INS_PMOVSXDQ, X86_INS_PMOVSXWD, X86_INS_PMOVSXWQ, X86_INS_PMOVZXBD, X86_INS_PMOVZXBQ, X86_INS_PMOVZXBW, X86_INS_PMOVZXDQ, X86_INS_PMOVZXWD, X86_INS_PMOVZXWQ, X86_INS_PMULDQ, X86_INS_PMULHRW, X86_INS_PMULLD, X86_INS_POP, X86_INS_POPAW, X86_INS_POPAL, X86_INS_POPCNT, X86_INS_POPF, X86_INS_POPFD, X86_INS_POPFQ, X86_INS_PREFETCH, X86_INS_PREFETCHNTA, X86_INS_PREFETCHT0, X86_INS_PREFETCHT1, X86_INS_PREFETCHT2, X86_INS_PREFETCHW, X86_INS_PSHUFD, X86_INS_PSHUFHW, X86_INS_PSHUFLW, X86_INS_PSLLDQ, X86_INS_PSRLDQ, X86_INS_PSWAPD, X86_INS_PTEST, X86_INS_PUNPCKHQDQ, X86_INS_PUNPCKLQDQ, X86_INS_PUSH, X86_INS_PUSHAW, X86_INS_PUSHAL, X86_INS_PUSHF, X86_INS_PUSHFD, X86_INS_PUSHFQ, X86_INS_RCL, X86_INS_RCPPS, X86_INS_RCPSS, X86_INS_RCR, X86_INS_RDFSBASE, X86_INS_RDGSBASE, X86_INS_RDMSR, X86_INS_RDPMC, X86_INS_RDRAND, X86_INS_RDSEED, X86_INS_RDTSC, X86_INS_RDTSCP, X86_INS_ROL, X86_INS_ROR, X86_INS_RORX, X86_INS_ROUNDPD, X86_INS_ROUNDPS, X86_INS_ROUNDSD, X86_INS_ROUNDSS, X86_INS_RSM, X86_INS_RSQRTPS, X86_INS_RSQRTSS, X86_INS_SAHF, X86_INS_SAL, X86_INS_SALC, X86_INS_SAR, X86_INS_SARX, X86_INS_SBB, X86_INS_SCASB, X86_INS_SCASD, X86_INS_SCASQ, X86_INS_SCASW, X86_INS_SETAE, X86_INS_SETA, X86_INS_SETBE, X86_INS_SETB, X86_INS_SETE, X86_INS_SETGE, X86_INS_SETG, X86_INS_SETLE, X86_INS_SETL, X86_INS_SETNE, X86_INS_SETNO, X86_INS_SETNP, X86_INS_SETNS, X86_INS_SETO, X86_INS_SETP, X86_INS_SETS, X86_INS_SFENCE, X86_INS_SGDT, X86_INS_SHA1MSG1, X86_INS_SHA1MSG2, X86_INS_SHA1NEXTE, X86_INS_SHA1RNDS4, X86_INS_SHA256MSG1, X86_INS_SHA256MSG2, X86_INS_SHA256RNDS2, X86_INS_SHL, X86_INS_SHLD, X86_INS_SHLX, X86_INS_SHR, X86_INS_SHRD, X86_INS_SHRX, X86_INS_SHUFPD, X86_INS_SHUFPS, X86_INS_SIDT, X86_INS_FSIN, X86_INS_SKINIT, X86_INS_SLDT, X86_INS_SMSW, X86_INS_SQRTPD, X86_INS_SQRTPS, X86_INS_SQRTSD, X86_INS_SQRTSS, X86_INS_FSQRT, X86_INS_STAC, X86_INS_STC, X86_INS_STD, X86_INS_STGI, X86_INS_STI, X86_INS_STMXCSR, X86_INS_STOSB, X86_INS_STOSD, X86_INS_STOSQ, X86_INS_STOSW, X86_INS_STR, X86_INS_FST, X86_INS_FSTP, X86_INS_FSTPNCE, X86_INS_FXCH, X86_INS_SUBPD, X86_INS_SUBPS, X86_INS_FSUBR, X86_INS_FISUBR, X86_INS_FSUBRP, X86_INS_SUBSD, X86_INS_SUBSS, X86_INS_FSUB, X86_INS_FISUB, X86_INS_FSUBP, X86_INS_SWAPGS, X86_INS_SYSCALL, X86_INS_SYSENTER, X86_INS_SYSEXIT, X86_INS_SYSRET, X86_INS_T1MSKC, X86_INS_TEST, X86_INS_UD2, X86_INS_FTST, X86_INS_TZCNT, X86_INS_TZMSK, X86_INS_FUCOMIP, X86_INS_FUCOMI, X86_INS_FUCOMPP, X86_INS_FUCOMP, X86_INS_FUCOM, X86_INS_UD2B, X86_INS_UNPCKHPD, X86_INS_UNPCKHPS, X86_INS_UNPCKLPD, X86_INS_UNPCKLPS, X86_INS_VADDPD, X86_INS_VADDPS, X86_INS_VADDSD, X86_INS_VADDSS, X86_INS_VADDSUBPD, X86_INS_VADDSUBPS, X86_INS_VAESDECLAST, X86_INS_VAESDEC, X86_INS_VAESENCLAST, X86_INS_VAESENC, X86_INS_VAESIMC, X86_INS_VAESKEYGENASSIST, X86_INS_VALIGND, X86_INS_VALIGNQ, X86_INS_VANDNPD, X86_INS_VANDNPS, X86_INS_VANDPD, X86_INS_VANDPS, X86_INS_VBLENDMPD, X86_INS_VBLENDMPS, X86_INS_VBLENDPD, X86_INS_VBLENDPS, X86_INS_VBLENDVPD, X86_INS_VBLENDVPS, X86_INS_VBROADCASTF128, X86_INS_VBROADCASTI32X4, X86_INS_VBROADCASTI64X4, X86_INS_VBROADCASTSD, X86_INS_VBROADCASTSS, X86_INS_VCOMPRESSPD, X86_INS_VCOMPRESSPS, X86_INS_VCVTDQ2PD, X86_INS_VCVTDQ2PS, X86_INS_VCVTPD2DQX, X86_INS_VCVTPD2DQ, X86_INS_VCVTPD2PSX, X86_INS_VCVTPD2PS, X86_INS_VCVTPD2UDQ, X86_INS_VCVTPH2PS, X86_INS_VCVTPS2DQ, X86_INS_VCVTPS2PD, X86_INS_VCVTPS2PH, X86_INS_VCVTPS2UDQ, X86_INS_VCVTSD2SI, X86_INS_VCVTSD2USI, X86_INS_VCVTSS2SI, X86_INS_VCVTSS2USI, X86_INS_VCVTTPD2DQX, X86_INS_VCVTTPD2DQ, X86_INS_VCVTTPD2UDQ, X86_INS_VCVTTPS2DQ, X86_INS_VCVTTPS2UDQ, X86_INS_VCVTUDQ2PD, X86_INS_VCVTUDQ2PS, X86_INS_VDIVPD, X86_INS_VDIVPS, X86_INS_VDIVSD, X86_INS_VDIVSS, X86_INS_VDPPD, X86_INS_VDPPS, X86_INS_VERR, X86_INS_VERW, X86_INS_VEXP2PD, X86_INS_VEXP2PS, X86_INS_VEXPANDPD, X86_INS_VEXPANDPS, X86_INS_VEXTRACTF128, X86_INS_VEXTRACTF32X4, X86_INS_VEXTRACTF64X4, X86_INS_VEXTRACTI128, X86_INS_VEXTRACTI32X4, X86_INS_VEXTRACTI64X4, X86_INS_VEXTRACTPS, X86_INS_VFMADD132PD, X86_INS_VFMADD132PS, X86_INS_VFMADDPD, X86_INS_VFMADD213PD, X86_INS_VFMADD231PD, X86_INS_VFMADDPS, X86_INS_VFMADD213PS, X86_INS_VFMADD231PS, X86_INS_VFMADDSD, X86_INS_VFMADD213SD, X86_INS_VFMADD132SD, X86_INS_VFMADD231SD, X86_INS_VFMADDSS, X86_INS_VFMADD213SS, X86_INS_VFMADD132SS, X86_INS_VFMADD231SS, X86_INS_VFMADDSUB132PD, X86_INS_VFMADDSUB132PS, X86_INS_VFMADDSUBPD, X86_INS_VFMADDSUB213PD, X86_INS_VFMADDSUB231PD, X86_INS_VFMADDSUBPS, X86_INS_VFMADDSUB213PS, X86_INS_VFMADDSUB231PS, X86_INS_VFMSUB132PD, X86_INS_VFMSUB132PS, X86_INS_VFMSUBADD132PD, X86_INS_VFMSUBADD132PS, X86_INS_VFMSUBADDPD, X86_INS_VFMSUBADD213PD, X86_INS_VFMSUBADD231PD, X86_INS_VFMSUBADDPS, X86_INS_VFMSUBADD213PS, X86_INS_VFMSUBADD231PS, X86_INS_VFMSUBPD, X86_INS_VFMSUB213PD, X86_INS_VFMSUB231PD, X86_INS_VFMSUBPS, X86_INS_VFMSUB213PS, X86_INS_VFMSUB231PS, X86_INS_VFMSUBSD, X86_INS_VFMSUB213SD, X86_INS_VFMSUB132SD, X86_INS_VFMSUB231SD, X86_INS_VFMSUBSS, X86_INS_VFMSUB213SS, X86_INS_VFMSUB132SS, X86_INS_VFMSUB231SS, X86_INS_VFNMADD132PD, X86_INS_VFNMADD132PS, X86_INS_VFNMADDPD, X86_INS_VFNMADD213PD, X86_INS_VFNMADD231PD, X86_INS_VFNMADDPS, X86_INS_VFNMADD213PS, X86_INS_VFNMADD231PS, X86_INS_VFNMADDSD, X86_INS_VFNMADD213SD, X86_INS_VFNMADD132SD, X86_INS_VFNMADD231SD, X86_INS_VFNMADDSS, X86_INS_VFNMADD213SS, X86_INS_VFNMADD132SS, X86_INS_VFNMADD231SS, X86_INS_VFNMSUB132PD, X86_INS_VFNMSUB132PS, X86_INS_VFNMSUBPD, X86_INS_VFNMSUB213PD, X86_INS_VFNMSUB231PD, X86_INS_VFNMSUBPS, X86_INS_VFNMSUB213PS, X86_INS_VFNMSUB231PS, X86_INS_VFNMSUBSD, X86_INS_VFNMSUB213SD, X86_INS_VFNMSUB132SD, X86_INS_VFNMSUB231SD, X86_INS_VFNMSUBSS, X86_INS_VFNMSUB213SS, X86_INS_VFNMSUB132SS, X86_INS_VFNMSUB231SS, X86_INS_VFRCZPD, X86_INS_VFRCZPS, X86_INS_VFRCZSD, X86_INS_VFRCZSS, X86_INS_VORPD, X86_INS_VORPS, X86_INS_VXORPD, X86_INS_VXORPS, X86_INS_VGATHERDPD, X86_INS_VGATHERDPS, X86_INS_VGATHERPF0DPD, X86_INS_VGATHERPF0DPS, X86_INS_VGATHERPF0QPD, X86_INS_VGATHERPF0QPS, X86_INS_VGATHERPF1DPD, X86_INS_VGATHERPF1DPS, X86_INS_VGATHERPF1QPD, X86_INS_VGATHERPF1QPS, X86_INS_VGATHERQPD, X86_INS_VGATHERQPS, X86_INS_VHADDPD, X86_INS_VHADDPS, X86_INS_VHSUBPD, X86_INS_VHSUBPS, X86_INS_VINSERTF128, X86_INS_VINSERTF32X4, X86_INS_VINSERTF32X8, X86_INS_VINSERTF64X2, X86_INS_VINSERTF64X4, X86_INS_VINSERTI128, X86_INS_VINSERTI32X4, X86_INS_VINSERTI32X8, X86_INS_VINSERTI64X2, X86_INS_VINSERTI64X4, X86_INS_VINSERTPS, X86_INS_VLDDQU, X86_INS_VLDMXCSR, X86_INS_VMASKMOVDQU, X86_INS_VMASKMOVPD, X86_INS_VMASKMOVPS, X86_INS_VMAXPD, X86_INS_VMAXPS, X86_INS_VMAXSD, X86_INS_VMAXSS, X86_INS_VMCALL, X86_INS_VMCLEAR, X86_INS_VMFUNC, X86_INS_VMINPD, X86_INS_VMINPS, X86_INS_VMINSD, X86_INS_VMINSS, X86_INS_VMLAUNCH, X86_INS_VMLOAD, X86_INS_VMMCALL, X86_INS_VMOVQ, X86_INS_VMOVDDUP, X86_INS_VMOVD, X86_INS_VMOVDQA32, X86_INS_VMOVDQA64, X86_INS_VMOVDQA, X86_INS_VMOVDQU16, X86_INS_VMOVDQU32, X86_INS_VMOVDQU64, X86_INS_VMOVDQU8, X86_INS_VMOVDQU, X86_INS_VMOVHLPS, X86_INS_VMOVHPD, X86_INS_VMOVHPS, X86_INS_VMOVLHPS, X86_INS_VMOVLPD, X86_INS_VMOVLPS, X86_INS_VMOVMSKPD, X86_INS_VMOVMSKPS, X86_INS_VMOVNTDQA, X86_INS_VMOVNTDQ, X86_INS_VMOVNTPD, X86_INS_VMOVNTPS, X86_INS_VMOVSD, X86_INS_VMOVSHDUP, X86_INS_VMOVSLDUP, X86_INS_VMOVSS, X86_INS_VMOVUPD, X86_INS_VMOVUPS, X86_INS_VMPSADBW, X86_INS_VMPTRLD, X86_INS_VMPTRST, X86_INS_VMREAD, X86_INS_VMRESUME, X86_INS_VMRUN, X86_INS_VMSAVE, X86_INS_VMULPD, X86_INS_VMULPS, X86_INS_VMULSD, X86_INS_VMULSS, X86_INS_VMWRITE, X86_INS_VMXOFF, X86_INS_VMXON, X86_INS_VPABSB, X86_INS_VPABSD, X86_INS_VPABSQ, X86_INS_VPABSW, X86_INS_VPACKSSDW, X86_INS_VPACKSSWB, X86_INS_VPACKUSDW, X86_INS_VPACKUSWB, X86_INS_VPADDB, X86_INS_VPADDD, X86_INS_VPADDQ, X86_INS_VPADDSB, X86_INS_VPADDSW, X86_INS_VPADDUSB, X86_INS_VPADDUSW, X86_INS_VPADDW, X86_INS_VPALIGNR, X86_INS_VPANDD, X86_INS_VPANDND, X86_INS_VPANDNQ, X86_INS_VPANDN, X86_INS_VPANDQ, X86_INS_VPAND, X86_INS_VPAVGB, X86_INS_VPAVGW, X86_INS_VPBLENDD, X86_INS_VPBLENDMB, X86_INS_VPBLENDMD, X86_INS_VPBLENDMQ, X86_INS_VPBLENDMW, X86_INS_VPBLENDVB, X86_INS_VPBLENDW, X86_INS_VPBROADCASTB, X86_INS_VPBROADCASTD, X86_INS_VPBROADCASTMB2Q, X86_INS_VPBROADCASTMW2D, X86_INS_VPBROADCASTQ, X86_INS_VPBROADCASTW, X86_INS_VPCLMULQDQ, X86_INS_VPCMOV, X86_INS_VPCMPB, X86_INS_VPCMPD, X86_INS_VPCMPEQB, X86_INS_VPCMPEQD, X86_INS_VPCMPEQQ, X86_INS_VPCMPEQW, X86_INS_VPCMPESTRI, X86_INS_VPCMPESTRM, X86_INS_VPCMPGTB, X86_INS_VPCMPGTD, X86_INS_VPCMPGTQ, X86_INS_VPCMPGTW, X86_INS_VPCMPISTRI, X86_INS_VPCMPISTRM, X86_INS_VPCMPQ, X86_INS_VPCMPUB, X86_INS_VPCMPUD, X86_INS_VPCMPUQ, X86_INS_VPCMPUW, X86_INS_VPCMPW, X86_INS_VPCOMB, X86_INS_VPCOMD, X86_INS_VPCOMPRESSD, X86_INS_VPCOMPRESSQ, X86_INS_VPCOMQ, X86_INS_VPCOMUB, X86_INS_VPCOMUD, X86_INS_VPCOMUQ, X86_INS_VPCOMUW, X86_INS_VPCOMW, X86_INS_VPCONFLICTD, X86_INS_VPCONFLICTQ, X86_INS_VPERM2F128, X86_INS_VPERM2I128, X86_INS_VPERMD, X86_INS_VPERMI2D, X86_INS_VPERMI2PD, X86_INS_VPERMI2PS, X86_INS_VPERMI2Q, X86_INS_VPERMIL2PD, X86_INS_VPERMIL2PS, X86_INS_VPERMILPD, X86_INS_VPERMILPS, X86_INS_VPERMPD, X86_INS_VPERMPS, X86_INS_VPERMQ, X86_INS_VPERMT2D, X86_INS_VPERMT2PD, X86_INS_VPERMT2PS, X86_INS_VPERMT2Q, X86_INS_VPEXPANDD, X86_INS_VPEXPANDQ, X86_INS_VPEXTRB, X86_INS_VPEXTRD, X86_INS_VPEXTRQ, X86_INS_VPEXTRW, X86_INS_VPGATHERDD, X86_INS_VPGATHERDQ, X86_INS_VPGATHERQD, X86_INS_VPGATHERQQ, X86_INS_VPHADDBD, X86_INS_VPHADDBQ, X86_INS_VPHADDBW, X86_INS_VPHADDDQ, X86_INS_VPHADDD, X86_INS_VPHADDSW, X86_INS_VPHADDUBD, X86_INS_VPHADDUBQ, X86_INS_VPHADDUBW, X86_INS_VPHADDUDQ, X86_INS_VPHADDUWD, X86_INS_VPHADDUWQ, X86_INS_VPHADDWD, X86_INS_VPHADDWQ, X86_INS_VPHADDW, X86_INS_VPHMINPOSUW, X86_INS_VPHSUBBW, X86_INS_VPHSUBDQ, X86_INS_VPHSUBD, X86_INS_VPHSUBSW, X86_INS_VPHSUBWD, X86_INS_VPHSUBW, X86_INS_VPINSRB, X86_INS_VPINSRD, X86_INS_VPINSRQ, X86_INS_VPINSRW, X86_INS_VPLZCNTD, X86_INS_VPLZCNTQ, X86_INS_VPMACSDD, X86_INS_VPMACSDQH, X86_INS_VPMACSDQL, X86_INS_VPMACSSDD, X86_INS_VPMACSSDQH, X86_INS_VPMACSSDQL, X86_INS_VPMACSSWD, X86_INS_VPMACSSWW, X86_INS_VPMACSWD, X86_INS_VPMACSWW, X86_INS_VPMADCSSWD, X86_INS_VPMADCSWD, X86_INS_VPMADDUBSW, X86_INS_VPMADDWD, X86_INS_VPMASKMOVD, X86_INS_VPMASKMOVQ, X86_INS_VPMAXSB, X86_INS_VPMAXSD, X86_INS_VPMAXSQ, X86_INS_VPMAXSW, X86_INS_VPMAXUB, X86_INS_VPMAXUD, X86_INS_VPMAXUQ, X86_INS_VPMAXUW, X86_INS_VPMINSB, X86_INS_VPMINSD, X86_INS_VPMINSQ, X86_INS_VPMINSW, X86_INS_VPMINUB, X86_INS_VPMINUD, X86_INS_VPMINUQ, X86_INS_VPMINUW, X86_INS_VPMOVDB, X86_INS_VPMOVDW, X86_INS_VPMOVM2B, X86_INS_VPMOVM2D, X86_INS_VPMOVM2Q, X86_INS_VPMOVM2W, X86_INS_VPMOVMSKB, X86_INS_VPMOVQB, X86_INS_VPMOVQD, X86_INS_VPMOVQW, X86_INS_VPMOVSDB, X86_INS_VPMOVSDW, X86_INS_VPMOVSQB, X86_INS_VPMOVSQD, X86_INS_VPMOVSQW, X86_INS_VPMOVSXBD, X86_INS_VPMOVSXBQ, X86_INS_VPMOVSXBW, X86_INS_VPMOVSXDQ, X86_INS_VPMOVSXWD, X86_INS_VPMOVSXWQ, X86_INS_VPMOVUSDB, X86_INS_VPMOVUSDW, X86_INS_VPMOVUSQB, X86_INS_VPMOVUSQD, X86_INS_VPMOVUSQW, X86_INS_VPMOVZXBD, X86_INS_VPMOVZXBQ, X86_INS_VPMOVZXBW, X86_INS_VPMOVZXDQ, X86_INS_VPMOVZXWD, X86_INS_VPMOVZXWQ, X86_INS_VPMULDQ, X86_INS_VPMULHRSW, X86_INS_VPMULHUW, X86_INS_VPMULHW, X86_INS_VPMULLD, X86_INS_VPMULLQ, X86_INS_VPMULLW, X86_INS_VPMULUDQ, X86_INS_VPORD, X86_INS_VPORQ, X86_INS_VPOR, X86_INS_VPPERM, X86_INS_VPROTB, X86_INS_VPROTD, X86_INS_VPROTQ, X86_INS_VPROTW, X86_INS_VPSADBW, X86_INS_VPSCATTERDD, X86_INS_VPSCATTERDQ, X86_INS_VPSCATTERQD, X86_INS_VPSCATTERQQ, X86_INS_VPSHAB, X86_INS_VPSHAD, X86_INS_VPSHAQ, X86_INS_VPSHAW, X86_INS_VPSHLB, X86_INS_VPSHLD, X86_INS_VPSHLQ, X86_INS_VPSHLW, X86_INS_VPSHUFB, X86_INS_VPSHUFD, X86_INS_VPSHUFHW, X86_INS_VPSHUFLW, X86_INS_VPSIGNB, X86_INS_VPSIGND, X86_INS_VPSIGNW, X86_INS_VPSLLDQ, X86_INS_VPSLLD, X86_INS_VPSLLQ, X86_INS_VPSLLVD, X86_INS_VPSLLVQ, X86_INS_VPSLLW, X86_INS_VPSRAD, X86_INS_VPSRAQ, X86_INS_VPSRAVD, X86_INS_VPSRAVQ, X86_INS_VPSRAW, X86_INS_VPSRLDQ, X86_INS_VPSRLD, X86_INS_VPSRLQ, X86_INS_VPSRLVD, X86_INS_VPSRLVQ, X86_INS_VPSRLW, X86_INS_VPSUBB, X86_INS_VPSUBD, X86_INS_VPSUBQ, X86_INS_VPSUBSB, X86_INS_VPSUBSW, X86_INS_VPSUBUSB, X86_INS_VPSUBUSW, X86_INS_VPSUBW, X86_INS_VPTESTMD, X86_INS_VPTESTMQ, X86_INS_VPTESTNMD, X86_INS_VPTESTNMQ, X86_INS_VPTEST, X86_INS_VPUNPCKHBW, X86_INS_VPUNPCKHDQ, X86_INS_VPUNPCKHQDQ, X86_INS_VPUNPCKHWD, X86_INS_VPUNPCKLBW, X86_INS_VPUNPCKLDQ, X86_INS_VPUNPCKLQDQ, X86_INS_VPUNPCKLWD, X86_INS_VPXORD, X86_INS_VPXORQ, X86_INS_VPXOR, X86_INS_VRCP14PD, X86_INS_VRCP14PS, X86_INS_VRCP14SD, X86_INS_VRCP14SS, X86_INS_VRCP28PD, X86_INS_VRCP28PS, X86_INS_VRCP28SD, X86_INS_VRCP28SS, X86_INS_VRCPPS, X86_INS_VRCPSS, X86_INS_VRNDSCALEPD, X86_INS_VRNDSCALEPS, X86_INS_VRNDSCALESD, X86_INS_VRNDSCALESS, X86_INS_VROUNDPD, X86_INS_VROUNDPS, X86_INS_VROUNDSD, X86_INS_VROUNDSS, X86_INS_VRSQRT14PD, X86_INS_VRSQRT14PS, X86_INS_VRSQRT14SD, X86_INS_VRSQRT14SS, X86_INS_VRSQRT28PD, X86_INS_VRSQRT28PS, X86_INS_VRSQRT28SD, X86_INS_VRSQRT28SS, X86_INS_VRSQRTPS, X86_INS_VRSQRTSS, X86_INS_VSCATTERDPD, X86_INS_VSCATTERDPS, X86_INS_VSCATTERPF0DPD, X86_INS_VSCATTERPF0DPS, X86_INS_VSCATTERPF0QPD, X86_INS_VSCATTERPF0QPS, X86_INS_VSCATTERPF1DPD, X86_INS_VSCATTERPF1DPS, X86_INS_VSCATTERPF1QPD, X86_INS_VSCATTERPF1QPS, X86_INS_VSCATTERQPD, X86_INS_VSCATTERQPS, X86_INS_VSHUFPD, X86_INS_VSHUFPS, X86_INS_VSQRTPD, X86_INS_VSQRTPS, X86_INS_VSQRTSD, X86_INS_VSQRTSS, X86_INS_VSTMXCSR, X86_INS_VSUBPD, X86_INS_VSUBPS, X86_INS_VSUBSD, X86_INS_VSUBSS, X86_INS_VTESTPD, X86_INS_VTESTPS, X86_INS_VUNPCKHPD, X86_INS_VUNPCKHPS, X86_INS_VUNPCKLPD, X86_INS_VUNPCKLPS, X86_INS_VZEROALL, X86_INS_VZEROUPPER, X86_INS_WAIT, X86_INS_WBINVD, X86_INS_WRFSBASE, X86_INS_WRGSBASE, X86_INS_WRMSR, X86_INS_XABORT, X86_INS_XACQUIRE, X86_INS_XBEGIN, X86_INS_XCHG, X86_INS_XCRYPTCBC, X86_INS_XCRYPTCFB, X86_INS_XCRYPTCTR, X86_INS_XCRYPTECB, X86_INS_XCRYPTOFB, X86_INS_XEND, X86_INS_XGETBV, X86_INS_XLATB, X86_INS_XRELEASE, X86_INS_XRSTOR, X86_INS_XRSTOR64, X86_INS_XRSTORS, X86_INS_XRSTORS64, X86_INS_XSAVE, X86_INS_XSAVE64, X86_INS_XSAVEC, X86_INS_XSAVEC64, X86_INS_XSAVEOPT, X86_INS_XSAVEOPT64, X86_INS_XSAVES, X86_INS_XSAVES64, X86_INS_XSETBV, X86_INS_XSHA1, X86_INS_XSHA256, X86_INS_XSTORE, X86_INS_XTEST, X86_INS_FDISI8087_NOP, X86_INS_FENI8087_NOP, // pseudo instructions X86_INS_CMPSS, X86_INS_CMPEQSS, X86_INS_CMPLTSS, X86_INS_CMPLESS, X86_INS_CMPUNORDSS, X86_INS_CMPNEQSS, X86_INS_CMPNLTSS, X86_INS_CMPNLESS, X86_INS_CMPORDSS, X86_INS_CMPSD, X86_INS_CMPEQSD, X86_INS_CMPLTSD, X86_INS_CMPLESD, X86_INS_CMPUNORDSD, X86_INS_CMPNEQSD, X86_INS_CMPNLTSD, X86_INS_CMPNLESD, X86_INS_CMPORDSD, X86_INS_CMPPS, X86_INS_CMPEQPS, X86_INS_CMPLTPS, X86_INS_CMPLEPS, X86_INS_CMPUNORDPS, X86_INS_CMPNEQPS, X86_INS_CMPNLTPS, X86_INS_CMPNLEPS, X86_INS_CMPORDPS, X86_INS_CMPPD, X86_INS_CMPEQPD, X86_INS_CMPLTPD, X86_INS_CMPLEPD, X86_INS_CMPUNORDPD, X86_INS_CMPNEQPD, X86_INS_CMPNLTPD, X86_INS_CMPNLEPD, X86_INS_CMPORDPD, X86_INS_VCMPSS, X86_INS_VCMPEQSS, X86_INS_VCMPLTSS, X86_INS_VCMPLESS, X86_INS_VCMPUNORDSS, X86_INS_VCMPNEQSS, X86_INS_VCMPNLTSS, X86_INS_VCMPNLESS, X86_INS_VCMPORDSS, X86_INS_VCMPEQ_UQSS, X86_INS_VCMPNGESS, X86_INS_VCMPNGTSS, X86_INS_VCMPFALSESS, X86_INS_VCMPNEQ_OQSS, X86_INS_VCMPGESS, X86_INS_VCMPGTSS, X86_INS_VCMPTRUESS, X86_INS_VCMPEQ_OSSS, X86_INS_VCMPLT_OQSS, X86_INS_VCMPLE_OQSS, X86_INS_VCMPUNORD_SSS, X86_INS_VCMPNEQ_USSS, X86_INS_VCMPNLT_UQSS, X86_INS_VCMPNLE_UQSS, X86_INS_VCMPORD_SSS, X86_INS_VCMPEQ_USSS, X86_INS_VCMPNGE_UQSS, X86_INS_VCMPNGT_UQSS, X86_INS_VCMPFALSE_OSSS, X86_INS_VCMPNEQ_OSSS, X86_INS_VCMPGE_OQSS, X86_INS_VCMPGT_OQSS, X86_INS_VCMPTRUE_USSS, X86_INS_VCMPSD, X86_INS_VCMPEQSD, X86_INS_VCMPLTSD, X86_INS_VCMPLESD, X86_INS_VCMPUNORDSD, X86_INS_VCMPNEQSD, X86_INS_VCMPNLTSD, X86_INS_VCMPNLESD, X86_INS_VCMPORDSD, X86_INS_VCMPEQ_UQSD, X86_INS_VCMPNGESD, X86_INS_VCMPNGTSD, X86_INS_VCMPFALSESD, X86_INS_VCMPNEQ_OQSD, X86_INS_VCMPGESD, X86_INS_VCMPGTSD, X86_INS_VCMPTRUESD, X86_INS_VCMPEQ_OSSD, X86_INS_VCMPLT_OQSD, X86_INS_VCMPLE_OQSD, X86_INS_VCMPUNORD_SSD, X86_INS_VCMPNEQ_USSD, X86_INS_VCMPNLT_UQSD, X86_INS_VCMPNLE_UQSD, X86_INS_VCMPORD_SSD, X86_INS_VCMPEQ_USSD, X86_INS_VCMPNGE_UQSD, X86_INS_VCMPNGT_UQSD, X86_INS_VCMPFALSE_OSSD, X86_INS_VCMPNEQ_OSSD, X86_INS_VCMPGE_OQSD, X86_INS_VCMPGT_OQSD, X86_INS_VCMPTRUE_USSD, X86_INS_VCMPPS, X86_INS_VCMPEQPS, X86_INS_VCMPLTPS, X86_INS_VCMPLEPS, X86_INS_VCMPUNORDPS, X86_INS_VCMPNEQPS, X86_INS_VCMPNLTPS, X86_INS_VCMPNLEPS, X86_INS_VCMPORDPS, X86_INS_VCMPEQ_UQPS, X86_INS_VCMPNGEPS, X86_INS_VCMPNGTPS, X86_INS_VCMPFALSEPS, X86_INS_VCMPNEQ_OQPS, X86_INS_VCMPGEPS, X86_INS_VCMPGTPS, X86_INS_VCMPTRUEPS, X86_INS_VCMPEQ_OSPS, X86_INS_VCMPLT_OQPS, X86_INS_VCMPLE_OQPS, X86_INS_VCMPUNORD_SPS, X86_INS_VCMPNEQ_USPS, X86_INS_VCMPNLT_UQPS, X86_INS_VCMPNLE_UQPS, X86_INS_VCMPORD_SPS, X86_INS_VCMPEQ_USPS, X86_INS_VCMPNGE_UQPS, X86_INS_VCMPNGT_UQPS, X86_INS_VCMPFALSE_OSPS, X86_INS_VCMPNEQ_OSPS, X86_INS_VCMPGE_OQPS, X86_INS_VCMPGT_OQPS, X86_INS_VCMPTRUE_USPS, X86_INS_VCMPPD, X86_INS_VCMPEQPD, X86_INS_VCMPLTPD, X86_INS_VCMPLEPD, X86_INS_VCMPUNORDPD, X86_INS_VCMPNEQPD, X86_INS_VCMPNLTPD, X86_INS_VCMPNLEPD, X86_INS_VCMPORDPD, X86_INS_VCMPEQ_UQPD, X86_INS_VCMPNGEPD, X86_INS_VCMPNGTPD, X86_INS_VCMPFALSEPD, X86_INS_VCMPNEQ_OQPD, X86_INS_VCMPGEPD, X86_INS_VCMPGTPD, X86_INS_VCMPTRUEPD, X86_INS_VCMPEQ_OSPD, X86_INS_VCMPLT_OQPD, X86_INS_VCMPLE_OQPD, X86_INS_VCMPUNORD_SPD, X86_INS_VCMPNEQ_USPD, X86_INS_VCMPNLT_UQPD, X86_INS_VCMPNLE_UQPD, X86_INS_VCMPORD_SPD, X86_INS_VCMPEQ_USPD, X86_INS_VCMPNGE_UQPD, X86_INS_VCMPNGT_UQPD, X86_INS_VCMPFALSE_OSPD, X86_INS_VCMPNEQ_OSPD, X86_INS_VCMPGE_OQPD, X86_INS_VCMPGT_OQPD, X86_INS_VCMPTRUE_USPD, X86_INS_ENDING, // mark the end of the list of insn } x86_insn; //> Group of X86 instructions typedef enum x86_insn_group { X86_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) X86_GRP_JUMP, // = CS_GRP_JUMP // all call instructions X86_GRP_CALL, // = CS_GRP_CALL // all return instructions X86_GRP_RET, // = CS_GRP_RET // all interrupt instructions (int+syscall) X86_GRP_INT, // = CS_GRP_INT // all interrupt return instructions X86_GRP_IRET, // = CS_GRP_IRET // all privileged instructions X86_GRP_PRIVILEGE, // = CS_GRP_PRIVILEGE //> Architecture-specific groups X86_GRP_VM = 128, // all virtualization instructions (VT-x + AMD-V) X86_GRP_3DNOW, X86_GRP_AES, X86_GRP_ADX, X86_GRP_AVX, X86_GRP_AVX2, X86_GRP_AVX512, X86_GRP_BMI, X86_GRP_BMI2, X86_GRP_CMOV, X86_GRP_F16C, X86_GRP_FMA, X86_GRP_FMA4, X86_GRP_FSGSBASE, X86_GRP_HLE, X86_GRP_MMX, X86_GRP_MODE32, X86_GRP_MODE64, X86_GRP_RTM, X86_GRP_SHA, X86_GRP_SSE1, X86_GRP_SSE2, X86_GRP_SSE3, X86_GRP_SSE41, X86_GRP_SSE42, X86_GRP_SSE4A, X86_GRP_SSSE3, X86_GRP_PCLMUL, X86_GRP_XOP, X86_GRP_CDI, X86_GRP_ERI, X86_GRP_TBM, X86_GRP_16BITMODE, X86_GRP_NOT64BITMODE, X86_GRP_SGX, X86_GRP_DQI, X86_GRP_BWI, X86_GRP_PFI, X86_GRP_VLX, X86_GRP_SMAP, X86_GRP_NOVLX, X86_GRP_ENDING } x86_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/capstone/xcore.h ================================================ #ifndef CAPSTONE_XCORE_H #define CAPSTONE_XCORE_H /* Capstone Disassembly Engine */ /* By Nguyen Anh Quynh , 2014-2015 */ #ifdef __cplusplus extern "C" { #endif #include "platform.h" #ifdef _MSC_VER #pragma warning(disable:4201) #endif //> Operand type for instruction's operands typedef enum xcore_op_type { XCORE_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). XCORE_OP_REG, // = CS_OP_REG (Register operand). XCORE_OP_IMM, // = CS_OP_IMM (Immediate operand). XCORE_OP_MEM, // = CS_OP_MEM (Memory operand). } xcore_op_type; //> XCore registers typedef enum xcore_reg { XCORE_REG_INVALID = 0, XCORE_REG_CP, XCORE_REG_DP, XCORE_REG_LR, XCORE_REG_SP, XCORE_REG_R0, XCORE_REG_R1, XCORE_REG_R2, XCORE_REG_R3, XCORE_REG_R4, XCORE_REG_R5, XCORE_REG_R6, XCORE_REG_R7, XCORE_REG_R8, XCORE_REG_R9, XCORE_REG_R10, XCORE_REG_R11, //> pseudo registers XCORE_REG_PC, // pc // internal thread registers // see The-XMOS-XS1-Architecture(X7879A).pdf XCORE_REG_SCP, // save pc XCORE_REG_SSR, // save status XCORE_REG_ET, // exception type XCORE_REG_ED, // exception data XCORE_REG_SED, // save exception data XCORE_REG_KEP, // kernel entry pointer XCORE_REG_KSP, // kernel stack pointer XCORE_REG_ID, // thread ID XCORE_REG_ENDING, // <-- mark the end of the list of registers } xcore_reg; // Instruction's operand referring to memory // This is associated with XCORE_OP_MEM operand type above typedef struct xcore_op_mem { uint8_t base; // base register, can be safely interpreted as // a value of type `xcore_reg`, but it is only // one byte wide uint8_t index; // index register, same conditions apply here int32_t disp; // displacement/offset value int direct; // +1: forward, -1: backward } xcore_op_mem; // Instruction operand typedef struct cs_xcore_op { xcore_op_type type; // operand type union { xcore_reg reg; // register value for REG operand int32_t imm; // immediate value for IMM operand xcore_op_mem mem; // base/disp value for MEM operand }; } cs_xcore_op; // Instruction structure typedef struct cs_xcore { // Number of operands of this instruction, // or 0 when instruction has no operand. uint8_t op_count; cs_xcore_op operands[8]; // operands for this instruction. } cs_xcore; //> XCore instruction typedef enum xcore_insn { XCORE_INS_INVALID = 0, XCORE_INS_ADD, XCORE_INS_ANDNOT, XCORE_INS_AND, XCORE_INS_ASHR, XCORE_INS_BAU, XCORE_INS_BITREV, XCORE_INS_BLA, XCORE_INS_BLAT, XCORE_INS_BL, XCORE_INS_BF, XCORE_INS_BT, XCORE_INS_BU, XCORE_INS_BRU, XCORE_INS_BYTEREV, XCORE_INS_CHKCT, XCORE_INS_CLRE, XCORE_INS_CLRPT, XCORE_INS_CLRSR, XCORE_INS_CLZ, XCORE_INS_CRC8, XCORE_INS_CRC32, XCORE_INS_DCALL, XCORE_INS_DENTSP, XCORE_INS_DGETREG, XCORE_INS_DIVS, XCORE_INS_DIVU, XCORE_INS_DRESTSP, XCORE_INS_DRET, XCORE_INS_ECALLF, XCORE_INS_ECALLT, XCORE_INS_EDU, XCORE_INS_EEF, XCORE_INS_EET, XCORE_INS_EEU, XCORE_INS_ENDIN, XCORE_INS_ENTSP, XCORE_INS_EQ, XCORE_INS_EXTDP, XCORE_INS_EXTSP, XCORE_INS_FREER, XCORE_INS_FREET, XCORE_INS_GETD, XCORE_INS_GET, XCORE_INS_GETN, XCORE_INS_GETR, XCORE_INS_GETSR, XCORE_INS_GETST, XCORE_INS_GETTS, XCORE_INS_INCT, XCORE_INS_INIT, XCORE_INS_INPW, XCORE_INS_INSHR, XCORE_INS_INT, XCORE_INS_IN, XCORE_INS_KCALL, XCORE_INS_KENTSP, XCORE_INS_KRESTSP, XCORE_INS_KRET, XCORE_INS_LADD, XCORE_INS_LD16S, XCORE_INS_LD8U, XCORE_INS_LDA16, XCORE_INS_LDAP, XCORE_INS_LDAW, XCORE_INS_LDC, XCORE_INS_LDW, XCORE_INS_LDIVU, XCORE_INS_LMUL, XCORE_INS_LSS, XCORE_INS_LSUB, XCORE_INS_LSU, XCORE_INS_MACCS, XCORE_INS_MACCU, XCORE_INS_MJOIN, XCORE_INS_MKMSK, XCORE_INS_MSYNC, XCORE_INS_MUL, XCORE_INS_NEG, XCORE_INS_NOT, XCORE_INS_OR, XCORE_INS_OUTCT, XCORE_INS_OUTPW, XCORE_INS_OUTSHR, XCORE_INS_OUTT, XCORE_INS_OUT, XCORE_INS_PEEK, XCORE_INS_REMS, XCORE_INS_REMU, XCORE_INS_RETSP, XCORE_INS_SETCLK, XCORE_INS_SET, XCORE_INS_SETC, XCORE_INS_SETD, XCORE_INS_SETEV, XCORE_INS_SETN, XCORE_INS_SETPSC, XCORE_INS_SETPT, XCORE_INS_SETRDY, XCORE_INS_SETSR, XCORE_INS_SETTW, XCORE_INS_SETV, XCORE_INS_SEXT, XCORE_INS_SHL, XCORE_INS_SHR, XCORE_INS_SSYNC, XCORE_INS_ST16, XCORE_INS_ST8, XCORE_INS_STW, XCORE_INS_SUB, XCORE_INS_SYNCR, XCORE_INS_TESTCT, XCORE_INS_TESTLCL, XCORE_INS_TESTWCT, XCORE_INS_TSETMR, XCORE_INS_START, XCORE_INS_WAITEF, XCORE_INS_WAITET, XCORE_INS_WAITEU, XCORE_INS_XOR, XCORE_INS_ZEXT, XCORE_INS_ENDING, // <-- mark the end of the list of instructions } xcore_insn; //> Group of XCore instructions typedef enum xcore_insn_group { XCORE_GRP_INVALID = 0, // = CS_GRP_INVALID //> Generic groups // all jump instructions (conditional+direct+indirect jumps) XCORE_GRP_JUMP, // = CS_GRP_JUMP XCORE_GRP_ENDING, // <-- mark the end of the list of groups } xcore_insn_group; #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/dbghelp/dbghelp.h ================================================ #ifndef _DBGHELP_ #define _DBGHELP_ // As a general principal always call the 64 bit version // of every API, if a choice exists. The 64 bit version // works great on 32 bit platforms, and is forward // compatible to 64 bit platforms. #ifdef _WIN64 #ifndef _IMAGEHLP64 #define _IMAGEHLP64 #endif #endif #pragma pack(push,8) // For those without specstrings.h // Since there are different versions of this header, I need to // individually test each item and define it if it is not around. #ifndef __in #define __in #endif #ifndef __out #define __out #endif #ifndef __inout #define __inout #endif #ifndef __in_opt #define __in_opt #endif #ifndef __out_opt #define __out_opt #endif #ifndef __inout_opt #define __inout_opt #endif #ifndef __in_ecount #define __in_ecount(x) #endif #ifndef __out_ecount #define __out_ecount(x) #endif #ifndef __inout_ecount #define __inout_ecount(x) #endif #ifndef __in_bcount #define __in_bcount(x) #endif #ifndef __out_bcount #define __out_bcount(x) #endif #ifndef __inout_bcount #define __inout_bcount(x) #endif #ifndef __out_xcount #define __out_xcount(x) #endif #ifndef __deref_opt_out #define __deref_opt_out #endif #ifndef __deref_out #define __deref_out #endif #ifndef __out_ecount_opt #define __out_ecount_opt(x) #endif #ifndef __in_bcount_opt #define __in_bcount_opt(x) #endif #ifndef __out_bcount_opt #define __out_bcount_opt(x) #endif #ifndef __deref_out_opt #define __deref_out_opt #endif #ifdef __cplusplus extern "C" { #endif #ifdef _IMAGEHLP_SOURCE_ #define IMAGEAPI __stdcall #define DBHLP_DEPRECIATED #else #define IMAGEAPI DECLSPEC_IMPORT __stdcall #if (_MSC_VER >= 1300) && !defined(MIDL_PASS) #define DBHLP_DEPRECIATED __declspec(deprecated) #else #define DBHLP_DEPRECIATED #endif #endif #define DBHLPAPI IMAGEAPI #define IMAGE_SEPARATION (64*1024) // Observant readers may notice that 2 new fields, // 'fReadOnly' and 'Version' have been added to // the LOADED_IMAGE structure after 'fDOSImage'. // This does not change the size of the structure // from previous headers. That is because while // 'fDOSImage' is a byte, it is padded by the // compiler to 4 bytes. So the 2 new fields are // slipped into the extra space. typedef struct _LOADED_IMAGE { PSTR ModuleName; HANDLE hFile; PUCHAR MappedAddress; #ifdef _IMAGEHLP64 PIMAGE_NT_HEADERS64 FileHeader; #else PIMAGE_NT_HEADERS32 FileHeader; #endif PIMAGE_SECTION_HEADER LastRvaSection; ULONG NumberOfSections; PIMAGE_SECTION_HEADER Sections; ULONG Characteristics; BOOLEAN fSystemImage; BOOLEAN fDOSImage; BOOLEAN fReadOnly; UCHAR Version; LIST_ENTRY Links; ULONG SizeOfImage; } LOADED_IMAGE, *PLOADED_IMAGE; #define MAX_SYM_NAME 2000 // Error codes set by dbghelp functions. Call GetLastError // to see them. // Dbghelp also sets error codes found in winerror.h #define ERROR_IMAGE_NOT_STRIPPED 0x8800 // the image is not stripped. No dbg file available. #define ERROR_NO_DBG_POINTER 0x8801 // image is stripped but there is no pointer to a dbg file #define ERROR_NO_PDB_POINTER 0x8802 // image does not point to a pdb file typedef BOOL (CALLBACK* PFIND_DEBUG_FILE_CALLBACK)( __in HANDLE FileHandle, __in PCSTR FileName, __in PVOID CallerData ); HANDLE IMAGEAPI SymFindDebugInfoFile( __in HANDLE hProcess, __in PCSTR FileName, __out_ecount(MAX_PATH + 1) PSTR DebugFilePath, __in_opt PFIND_DEBUG_FILE_CALLBACK Callback, __in_opt PVOID CallerData ); typedef BOOL (CALLBACK* PFIND_DEBUG_FILE_CALLBACKW)( __in HANDLE FileHandle, __in PCWSTR FileName, __in PVOID CallerData ); HANDLE IMAGEAPI SymFindDebugInfoFileW( __in HANDLE hProcess, __in PCWSTR FileName, __out_ecount(MAX_PATH + 1) PWSTR DebugFilePath, __in_opt PFIND_DEBUG_FILE_CALLBACKW Callback, __in_opt PVOID CallerData ); HANDLE IMAGEAPI FindDebugInfoFile( __in PCSTR FileName, __in PCSTR SymbolPath, __out_ecount(MAX_PATH + 1) PSTR DebugFilePath ); HANDLE IMAGEAPI FindDebugInfoFileEx( __in PCSTR FileName, __in PCSTR SymbolPath, __out_ecount(MAX_PATH + 1) PSTR DebugFilePath, __in_opt PFIND_DEBUG_FILE_CALLBACK Callback, __in_opt PVOID CallerData ); HANDLE IMAGEAPI FindDebugInfoFileExW( __in PCWSTR FileName, __in PCWSTR SymbolPath, __out_ecount(MAX_PATH + 1) PWSTR DebugFilePath, __in_opt PFIND_DEBUG_FILE_CALLBACKW Callback, __in_opt PVOID CallerData ); typedef BOOL (CALLBACK* PFINDFILEINPATHCALLBACK)( __in PCSTR filename, __in PVOID context ); BOOL IMAGEAPI SymFindFileInPath( __in HANDLE hprocess, __in_opt PCSTR SearchPath, __in PCSTR FileName, __in_opt PVOID id, __in DWORD two, __in DWORD three, __in DWORD flags, __out_ecount(MAX_PATH + 1) PSTR FoundFile, __in_opt PFINDFILEINPATHCALLBACK callback, __in_opt PVOID context ); typedef BOOL (CALLBACK* PFINDFILEINPATHCALLBACKW)( __in PCWSTR filename, __in PVOID context ); BOOL IMAGEAPI SymFindFileInPathW( __in HANDLE hprocess, __in_opt PCWSTR SearchPath, __in PCWSTR FileName, __in_opt PVOID id, __in DWORD two, __in DWORD three, __in DWORD flags, __out_ecount(MAX_PATH + 1) PWSTR FoundFile, __in_opt PFINDFILEINPATHCALLBACKW callback, __in_opt PVOID context ); typedef BOOL (CALLBACK* PFIND_EXE_FILE_CALLBACK)( __in HANDLE FileHandle, __in PCSTR FileName, __in_opt PVOID CallerData ); HANDLE IMAGEAPI SymFindExecutableImage( __in HANDLE hProcess, __in PCSTR FileName, __out_ecount(MAX_PATH + 1) PSTR ImageFilePath, __in PFIND_EXE_FILE_CALLBACK Callback, __in PVOID CallerData ); typedef BOOL (CALLBACK* PFIND_EXE_FILE_CALLBACKW)( __in HANDLE FileHandle, __in PCWSTR FileName, __in_opt PVOID CallerData ); HANDLE IMAGEAPI SymFindExecutableImageW( __in HANDLE hProcess, __in PCWSTR FileName, __out_ecount(MAX_PATH + 1) PWSTR ImageFilePath, __in PFIND_EXE_FILE_CALLBACKW Callback, __in PVOID CallerData ); HANDLE IMAGEAPI FindExecutableImage( __in PCSTR FileName, __in PCSTR SymbolPath, __out_ecount(MAX_PATH + 1) PSTR ImageFilePath ); HANDLE IMAGEAPI FindExecutableImageEx( __in PCSTR FileName, __in PCSTR SymbolPath, __out_ecount(MAX_PATH + 1) PSTR ImageFilePath, __in_opt PFIND_EXE_FILE_CALLBACK Callback, __in_opt PVOID CallerData ); HANDLE IMAGEAPI FindExecutableImageExW( __in PCWSTR FileName, __in PCWSTR SymbolPath, __out_ecount(MAX_PATH + 1) PWSTR ImageFilePath, __in_opt PFIND_EXE_FILE_CALLBACKW Callback, __in PVOID CallerData ); PIMAGE_NT_HEADERS IMAGEAPI ImageNtHeader( __in PVOID Base ); PVOID IMAGEAPI ImageDirectoryEntryToDataEx( __in PVOID Base, __in BOOLEAN MappedAsImage, __in USHORT DirectoryEntry, __out PULONG Size, __out_opt PIMAGE_SECTION_HEADER* FoundHeader ); PVOID IMAGEAPI ImageDirectoryEntryToData( __in PVOID Base, __in BOOLEAN MappedAsImage, __in USHORT DirectoryEntry, __out PULONG Size ); PIMAGE_SECTION_HEADER IMAGEAPI ImageRvaToSection( __in PIMAGE_NT_HEADERS NtHeaders, __in PVOID Base, __in ULONG Rva ); PVOID IMAGEAPI ImageRvaToVa( __in PIMAGE_NT_HEADERS NtHeaders, __in PVOID Base, __in ULONG Rva, __in_opt OUT PIMAGE_SECTION_HEADER* LastRvaSection ); #ifndef _WIN64 // This api won't be ported to Win64 - Fix your code. typedef struct _IMAGE_DEBUG_INFORMATION { LIST_ENTRY List; DWORD ReservedSize; PVOID ReservedMappedBase; USHORT ReservedMachine; USHORT ReservedCharacteristics; DWORD ReservedCheckSum; DWORD ImageBase; DWORD SizeOfImage; DWORD ReservedNumberOfSections; PIMAGE_SECTION_HEADER ReservedSections; DWORD ReservedExportedNamesSize; PSTR ReservedExportedNames; DWORD ReservedNumberOfFunctionTableEntries; PIMAGE_FUNCTION_ENTRY ReservedFunctionTableEntries; DWORD ReservedLowestFunctionStartingAddress; DWORD ReservedHighestFunctionEndingAddress; DWORD ReservedNumberOfFpoTableEntries; PFPO_DATA ReservedFpoTableEntries; DWORD SizeOfCoffSymbols; PIMAGE_COFF_SYMBOLS_HEADER CoffSymbols; DWORD ReservedSizeOfCodeViewSymbols; PVOID ReservedCodeViewSymbols; PSTR ImageFilePath; PSTR ImageFileName; PSTR ReservedDebugFilePath; DWORD ReservedTimeDateStamp; BOOL ReservedRomImage; PIMAGE_DEBUG_DIRECTORY ReservedDebugDirectory; DWORD ReservedNumberOfDebugDirectories; DWORD ReservedOriginalFunctionTableBaseAddress; DWORD Reserved[ 2 ]; } IMAGE_DEBUG_INFORMATION, *PIMAGE_DEBUG_INFORMATION; PIMAGE_DEBUG_INFORMATION IMAGEAPI MapDebugInformation( __in_opt HANDLE FileHandle, __in PCSTR FileName, __in_opt PCSTR SymbolPath, __in ULONG ImageBase ); BOOL IMAGEAPI UnmapDebugInformation( __out_xcount(unknown) PIMAGE_DEBUG_INFORMATION DebugInfo ); #endif BOOL IMAGEAPI SearchTreeForFile( __in PCSTR RootPath, __in PCSTR InputPathName, __out_ecount(MAX_PATH + 1) PSTR OutputPathBuffer ); BOOL IMAGEAPI SearchTreeForFileW( __in PCWSTR RootPath, __in PCWSTR InputPathName, __out_ecount(MAX_PATH + 1) PWSTR OutputPathBuffer ); typedef BOOL (CALLBACK* PENUMDIRTREE_CALLBACK)( __in PCSTR FilePath, __in_opt PVOID CallerData ); BOOL IMAGEAPI EnumDirTree( __in_opt HANDLE hProcess, __in PCSTR RootPath, __in PCSTR InputPathName, __out_ecount_opt(MAX_PATH + 1) PSTR OutputPathBuffer, __in_opt PENUMDIRTREE_CALLBACK cb, __in_opt PVOID data ); typedef BOOL (CALLBACK* PENUMDIRTREE_CALLBACKW)( __in PCWSTR FilePath, __in_opt PVOID CallerData ); BOOL IMAGEAPI EnumDirTreeW( __in_opt HANDLE hProcess, __in PCWSTR RootPath, __in PCWSTR InputPathName, __out_ecount_opt(MAX_PATH + 1) PWSTR OutputPathBuffer, __in_opt PENUMDIRTREE_CALLBACKW cb, __in_opt PVOID data ); BOOL IMAGEAPI MakeSureDirectoryPathExists( __in PCSTR DirPath ); // // UnDecorateSymbolName Flags // #define UNDNAME_COMPLETE (0x0000) // Enable full undecoration #define UNDNAME_NO_LEADING_UNDERSCORES (0x0001) // Remove leading underscores from MS extended keywords #define UNDNAME_NO_MS_KEYWORDS (0x0002) // Disable expansion of MS extended keywords #define UNDNAME_NO_FUNCTION_RETURNS (0x0004) // Disable expansion of return type for primary declaration #define UNDNAME_NO_ALLOCATION_MODEL (0x0008) // Disable expansion of the declaration model #define UNDNAME_NO_ALLOCATION_LANGUAGE (0x0010) // Disable expansion of the declaration language specifier #define UNDNAME_NO_MS_THISTYPE (0x0020) // NYI Disable expansion of MS keywords on the 'this' type for primary declaration #define UNDNAME_NO_CV_THISTYPE (0x0040) // NYI Disable expansion of CV modifiers on the 'this' type for primary declaration #define UNDNAME_NO_THISTYPE (0x0060) // Disable all modifiers on the 'this' type #define UNDNAME_NO_ACCESS_SPECIFIERS (0x0080) // Disable expansion of access specifiers for members #define UNDNAME_NO_THROW_SIGNATURES (0x0100) // Disable expansion of 'throw-signatures' for functions and pointers to functions #define UNDNAME_NO_MEMBER_TYPE (0x0200) // Disable expansion of 'static' or 'virtual'ness of members #define UNDNAME_NO_RETURN_UDT_MODEL (0x0400) // Disable expansion of MS model for UDT returns #define UNDNAME_32_BIT_DECODE (0x0800) // Undecorate 32-bit decorated names #define UNDNAME_NAME_ONLY (0x1000) // Crack only the name for primary declaration; // return just [scope::]name. Does expand template params #define UNDNAME_NO_ARGUMENTS (0x2000) // Don't undecorate arguments to function #define UNDNAME_NO_SPECIAL_SYMS (0x4000) // Don't undecorate special names (v-table, vcall, vector xxx, metatype, etc) DWORD IMAGEAPI WINAPI UnDecorateSymbolName( __in PCSTR name, __out_ecount(maxStringLength) PSTR outputString, __in DWORD maxStringLength, __in DWORD flags ); DWORD IMAGEAPI WINAPI UnDecorateSymbolNameW( __in PCWSTR name, __out_ecount(maxStringLength) PWSTR outputString, __in DWORD maxStringLength, __in DWORD flags ); // // these values are used for synthesized file types // that can be passed in as image headers instead of // the standard ones from ntimage.h // #define DBHHEADER_DEBUGDIRS 0x1 #define DBHHEADER_CVMISC 0x2 #define DBHHEADER_PDBGUID 0x3 typedef struct _MODLOAD_DATA { DWORD ssize; // size of this struct DWORD ssig; // signature identifying the passed data PVOID data; // pointer to passed data DWORD size; // size of passed data DWORD flags; // options } MODLOAD_DATA, *PMODLOAD_DATA; typedef struct _MODLOAD_CVMISC { DWORD oCV; // ofset to the codeview record size_t cCV; // size of the codeview record DWORD oMisc; // offset to the misc record size_t cMisc; // size of the misc record DWORD dtImage; // datetime stamp of the image DWORD cImage; // size of the image } MODLOAD_CVMISC, *PMODLOAD_CVMISC; typedef struct _MODLOAD_PDBGUID_PDBAGE { GUID PdbGuid; // Pdb Guid DWORD PdbAge; // Pdb Age } MODLOAD_PDBGUID_PDBAGE, *PMODLOAD_PDBGUID_PDBAGE; // // StackWalking API // typedef enum { AddrMode1616, AddrMode1632, AddrModeReal, AddrModeFlat } ADDRESS_MODE; typedef struct _tagADDRESS64 { DWORD64 Offset; WORD Segment; ADDRESS_MODE Mode; } ADDRESS64, *LPADDRESS64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define ADDRESS ADDRESS64 #define LPADDRESS LPADDRESS64 #else typedef struct _tagADDRESS { DWORD Offset; WORD Segment; ADDRESS_MODE Mode; } ADDRESS, *LPADDRESS; __inline void Address32To64( __in LPADDRESS a32, __out LPADDRESS64 a64 ) { a64->Offset = (ULONG64)(LONG64)(LONG)a32->Offset; a64->Segment = a32->Segment; a64->Mode = a32->Mode; } __inline void Address64To32( __in LPADDRESS64 a64, __out LPADDRESS a32 ) { a32->Offset = (ULONG)a64->Offset; a32->Segment = a64->Segment; a32->Mode = a64->Mode; } #endif // // This structure is included in the STACKFRAME structure, // and is used to trace through usermode callbacks in a thread's // kernel stack. The values must be copied by the kernel debugger // from the DBGKD_GET_VERSION and WAIT_STATE_CHANGE packets. // // // New KDHELP structure for 64 bit system support. // This structure is preferred in new code. // typedef struct _KDHELP64 { // // address of kernel thread object, as provided in the // WAIT_STATE_CHANGE packet. // DWORD64 Thread; // // offset in thread object to pointer to the current callback frame // in kernel stack. // DWORD ThCallbackStack; // // offset in thread object to pointer to the current callback backing // store frame in kernel stack. // DWORD ThCallbackBStore; // // offsets to values in frame: // // address of next callback frame DWORD NextCallback; // address of saved frame pointer (if applicable) DWORD FramePointer; // // Address of the kernel function that calls out to user mode // DWORD64 KiCallUserMode; // // Address of the user mode dispatcher function // DWORD64 KeUserCallbackDispatcher; // // Lowest kernel mode address // DWORD64 SystemRangeStart; // // Address of the user mode exception dispatcher function. // Added in API version 10. // DWORD64 KiUserExceptionDispatcher; // // Stack bounds, added in API version 11. // DWORD64 StackBase; DWORD64 StackLimit; DWORD64 Reserved[5]; } KDHELP64, *PKDHELP64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define KDHELP KDHELP64 #define PKDHELP PKDHELP64 #else typedef struct _KDHELP { // // address of kernel thread object, as provided in the // WAIT_STATE_CHANGE packet. // DWORD Thread; // // offset in thread object to pointer to the current callback frame // in kernel stack. // DWORD ThCallbackStack; // // offsets to values in frame: // // address of next callback frame DWORD NextCallback; // address of saved frame pointer (if applicable) DWORD FramePointer; // // Address of the kernel function that calls out to user mode // DWORD KiCallUserMode; // // Address of the user mode dispatcher function // DWORD KeUserCallbackDispatcher; // // Lowest kernel mode address // DWORD SystemRangeStart; // // offset in thread object to pointer to the current callback backing // store frame in kernel stack. // DWORD ThCallbackBStore; // // Address of the user mode exception dispatcher function. // Added in API version 10. // DWORD KiUserExceptionDispatcher; // // Stack bounds, added in API version 11. // DWORD StackBase; DWORD StackLimit; DWORD Reserved[5]; } KDHELP, *PKDHELP; __inline void KdHelp32To64( __in PKDHELP p32, __out PKDHELP64 p64 ) { p64->Thread = p32->Thread; p64->ThCallbackStack = p32->ThCallbackStack; p64->NextCallback = p32->NextCallback; p64->FramePointer = p32->FramePointer; p64->KiCallUserMode = p32->KiCallUserMode; p64->KeUserCallbackDispatcher = p32->KeUserCallbackDispatcher; p64->SystemRangeStart = p32->SystemRangeStart; p64->KiUserExceptionDispatcher = p32->KiUserExceptionDispatcher; p64->StackBase = p32->StackBase; p64->StackLimit = p32->StackLimit; } #endif typedef struct _tagSTACKFRAME64 { ADDRESS64 AddrPC; // program counter ADDRESS64 AddrReturn; // return address ADDRESS64 AddrFrame; // frame pointer ADDRESS64 AddrStack; // stack pointer ADDRESS64 AddrBStore; // backing store pointer PVOID FuncTableEntry; // pointer to pdata/fpo or NULL DWORD64 Params[4]; // possible arguments to the function BOOL Far; // WOW far call BOOL Virtual; // is this a virtual frame? DWORD64 Reserved[3]; KDHELP64 KdHelp; } STACKFRAME64, *LPSTACKFRAME64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define STACKFRAME STACKFRAME64 #define LPSTACKFRAME LPSTACKFRAME64 #else typedef struct _tagSTACKFRAME { ADDRESS AddrPC; // program counter ADDRESS AddrReturn; // return address ADDRESS AddrFrame; // frame pointer ADDRESS AddrStack; // stack pointer PVOID FuncTableEntry; // pointer to pdata/fpo or NULL DWORD Params[4]; // possible arguments to the function BOOL Far; // WOW far call BOOL Virtual; // is this a virtual frame? DWORD Reserved[3]; KDHELP KdHelp; ADDRESS AddrBStore; // backing store pointer } STACKFRAME, *LPSTACKFRAME; #endif typedef BOOL (__stdcall* PREAD_PROCESS_MEMORY_ROUTINE64)( __in HANDLE hProcess, __in DWORD64 qwBaseAddress, __out_bcount(nSize) PVOID lpBuffer, __in DWORD nSize, __out LPDWORD lpNumberOfBytesRead ); typedef PVOID (__stdcall* PFUNCTION_TABLE_ACCESS_ROUTINE64)( __in HANDLE ahProcess, __in DWORD64 AddrBase ); typedef DWORD64 (__stdcall* PGET_MODULE_BASE_ROUTINE64)( __in HANDLE hProcess, __in DWORD64 Address ); typedef DWORD64 (__stdcall* PTRANSLATE_ADDRESS_ROUTINE64)( __in HANDLE hProcess, __in HANDLE hThread, __in LPADDRESS64 lpaddr ); BOOL IMAGEAPI StackWalk64( __in DWORD MachineType, __in HANDLE hProcess, __in HANDLE hThread, __inout LPSTACKFRAME64 StackFrame, __inout PVOID ContextRecord, __in_opt PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, __in_opt PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, __in_opt PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, __in_opt PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define PREAD_PROCESS_MEMORY_ROUTINE PREAD_PROCESS_MEMORY_ROUTINE64 #define PFUNCTION_TABLE_ACCESS_ROUTINE PFUNCTION_TABLE_ACCESS_ROUTINE64 #define PGET_MODULE_BASE_ROUTINE PGET_MODULE_BASE_ROUTINE64 #define PTRANSLATE_ADDRESS_ROUTINE PTRANSLATE_ADDRESS_ROUTINE64 #define StackWalk StackWalk64 #else typedef BOOL (__stdcall* PREAD_PROCESS_MEMORY_ROUTINE)( __in HANDLE hProcess, __in DWORD lpBaseAddress, __out_bcount(nSize) PVOID lpBuffer, __in DWORD nSize, __out PDWORD lpNumberOfBytesRead ); typedef PVOID (__stdcall* PFUNCTION_TABLE_ACCESS_ROUTINE)( __in HANDLE hProcess, __in DWORD AddrBase ); typedef DWORD (__stdcall* PGET_MODULE_BASE_ROUTINE)( __in HANDLE hProcess, __in DWORD Address ); typedef DWORD (__stdcall* PTRANSLATE_ADDRESS_ROUTINE)( __in HANDLE hProcess, __in HANDLE hThread, __out LPADDRESS lpaddr ); BOOL IMAGEAPI StackWalk( DWORD MachineType, __in HANDLE hProcess, __in HANDLE hThread, __inout LPSTACKFRAME StackFrame, __inout PVOID ContextRecord, __in_opt PREAD_PROCESS_MEMORY_ROUTINE ReadMemoryRoutine, __in_opt PFUNCTION_TABLE_ACCESS_ROUTINE FunctionTableAccessRoutine, __in_opt PGET_MODULE_BASE_ROUTINE GetModuleBaseRoutine, __in_opt PTRANSLATE_ADDRESS_ROUTINE TranslateAddress ); #endif #define API_VERSION_NUMBER 11 typedef struct API_VERSION { USHORT MajorVersion; USHORT MinorVersion; USHORT Revision; USHORT Reserved; } API_VERSION, *LPAPI_VERSION; LPAPI_VERSION IMAGEAPI ImagehlpApiVersion( VOID ); LPAPI_VERSION IMAGEAPI ImagehlpApiVersionEx( __in LPAPI_VERSION AppVersion ); DWORD IMAGEAPI GetTimestampForLoadedLibrary( __in HMODULE Module ); // // typedefs for function pointers // typedef BOOL (CALLBACK* PSYM_ENUMMODULES_CALLBACK64)( __in PCSTR ModuleName, __in DWORD64 BaseOfDll, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMMODULES_CALLBACKW64)( __in PCWSTR ModuleName, __in DWORD64 BaseOfDll, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PENUMLOADED_MODULES_CALLBACK64)( __in PCSTR ModuleName, __in DWORD64 ModuleBase, __in ULONG ModuleSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PENUMLOADED_MODULES_CALLBACKW64)( __in PCWSTR ModuleName, __in DWORD64 ModuleBase, __in ULONG ModuleSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMSYMBOLS_CALLBACK64)( __in PCSTR SymbolName, __in DWORD64 SymbolAddress, __in ULONG SymbolSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMSYMBOLS_CALLBACK64W)( __in PCWSTR SymbolName, __in DWORD64 SymbolAddress, __in ULONG SymbolSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYMBOL_REGISTERED_CALLBACK64)( __in HANDLE hProcess, __in ULONG ActionCode, __in_opt ULONG64 CallbackData, __in_opt ULONG64 UserContext ); typedef PVOID (CALLBACK* PSYMBOL_FUNCENTRY_CALLBACK)( __in HANDLE hProcess, __in DWORD AddrBase, __in_opt PVOID UserContext ); typedef PVOID (CALLBACK* PSYMBOL_FUNCENTRY_CALLBACK64)( __in HANDLE hProcess, __in ULONG64 AddrBase, __in ULONG64 UserContext ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define PSYM_ENUMMODULES_CALLBACK PSYM_ENUMMODULES_CALLBACK64 #define PSYM_ENUMSYMBOLS_CALLBACK PSYM_ENUMSYMBOLS_CALLBACK64 #define PSYM_ENUMSYMBOLS_CALLBACKW PSYM_ENUMSYMBOLS_CALLBACK64W #define PENUMLOADED_MODULES_CALLBACK PENUMLOADED_MODULES_CALLBACK64 #define PSYMBOL_REGISTERED_CALLBACK PSYMBOL_REGISTERED_CALLBACK64 #define PSYMBOL_FUNCENTRY_CALLBACK PSYMBOL_FUNCENTRY_CALLBACK64 #else typedef BOOL (CALLBACK* PSYM_ENUMMODULES_CALLBACK)( __in PCSTR ModuleName, __in ULONG BaseOfDll, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMSYMBOLS_CALLBACK)( __in PCSTR SymbolName, __in ULONG SymbolAddress, __in ULONG SymbolSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMSYMBOLS_CALLBACKW)( __in PCWSTR SymbolName, __in ULONG SymbolAddress, __in ULONG SymbolSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PENUMLOADED_MODULES_CALLBACK)( __in PCSTR ModuleName, __in ULONG ModuleBase, __in ULONG ModuleSize, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYMBOL_REGISTERED_CALLBACK)( __in HANDLE hProcess, __in ULONG ActionCode, __in_opt PVOID CallbackData, __in_opt PVOID UserContext ); #endif // values found in SYMBOL_INFO.Tag // // This was taken from cvconst.h and should // not override any values found there. // // #define _NO_CVCONST_H_ if you don't // have access to that file... #ifdef _NO_CVCONST_H // DIA enums enum SymTagEnum { SymTagNull, SymTagExe, SymTagCompiland, SymTagCompilandDetails, SymTagCompilandEnv, SymTagFunction, SymTagBlock, SymTagData, SymTagAnnotation, SymTagLabel, SymTagPublicSymbol, SymTagUDT, SymTagEnum, SymTagFunctionType, SymTagPointerType, SymTagArrayType, SymTagBaseType, SymTagTypedef, SymTagBaseClass, SymTagFriend, SymTagFunctionArgType, SymTagFuncDebugStart, SymTagFuncDebugEnd, SymTagUsingNamespace, SymTagVTableShape, SymTagVTable, SymTagCustom, SymTagThunk, SymTagCustomType, SymTagManagedType, SymTagDimension, SymTagMax }; #endif // // flags found in SYMBOL_INFO.Flags // #define SYMFLAG_VALUEPRESENT 0x00000001 #define SYMFLAG_REGISTER 0x00000008 #define SYMFLAG_REGREL 0x00000010 #define SYMFLAG_FRAMEREL 0x00000020 #define SYMFLAG_PARAMETER 0x00000040 #define SYMFLAG_LOCAL 0x00000080 #define SYMFLAG_CONSTANT 0x00000100 #define SYMFLAG_EXPORT 0x00000200 #define SYMFLAG_FORWARDER 0x00000400 #define SYMFLAG_FUNCTION 0x00000800 #define SYMFLAG_VIRTUAL 0x00001000 #define SYMFLAG_THUNK 0x00002000 #define SYMFLAG_TLSREL 0x00004000 #define SYMFLAG_SLOT 0x00008000 #define SYMFLAG_ILREL 0x00010000 #define SYMFLAG_METADATA 0x00020000 #define SYMFLAG_CLR_TOKEN 0x00040000 // this resets SymNext/Prev to the beginning // of the module passed in the address field #define SYMFLAG_RESET 0x80000000 // // symbol type enumeration // typedef enum { SymNone = 0, SymCoff, SymCv, SymPdb, SymExport, SymDeferred, SymSym, // .sym file SymDia, SymVirtual, NumSymTypes } SYM_TYPE; // // symbol data structure // typedef struct _IMAGEHLP_SYMBOL64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOL64) DWORD64 Address; // virtual address including dll base address DWORD Size; // estimated size of symbol, can be zero DWORD Flags; // info about the symbols, see the SYMF defines DWORD MaxNameLength; // maximum size of symbol name in 'Name' CHAR Name[1]; // symbol name (null terminated string) } IMAGEHLP_SYMBOL64, *PIMAGEHLP_SYMBOL64; typedef struct _IMAGEHLP_SYMBOL64_PACKAGE { IMAGEHLP_SYMBOL64 sym; CHAR name[MAX_SYM_NAME + 1]; } IMAGEHLP_SYMBOL64_PACKAGE, *PIMAGEHLP_SYMBOL64_PACKAGE; typedef struct _IMAGEHLP_SYMBOLW64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOLW64) DWORD64 Address; // virtual address including dll base address DWORD Size; // estimated size of symbol, can be zero DWORD Flags; // info about the symbols, see the SYMF defines DWORD MaxNameLength; // maximum size of symbol name in 'Name' WCHAR Name[1]; // symbol name (null terminated string) } IMAGEHLP_SYMBOLW64, *PIMAGEHLP_SYMBOLW64; typedef struct _IMAGEHLP_SYMBOLW64_PACKAGE { IMAGEHLP_SYMBOLW64 sym; WCHAR name[MAX_SYM_NAME + 1]; } IMAGEHLP_SYMBOLW64_PACKAGE, *PIMAGEHLP_SYMBOLW64_PACKAGE; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define IMAGEHLP_SYMBOL IMAGEHLP_SYMBOL64 #define PIMAGEHLP_SYMBOL PIMAGEHLP_SYMBOL64 #define IMAGEHLP_SYMBOL_PACKAGE IMAGEHLP_SYMBOL64_PACKAGE #define PIMAGEHLP_SYMBOL_PACKAGE PIMAGEHLP_SYMBOL64_PACKAGE #define IMAGEHLP_SYMBOLW IMAGEHLP_SYMBOLW64 #define PIMAGEHLP_SYMBOLW PIMAGEHLP_SYMBOLW64 #define IMAGEHLP_SYMBOLW_PACKAGE IMAGEHLP_SYMBOLW64_PACKAGE #define PIMAGEHLP_SYMBOLW_PACKAGE PIMAGEHLP_SYMBOLW64_PACKAGE #else typedef struct _IMAGEHLP_SYMBOL { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOL) DWORD Address; // virtual address including dll base address DWORD Size; // estimated size of symbol, can be zero DWORD Flags; // info about the symbols, see the SYMF defines DWORD MaxNameLength; // maximum size of symbol name in 'Name' CHAR Name[1]; // symbol name (null terminated string) } IMAGEHLP_SYMBOL, *PIMAGEHLP_SYMBOL; typedef struct _IMAGEHLP_SYMBOL_PACKAGE { IMAGEHLP_SYMBOL sym; CHAR name[MAX_SYM_NAME + 1]; } IMAGEHLP_SYMBOL_PACKAGE, *PIMAGEHLP_SYMBOL_PACKAGE; typedef struct _IMAGEHLP_SYMBOLW { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOLW) DWORD Address; // virtual address including dll base address DWORD Size; // estimated size of symbol, can be zero DWORD Flags; // info about the symbols, see the SYMF defines DWORD MaxNameLength; // maximum size of symbol name in 'Name' WCHAR Name[1]; // symbol name (null terminated string) } IMAGEHLP_SYMBOLW, *PIMAGEHLP_SYMBOLW; typedef struct _IMAGEHLP_SYMBOLW_PACKAGE { IMAGEHLP_SYMBOLW sym; WCHAR name[MAX_SYM_NAME + 1]; } IMAGEHLP_SYMBOLW_PACKAGE, *PIMAGEHLP_SYMBOLW_PACKAGE; #endif // // module data structure // typedef struct _IMAGEHLP_MODULE64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE64) DWORD64 BaseOfImage; // base load address of module DWORD ImageSize; // virtual size of the loaded module DWORD TimeDateStamp; // date/time stamp from pe header DWORD CheckSum; // checksum from the pe header DWORD NumSyms; // number of symbols in the symbol table SYM_TYPE SymType; // type of symbols loaded CHAR ModuleName[32]; // module name CHAR ImageName[256]; // image name CHAR LoadedImageName[256]; // symbol file name // new elements: 07-Jun-2002 CHAR LoadedPdbName[256]; // pdb file name DWORD CVSig; // Signature of the CV record in the debug directories CHAR CVData[MAX_PATH * 3]; // Contents of the CV record DWORD PdbSig; // Signature of PDB GUID PdbSig70; // Signature of PDB (VC 7 and up) DWORD PdbAge; // DBI age of pdb BOOL PdbUnmatched; // loaded an unmatched pdb BOOL DbgUnmatched; // loaded an unmatched dbg BOOL LineNumbers; // we have line number information BOOL GlobalSymbols; // we have internal symbol information BOOL TypeInfo; // we have type information // new elements: 17-Dec-2003 BOOL SourceIndexed; // pdb supports source server BOOL Publics; // contains public symbols } IMAGEHLP_MODULE64, *PIMAGEHLP_MODULE64; typedef struct _IMAGEHLP_MODULEW64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE64) DWORD64 BaseOfImage; // base load address of module DWORD ImageSize; // virtual size of the loaded module DWORD TimeDateStamp; // date/time stamp from pe header DWORD CheckSum; // checksum from the pe header DWORD NumSyms; // number of symbols in the symbol table SYM_TYPE SymType; // type of symbols loaded WCHAR ModuleName[32]; // module name WCHAR ImageName[256]; // image name // new elements: 07-Jun-2002 WCHAR LoadedImageName[256]; // symbol file name WCHAR LoadedPdbName[256]; // pdb file name DWORD CVSig; // Signature of the CV record in the debug directories WCHAR CVData[MAX_PATH * 3]; // Contents of the CV record DWORD PdbSig; // Signature of PDB GUID PdbSig70; // Signature of PDB (VC 7 and up) DWORD PdbAge; // DBI age of pdb BOOL PdbUnmatched; // loaded an unmatched pdb BOOL DbgUnmatched; // loaded an unmatched dbg BOOL LineNumbers; // we have line number information BOOL GlobalSymbols; // we have internal symbol information BOOL TypeInfo; // we have type information // new elements: 17-Dec-2003 BOOL SourceIndexed; // pdb supports source server BOOL Publics; // contains public symbols } IMAGEHLP_MODULEW64, *PIMAGEHLP_MODULEW64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define IMAGEHLP_MODULE IMAGEHLP_MODULE64 #define PIMAGEHLP_MODULE PIMAGEHLP_MODULE64 #define IMAGEHLP_MODULEW IMAGEHLP_MODULEW64 #define PIMAGEHLP_MODULEW PIMAGEHLP_MODULEW64 #else typedef struct _IMAGEHLP_MODULE { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE) DWORD BaseOfImage; // base load address of module DWORD ImageSize; // virtual size of the loaded module DWORD TimeDateStamp; // date/time stamp from pe header DWORD CheckSum; // checksum from the pe header DWORD NumSyms; // number of symbols in the symbol table SYM_TYPE SymType; // type of symbols loaded CHAR ModuleName[32]; // module name CHAR ImageName[256]; // image name CHAR LoadedImageName[256]; // symbol file name } IMAGEHLP_MODULE, *PIMAGEHLP_MODULE; typedef struct _IMAGEHLP_MODULEW { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE) DWORD BaseOfImage; // base load address of module DWORD ImageSize; // virtual size of the loaded module DWORD TimeDateStamp; // date/time stamp from pe header DWORD CheckSum; // checksum from the pe header DWORD NumSyms; // number of symbols in the symbol table SYM_TYPE SymType; // type of symbols loaded WCHAR ModuleName[32]; // module name WCHAR ImageName[256]; // image name WCHAR LoadedImageName[256]; // symbol file name } IMAGEHLP_MODULEW, *PIMAGEHLP_MODULEW; #endif // // source file line data structure // typedef struct _IMAGEHLP_LINE64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_LINE64) PVOID Key; // internal DWORD LineNumber; // line number in file PCHAR FileName; // full filename DWORD64 Address; // first instruction of line } IMAGEHLP_LINE64, *PIMAGEHLP_LINE64; typedef struct _IMAGEHLP_LINEW64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_LINE64) PVOID Key; // internal DWORD LineNumber; // line number in file PWSTR FileName; // full filename DWORD64 Address; // first instruction of line } IMAGEHLP_LINEW64, *PIMAGEHLP_LINEW64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define IMAGEHLP_LINE IMAGEHLP_LINE64 #define PIMAGEHLP_LINE PIMAGEHLP_LINE64 #else typedef struct _IMAGEHLP_LINE { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_LINE) PVOID Key; // internal DWORD LineNumber; // line number in file PCHAR FileName; // full filename DWORD Address; // first instruction of line } IMAGEHLP_LINE, *PIMAGEHLP_LINE; typedef struct _IMAGEHLP_LINEW { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_LINE64) PVOID Key; // internal DWORD LineNumber; // line number in file PCHAR FileName; // full filename DWORD64 Address; // first instruction of line } IMAGEHLP_LINEW, *PIMAGEHLP_LINEW; #endif // // source file structure // typedef struct _SOURCEFILE { DWORD64 ModBase; // base address of loaded module PCHAR FileName; // full filename of source } SOURCEFILE, *PSOURCEFILE; typedef struct _SOURCEFILEW { DWORD64 ModBase; // base address of loaded module PWSTR FileName; // full filename of source } SOURCEFILEW, *PSOURCEFILEW; // // data structures used for registered symbol callbacks // #define CBA_DEFERRED_SYMBOL_LOAD_START 0x00000001 #define CBA_DEFERRED_SYMBOL_LOAD_COMPLETE 0x00000002 #define CBA_DEFERRED_SYMBOL_LOAD_FAILURE 0x00000003 #define CBA_SYMBOLS_UNLOADED 0x00000004 #define CBA_DUPLICATE_SYMBOL 0x00000005 #define CBA_READ_MEMORY 0x00000006 #define CBA_DEFERRED_SYMBOL_LOAD_CANCEL 0x00000007 #define CBA_SET_OPTIONS 0x00000008 #define CBA_EVENT 0x00000010 #define CBA_DEFERRED_SYMBOL_LOAD_PARTIAL 0x00000020 #define CBA_DEBUG_INFO 0x10000000 #define CBA_SRCSRV_INFO 0x20000000 #define CBA_SRCSRV_EVENT 0x40000000 typedef struct _IMAGEHLP_CBA_READ_MEMORY { DWORD64 addr; // address to read from PVOID buf; // buffer to read to DWORD bytes; // amount of bytes to read DWORD* bytesread; // pointer to store amount of bytes read } IMAGEHLP_CBA_READ_MEMORY, *PIMAGEHLP_CBA_READ_MEMORY; enum { sevInfo = 0, sevProblem, sevAttn, sevFatal, sevMax // unused }; #define EVENT_SRCSPEW_START 100 #define EVENT_SRCSPEW 100 #define EVENT_SRCSPEW_END 199 typedef struct _IMAGEHLP_CBA_EVENT { DWORD severity; // values from sevInfo to sevFatal DWORD code; // numerical code IDs the error PCHAR desc; // may contain a text description of the error PVOID object; // value dependant upon the error code } IMAGEHLP_CBA_EVENT, *PIMAGEHLP_CBA_EVENT; typedef struct _IMAGEHLP_CBA_EVENTW { DWORD severity; // values from sevInfo to sevFatal DWORD code; // numerical code IDs the error PCWSTR desc; // may contain a text description of the error PVOID object; // value dependant upon the error code } IMAGEHLP_CBA_EVENTW, *PIMAGEHLP_CBA_EVENTW; typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOAD64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOAD64) DWORD64 BaseOfImage; // base load address of module DWORD CheckSum; // checksum from the pe header DWORD TimeDateStamp; // date/time stamp from pe header CHAR FileName[MAX_PATH]; // symbols file or image name BOOLEAN Reparse; // load failure reparse HANDLE hFile; // file handle, if passed DWORD Flags; // } IMAGEHLP_DEFERRED_SYMBOL_LOAD64, *PIMAGEHLP_DEFERRED_SYMBOL_LOAD64; typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOADW64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOADW64) DWORD64 BaseOfImage; // base load address of module DWORD CheckSum; // checksum from the pe header DWORD TimeDateStamp; // date/time stamp from pe header WCHAR FileName[MAX_PATH + 1]; // symbols file or image name BOOLEAN Reparse; // load failure reparse HANDLE hFile; // file handle, if passed DWORD Flags; // } IMAGEHLP_DEFERRED_SYMBOL_LOADW64, *PIMAGEHLP_DEFERRED_SYMBOL_LOADW64; #define DSLFLAG_MISMATCHED_PDB 0x1 #define DSLFLAG_MISMATCHED_DBG 0x2 #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define IMAGEHLP_DEFERRED_SYMBOL_LOAD IMAGEHLP_DEFERRED_SYMBOL_LOAD64 #define PIMAGEHLP_DEFERRED_SYMBOL_LOAD PIMAGEHLP_DEFERRED_SYMBOL_LOAD64 #else typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOAD { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOAD) DWORD BaseOfImage; // base load address of module DWORD CheckSum; // checksum from the pe header DWORD TimeDateStamp; // date/time stamp from pe header CHAR FileName[MAX_PATH]; // symbols file or image name BOOLEAN Reparse; // load failure reparse HANDLE hFile; // file handle, if passed } IMAGEHLP_DEFERRED_SYMBOL_LOAD, *PIMAGEHLP_DEFERRED_SYMBOL_LOAD; #endif typedef struct _IMAGEHLP_DUPLICATE_SYMBOL64 { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_DUPLICATE_SYMBOL64) DWORD NumberOfDups; // number of duplicates in the Symbol array PIMAGEHLP_SYMBOL64 Symbol; // array of duplicate symbols DWORD SelectedSymbol; // symbol selected (-1 to start) } IMAGEHLP_DUPLICATE_SYMBOL64, *PIMAGEHLP_DUPLICATE_SYMBOL64; #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define IMAGEHLP_DUPLICATE_SYMBOL IMAGEHLP_DUPLICATE_SYMBOL64 #define PIMAGEHLP_DUPLICATE_SYMBOL PIMAGEHLP_DUPLICATE_SYMBOL64 #else typedef struct _IMAGEHLP_DUPLICATE_SYMBOL { DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_DUPLICATE_SYMBOL) DWORD NumberOfDups; // number of duplicates in the Symbol array PIMAGEHLP_SYMBOL Symbol; // array of duplicate symbols DWORD SelectedSymbol; // symbol selected (-1 to start) } IMAGEHLP_DUPLICATE_SYMBOL, *PIMAGEHLP_DUPLICATE_SYMBOL; #endif // If dbghelp ever needs to display graphical UI, it will use this as the parent window. BOOL IMAGEAPI SymSetParentWindow( __in HWND hwnd ); PCHAR IMAGEAPI SymSetHomeDirectory( __in_opt HANDLE hProcess, __in_opt PCSTR dir ); PWSTR IMAGEAPI SymSetHomeDirectoryW( __in_opt HANDLE hProcess, __in_opt PCWSTR dir ); PCHAR IMAGEAPI SymGetHomeDirectory( __in DWORD type, __out_ecount(size) PSTR dir, __in size_t size ); PWSTR IMAGEAPI SymGetHomeDirectoryW( __in DWORD type, __out_ecount(size) PWSTR dir, __in size_t size ); enum { hdBase = 0, // root directory for dbghelp hdSym, // where symbols are stored hdSrc, // where source is stored hdMax // end marker }; typedef struct _OMAP { ULONG rva; ULONG rvaTo; } OMAP, *POMAP; BOOL IMAGEAPI SymGetOmaps( __in HANDLE hProcess, __in DWORD64 BaseOfDll, __out POMAP* OmapTo, __out PDWORD64 cOmapTo, __out POMAP* OmapFrom, __out PDWORD64 cOmapFrom ); // // options that are set/returned by SymSetOptions() & SymGetOptions() // these are used as a mask // #define SYMOPT_CASE_INSENSITIVE 0x00000001 #define SYMOPT_UNDNAME 0x00000002 #define SYMOPT_DEFERRED_LOADS 0x00000004 #define SYMOPT_NO_CPP 0x00000008 #define SYMOPT_LOAD_LINES 0x00000010 #define SYMOPT_OMAP_FIND_NEAREST 0x00000020 #define SYMOPT_LOAD_ANYTHING 0x00000040 #define SYMOPT_IGNORE_CVREC 0x00000080 #define SYMOPT_NO_UNQUALIFIED_LOADS 0x00000100 #define SYMOPT_FAIL_CRITICAL_ERRORS 0x00000200 #define SYMOPT_EXACT_SYMBOLS 0x00000400 #define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS 0x00000800 #define SYMOPT_IGNORE_NT_SYMPATH 0x00001000 #define SYMOPT_INCLUDE_32BIT_MODULES 0x00002000 #define SYMOPT_PUBLICS_ONLY 0x00004000 #define SYMOPT_NO_PUBLICS 0x00008000 #define SYMOPT_AUTO_PUBLICS 0x00010000 #define SYMOPT_NO_IMAGE_SEARCH 0x00020000 #define SYMOPT_SECURE 0x00040000 #define SYMOPT_NO_PROMPTS 0x00080000 #define SYMOPT_OVERWRITE 0x00100000 #define SYMOPT_IGNORE_IMAGEDIR 0x00200000 #define SYMOPT_FLAT_DIRECTORY 0x00400000 #define SYMOPT_FAVOR_COMPRESSED 0x00800000 #define SYMOPT_ALLOW_ZERO_ADDRESS 0x01000000 #define SYMOPT_DISABLE_SYMSRV_AUTODETECT 0x02000000 #define SYMOPT_DEBUG 0x80000000 DWORD IMAGEAPI SymSetOptions( __in DWORD SymOptions ); DWORD IMAGEAPI SymGetOptions( VOID ); BOOL IMAGEAPI SymCleanup( __in HANDLE hProcess ); BOOL IMAGEAPI SymMatchString( __in PCSTR string, __in PCSTR expression, __in BOOL fCase ); BOOL IMAGEAPI SymMatchStringA( __in PCSTR string, __in PCSTR expression, __in BOOL fCase ); BOOL IMAGEAPI SymMatchStringW( __in PCWSTR string, __in PCWSTR expression, __in BOOL fCase ); typedef BOOL (CALLBACK* PSYM_ENUMSOURCEFILES_CALLBACK)( __in PSOURCEFILE pSourceFile, __in_opt PVOID UserContext ); // for backwards compatibility - don't use this #define PSYM_ENUMSOURCFILES_CALLBACK PSYM_ENUMSOURCEFILES_CALLBACK BOOL IMAGEAPI SymEnumSourceFiles( __in HANDLE hProcess, __in ULONG64 ModBase, __in_opt PCSTR Mask, __in PSYM_ENUMSOURCEFILES_CALLBACK cbSrcFiles, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMSOURCEFILES_CALLBACKW)( __in PSOURCEFILEW pSourceFile, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSourceFilesW( __in HANDLE hProcess, __in ULONG64 ModBase, __in_opt PCWSTR Mask, __in PSYM_ENUMSOURCEFILES_CALLBACKW cbSrcFiles, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumerateModules64( __in HANDLE hProcess, __in PSYM_ENUMMODULES_CALLBACK64 EnumModulesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumerateModulesW64( __in HANDLE hProcess, __in PSYM_ENUMMODULES_CALLBACKW64 EnumModulesCallback, __in_opt PVOID UserContext ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymEnumerateModules SymEnumerateModules64 #else BOOL IMAGEAPI SymEnumerateModules( __in HANDLE hProcess, __in PSYM_ENUMMODULES_CALLBACK EnumModulesCallback, __in_opt PVOID UserContext ); #endif BOOL IMAGEAPI EnumerateLoadedModulesEx( __in HANDLE hProcess, __in PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI EnumerateLoadedModulesExW( __in HANDLE hProcess, __in PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI EnumerateLoadedModules64( __in HANDLE hProcess, __in PENUMLOADED_MODULES_CALLBACK64 EnumLoadedModulesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI EnumerateLoadedModulesW64( __in HANDLE hProcess, __in PENUMLOADED_MODULES_CALLBACKW64 EnumLoadedModulesCallback, __in_opt PVOID UserContext ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define EnumerateLoadedModules EnumerateLoadedModules64 #else BOOL IMAGEAPI EnumerateLoadedModules( __in HANDLE hProcess, __in PENUMLOADED_MODULES_CALLBACK EnumLoadedModulesCallback, __in_opt PVOID UserContext ); #endif PVOID IMAGEAPI SymFunctionTableAccess64( __in HANDLE hProcess, __in DWORD64 AddrBase ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymFunctionTableAccess SymFunctionTableAccess64 #else PVOID IMAGEAPI SymFunctionTableAccess( __in HANDLE hProcess, __in DWORD AddrBase ); #endif BOOL IMAGEAPI SymGetUnwindInfo( __in HANDLE hProcess, __in DWORD64 Address, __out_bcount_opt(*Size) PVOID Buffer, __inout PULONG Size ); BOOL IMAGEAPI SymGetModuleInfo64( __in HANDLE hProcess, __in DWORD64 qwAddr, __out PIMAGEHLP_MODULE64 ModuleInfo ); BOOL IMAGEAPI SymGetModuleInfoW64( __in HANDLE hProcess, __in DWORD64 qwAddr, __out PIMAGEHLP_MODULEW64 ModuleInfo ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetModuleInfo SymGetModuleInfo64 #define SymGetModuleInfoW SymGetModuleInfoW64 #else BOOL IMAGEAPI SymGetModuleInfo( __in HANDLE hProcess, __in DWORD dwAddr, __out PIMAGEHLP_MODULE ModuleInfo ); BOOL IMAGEAPI SymGetModuleInfoW( __in HANDLE hProcess, __in DWORD dwAddr, __out PIMAGEHLP_MODULEW ModuleInfo ); #endif DWORD64 IMAGEAPI SymGetModuleBase64( __in HANDLE hProcess, __in DWORD64 qwAddr ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetModuleBase SymGetModuleBase64 #else DWORD IMAGEAPI SymGetModuleBase( __in HANDLE hProcess, __in DWORD dwAddr ); #endif typedef struct _SRCCODEINFO { DWORD SizeOfStruct; // set to sizeof(SRCCODEINFO) PVOID Key; // not used DWORD64 ModBase; // base address of module this applies to CHAR Obj[MAX_PATH + 1]; // the object file within the module CHAR FileName[MAX_PATH + 1]; // full filename DWORD LineNumber; // line number in file DWORD64 Address; // first instruction of line } SRCCODEINFO, *PSRCCODEINFO; typedef struct _SRCCODEINFOW { DWORD SizeOfStruct; // set to sizeof(SRCCODEINFO) PVOID Key; // not used DWORD64 ModBase; // base address of module this applies to WCHAR Obj[MAX_PATH + 1]; // the object file within the module WCHAR FileName[MAX_PATH + 1]; // full filename DWORD LineNumber; // line number in file DWORD64 Address; // first instruction of line } SRCCODEINFOW, *PSRCCODEINFOW; typedef BOOL (CALLBACK* PSYM_ENUMLINES_CALLBACK)( __in PSRCCODEINFO LineInfo, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumLines( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCSTR Obj, __in_opt PCSTR File, __in PSYM_ENUMLINES_CALLBACK EnumLinesCallback, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMLINES_CALLBACKW)( __in PSRCCODEINFOW LineInfo, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumLinesW( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCWSTR Obj, __in_opt PCWSTR File, __in PSYM_ENUMLINES_CALLBACKW EnumLinesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymGetLineFromAddr64( __in HANDLE hProcess, __in DWORD64 qwAddr, __out PDWORD pdwDisplacement, __out PIMAGEHLP_LINE64 Line64 ); BOOL IMAGEAPI SymGetLineFromAddrW64( __in HANDLE hProcess, __in DWORD64 dwAddr, __out PDWORD pdwDisplacement, __out PIMAGEHLP_LINEW64 Line ); BOOL IMAGEAPI SymEnumSourceLines( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCSTR Obj, __in_opt PCSTR File, __in_opt DWORD Line, __in DWORD Flags, __in PSYM_ENUMLINES_CALLBACK EnumLinesCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSourceLinesW( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCWSTR Obj, __in_opt PCWSTR File, __in_opt DWORD Line, __in DWORD Flags, __in PSYM_ENUMLINES_CALLBACKW EnumLinesCallback, __in_opt PVOID UserContext ); // flags for SymEnumSourceLines #define ESLFLAG_FULLPATH 0x1 #define ESLFLAG_NEAREST 0x2 #define ESLFLAG_PREV 0x4 #define ESLFLAG_NEXT 0x8 #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetLineFromAddr SymGetLineFromAddr64 #define SymGetLineFromAddrW SymGetLineFromAddrW64 #else BOOL IMAGEAPI SymGetLineFromAddr( __in HANDLE hProcess, __in DWORD dwAddr, __out PDWORD pdwDisplacement, __out PIMAGEHLP_LINE Line ); BOOL IMAGEAPI SymGetLineFromAddrW( __in HANDLE hProcess, __in DWORD dwAddr, __out PDWORD pdwDisplacement, __out PIMAGEHLP_LINEW Line ); #endif BOOL IMAGEAPI SymGetLineFromName64( __in HANDLE hProcess, __in_opt PCSTR ModuleName, __in_opt PCSTR FileName, __in DWORD dwLineNumber, __out PLONG plDisplacement, __inout PIMAGEHLP_LINE64 Line ); BOOL IMAGEAPI SymGetLineFromNameW64( __in HANDLE hProcess, __in_opt PCWSTR ModuleName, __in_opt PCWSTR FileName, __in DWORD dwLineNumber, __out PLONG plDisplacement, __inout PIMAGEHLP_LINEW64 Line ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetLineFromName SymGetLineFromName64 #else BOOL IMAGEAPI SymGetLineFromName( __in HANDLE hProcess, __in_opt PCSTR ModuleName, __in_opt PCSTR FileName, __in DWORD dwLineNumber, __out PLONG plDisplacement, __inout PIMAGEHLP_LINE Line ); #endif BOOL IMAGEAPI SymGetLineNext64( __in HANDLE hProcess, __inout PIMAGEHLP_LINE64 Line ); BOOL IMAGEAPI SymGetLineNextW64( __in HANDLE hProcess, __inout PIMAGEHLP_LINEW64 Line ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetLineNext SymGetLineNext64 #else BOOL IMAGEAPI SymGetLineNext( __in HANDLE hProcess, __inout PIMAGEHLP_LINE Line ); BOOL IMAGEAPI SymGetLineNextW( __in HANDLE hProcess, __inout PIMAGEHLP_LINEW Line ); #endif BOOL IMAGEAPI SymGetLinePrev64( __in HANDLE hProcess, __inout PIMAGEHLP_LINE64 Line ); BOOL IMAGEAPI SymGetLinePrevW64( __in HANDLE hProcess, __inout PIMAGEHLP_LINEW64 Line ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetLinePrev SymGetLinePrev64 #else BOOL IMAGEAPI SymGetLinePrev( __in HANDLE hProcess, __inout PIMAGEHLP_LINE Line ); BOOL IMAGEAPI SymGetLinePrevW( __in HANDLE hProcess, __inout PIMAGEHLP_LINEW Line ); #endif ULONG IMAGEAPI SymGetFileLineOffsets64( __in HANDLE hProcess, __in_opt PCSTR ModuleName, __in PCSTR FileName, __out_ecount(BufferLines) PDWORD64 Buffer, __in ULONG BufferLines ); BOOL IMAGEAPI SymMatchFileName( __in PCSTR FileName, __in PCSTR Match, __deref_opt_out PSTR* FileNameStop, __deref_opt_out PSTR* MatchStop ); BOOL IMAGEAPI SymMatchFileNameW( __in PCWSTR FileName, __in PCWSTR Match, __deref_opt_out PWSTR* FileNameStop, __deref_opt_out PWSTR* MatchStop ); BOOL IMAGEAPI SymGetSourceFile( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCSTR Params, __in PCSTR FileSpec, __out_ecount(Size) PSTR FilePath, __in DWORD Size ); BOOL IMAGEAPI SymGetSourceFileW( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCWSTR Params, __in PCWSTR FileSpec, __out_ecount(Size) PWSTR FilePath, __in DWORD Size ); BOOL IMAGEAPI SymGetSourceFileToken( __in HANDLE hProcess, __in ULONG64 Base, __in PCSTR FileSpec, __deref_out PVOID* Token, __out DWORD* Size ); BOOL IMAGEAPI SymGetSourceFileTokenW( __in HANDLE hProcess, __in ULONG64 Base, __in PCWSTR FileSpec, __deref_out PVOID* Token, __out DWORD* Size ); BOOL IMAGEAPI SymGetSourceFileFromToken( __in HANDLE hProcess, __in PVOID Token, __in_opt PCSTR Params, __out_ecount(Size) PSTR FilePath, __in DWORD Size ); BOOL IMAGEAPI SymGetSourceFileFromTokenW( __in HANDLE hProcess, __in PVOID Token, __in_opt PCWSTR Params, __out_ecount(Size) PWSTR FilePath, __in DWORD Size ); BOOL IMAGEAPI SymGetSourceVarFromToken( __in HANDLE hProcess, __in PVOID Token, __in_opt PCSTR Params, __in PCSTR VarName, __out_ecount(Size) PSTR Value, __in DWORD Size ); BOOL IMAGEAPI SymGetSourceVarFromTokenW( __in HANDLE hProcess, __in PVOID Token, __in_opt PCWSTR Params, __in PCWSTR VarName, __out_ecount(Size) PWSTR Value, __in DWORD Size ); typedef BOOL (CALLBACK* PENUMSOURCEFILETOKENSCALLBACK)(__in PVOID token, __in size_t size); BOOL IMAGEAPI SymEnumSourceFileTokens( __in HANDLE hProcess, __in ULONG64 Base, __in PENUMSOURCEFILETOKENSCALLBACK Callback ); BOOL IMAGEAPI SymInitialize( __in HANDLE hProcess, __in_opt PCSTR UserSearchPath, __in BOOL fInvadeProcess ); BOOL IMAGEAPI SymInitializeW( __in HANDLE hProcess, __in_opt PCWSTR UserSearchPath, __in BOOL fInvadeProcess ); BOOL IMAGEAPI SymGetSearchPath( __in HANDLE hProcess, __out_ecount(SearchPathLength) PSTR SearchPath, __in DWORD SearchPathLength ); BOOL IMAGEAPI SymGetSearchPathW( __in HANDLE hProcess, __out_ecount(SearchPathLength) PWSTR SearchPath, __in DWORD SearchPathLength ); BOOL IMAGEAPI SymSetSearchPath( __in HANDLE hProcess, __in_opt PCSTR SearchPath ); BOOL IMAGEAPI SymSetSearchPathW( __in HANDLE hProcess, __in_opt PCWSTR SearchPath ); #define SLMFLAG_VIRTUAL 0x1 #define SLMFLAG_ALT_INDEX 0x2 #define SLMFLAG_NO_SYMBOLS 0x4 DWORD64 IMAGEAPI SymLoadModuleEx( __in HANDLE hProcess, __in_opt HANDLE hFile, __in_opt PCSTR ImageName, __in_opt PCSTR ModuleName, __in DWORD64 BaseOfDll, __in DWORD DllSize, __in_opt PMODLOAD_DATA Data, __in_opt DWORD Flags ); DWORD64 IMAGEAPI SymLoadModuleExW( __in HANDLE hProcess, __in_opt HANDLE hFile, __in_opt PCWSTR ImageName, __in_opt PCWSTR ModuleName, __in DWORD64 BaseOfDll, __in DWORD DllSize, __in_opt PMODLOAD_DATA Data, __in_opt DWORD Flags ); BOOL IMAGEAPI SymUnloadModule64( __in HANDLE hProcess, __in DWORD64 BaseOfDll ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymUnloadModule SymUnloadModule64 #else BOOL IMAGEAPI SymUnloadModule( __in HANDLE hProcess, __in DWORD BaseOfDll ); #endif BOOL IMAGEAPI SymUnDName64( __in PIMAGEHLP_SYMBOL64 sym, // Symbol to undecorate __out_ecount(UnDecNameLength) PSTR UnDecName, // Buffer to store undecorated name in __in DWORD UnDecNameLength // Size of the buffer ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymUnDName SymUnDName64 #else BOOL IMAGEAPI SymUnDName( __in PIMAGEHLP_SYMBOL sym, // Symbol to undecorate __out_ecount(UnDecNameLength) PSTR UnDecName, // Buffer to store undecorated name in __in DWORD UnDecNameLength // Size of the buffer ); #endif BOOL IMAGEAPI SymRegisterCallback64( __in HANDLE hProcess, __in PSYMBOL_REGISTERED_CALLBACK64 CallbackFunction, __in ULONG64 UserContext ); BOOL IMAGEAPI SymRegisterCallbackW64( __in HANDLE hProcess, __in PSYMBOL_REGISTERED_CALLBACK64 CallbackFunction, __in ULONG64 UserContext ); BOOL IMAGEAPI SymRegisterFunctionEntryCallback64( __in HANDLE hProcess, __in PSYMBOL_FUNCENTRY_CALLBACK64 CallbackFunction, __in ULONG64 UserContext ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymRegisterCallback SymRegisterCallback64 #define SymRegisterFunctionEntryCallback SymRegisterFunctionEntryCallback64 #else BOOL IMAGEAPI SymRegisterCallback( __in HANDLE hProcess, __in PSYMBOL_REGISTERED_CALLBACK CallbackFunction, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymRegisterFunctionEntryCallback( __in HANDLE hProcess, __in PSYMBOL_FUNCENTRY_CALLBACK CallbackFunction, __in_opt PVOID UserContext ); #endif typedef struct _IMAGEHLP_SYMBOL_SRC { DWORD sizeofstruct; DWORD type; char file[MAX_PATH]; } IMAGEHLP_SYMBOL_SRC, *PIMAGEHLP_SYMBOL_SRC; typedef struct _MODULE_TYPE_INFO // AKA TYPTYP { USHORT dataLength; USHORT leaf; BYTE data[1]; } MODULE_TYPE_INFO, *PMODULE_TYPE_INFO; typedef struct _SYMBOL_INFO { ULONG SizeOfStruct; ULONG TypeIndex; // Type Index of symbol ULONG64 Reserved[2]; ULONG Index; ULONG Size; ULONG64 ModBase; // Base Address of module comtaining this symbol ULONG Flags; ULONG64 Value; // Value of symbol, ValuePresent should be 1 ULONG64 Address; // Address of symbol including base address of module ULONG Register; // register holding value or pointer to value ULONG Scope; // scope of the symbol ULONG Tag; // pdb classification ULONG NameLen; // Actual length of name ULONG MaxNameLen; CHAR Name[1]; // Name of symbol } SYMBOL_INFO, *PSYMBOL_INFO; typedef struct _SYMBOL_INFO_PACKAGE { SYMBOL_INFO si; CHAR name[MAX_SYM_NAME + 1]; } SYMBOL_INFO_PACKAGE, *PSYMBOL_INFO_PACKAGE; typedef struct _SYMBOL_INFOW { ULONG SizeOfStruct; ULONG TypeIndex; // Type Index of symbol ULONG64 Reserved[2]; ULONG Index; ULONG Size; ULONG64 ModBase; // Base Address of module comtaining this symbol ULONG Flags; ULONG64 Value; // Value of symbol, ValuePresent should be 1 ULONG64 Address; // Address of symbol including base address of module ULONG Register; // register holding value or pointer to value ULONG Scope; // scope of the symbol ULONG Tag; // pdb classification ULONG NameLen; // Actual length of name ULONG MaxNameLen; WCHAR Name[1]; // Name of symbol } SYMBOL_INFOW, *PSYMBOL_INFOW; typedef struct _SYMBOL_INFO_PACKAGEW { SYMBOL_INFOW si; WCHAR name[MAX_SYM_NAME + 1]; } SYMBOL_INFO_PACKAGEW, *PSYMBOL_INFO_PACKAGEW; typedef struct _IMAGEHLP_STACK_FRAME { ULONG64 InstructionOffset; ULONG64 ReturnOffset; ULONG64 FrameOffset; ULONG64 StackOffset; ULONG64 BackingStoreOffset; ULONG64 FuncTableEntry; ULONG64 Params[4]; ULONG64 Reserved[5]; BOOL Virtual; ULONG Reserved2; } IMAGEHLP_STACK_FRAME, *PIMAGEHLP_STACK_FRAME; typedef VOID IMAGEHLP_CONTEXT, *PIMAGEHLP_CONTEXT; BOOL IMAGEAPI SymSetContext( __in HANDLE hProcess, __in PIMAGEHLP_STACK_FRAME StackFrame, __in_opt PIMAGEHLP_CONTEXT Context ); BOOL IMAGEAPI SymSetScopeFromAddr( __in HANDLE hProcess, __in ULONG64 Address ); BOOL IMAGEAPI SymSetScopeFromIndex( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in DWORD Index ); typedef BOOL (CALLBACK* PSYM_ENUMPROCESSES_CALLBACK)( __in HANDLE hProcess, __in PVOID UserContext ); BOOL IMAGEAPI SymEnumProcesses( __in PSYM_ENUMPROCESSES_CALLBACK EnumProcessesCallback, __in PVOID UserContext ); BOOL IMAGEAPI SymFromAddr( __in HANDLE hProcess, __in DWORD64 Address, __out_opt PDWORD64 Displacement, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymFromAddrW( __in HANDLE hProcess, __in DWORD64 Address, __out_opt PDWORD64 Displacement, __inout PSYMBOL_INFOW Symbol ); BOOL IMAGEAPI SymFromToken( __in HANDLE hProcess, __in DWORD64 Base, __in DWORD Token, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymFromTokenW( __in HANDLE hProcess, __in DWORD64 Base, __in DWORD Token, __inout PSYMBOL_INFOW Symbol ); BOOL IMAGEAPI SymNext( __in HANDLE hProcess, __inout PSYMBOL_INFO si ); BOOL IMAGEAPI SymNextW( __in HANDLE hProcess, __inout PSYMBOL_INFOW siw ); BOOL IMAGEAPI SymPrev( __in HANDLE hProcess, __inout PSYMBOL_INFO si ); BOOL IMAGEAPI SymPrevW( __in HANDLE hProcess, __inout PSYMBOL_INFOW siw ); // While SymFromName will provide a symbol from a name, // SymEnumSymbols can provide the same matching information // for ALL symbols with a matching name, even regular // expressions. That way you can search across modules // and differentiate between identically named symbols. BOOL IMAGEAPI SymFromName( __in HANDLE hProcess, __in PCSTR Name, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymFromNameW( __in HANDLE hProcess, __in PCWSTR Name, __inout PSYMBOL_INFOW Symbol ); typedef BOOL (CALLBACK* PSYM_ENUMERATESYMBOLS_CALLBACK)( __in PSYMBOL_INFO pSymInfo, __in ULONG SymbolSize, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSymbols( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCSTR Mask, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); typedef BOOL (CALLBACK* PSYM_ENUMERATESYMBOLS_CALLBACKW)( __in PSYMBOL_INFOW pSymInfo, __in ULONG SymbolSize, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSymbolsW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCWSTR Mask, __in PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSymbolsForAddr( __in HANDLE hProcess, __in DWORD64 Address, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumSymbolsForAddrW( __in HANDLE hProcess, __in DWORD64 Address, __in PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext ); #define SYMSEARCH_MASKOBJS 0x01 // used internally to implement other APIs #define SYMSEARCH_RECURSE 0X02 // recurse scopes #define SYMSEARCH_GLOBALSONLY 0X04 // search only for global symbols #define SYMSEARCH_ALLITEMS 0X08 // search for everything in the pdb, not just normal scoped symbols BOOL IMAGEAPI SymSearch( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt DWORD Index, __in_opt DWORD SymTag, __in_opt PCSTR Mask, __in_opt DWORD64 Address, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext, __in DWORD Options ); BOOL IMAGEAPI SymSearchW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt DWORD Index, __in_opt DWORD SymTag, __in_opt PCWSTR Mask, __in_opt DWORD64 Address, __in PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext, __in DWORD Options ); BOOL IMAGEAPI SymGetScope( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in DWORD Index, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymGetScopeW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in DWORD Index, __inout PSYMBOL_INFOW Symbol ); BOOL IMAGEAPI SymFromIndex( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in DWORD Index, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymFromIndexW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in DWORD Index, __inout PSYMBOL_INFOW Symbol ); typedef enum _IMAGEHLP_SYMBOL_TYPE_INFO { TI_GET_SYMTAG, TI_GET_SYMNAME, TI_GET_LENGTH, TI_GET_TYPE, TI_GET_TYPEID, TI_GET_BASETYPE, TI_GET_ARRAYINDEXTYPEID, TI_FINDCHILDREN, TI_GET_DATAKIND, TI_GET_ADDRESSOFFSET, TI_GET_OFFSET, TI_GET_VALUE, TI_GET_COUNT, TI_GET_CHILDRENCOUNT, TI_GET_BITPOSITION, TI_GET_VIRTUALBASECLASS, TI_GET_VIRTUALTABLESHAPEID, TI_GET_VIRTUALBASEPOINTEROFFSET, TI_GET_CLASSPARENTID, TI_GET_NESTED, TI_GET_SYMINDEX, TI_GET_LEXICALPARENT, TI_GET_ADDRESS, TI_GET_THISADJUST, TI_GET_UDTKIND, TI_IS_EQUIV_TO, TI_GET_CALLING_CONVENTION, TI_IS_CLOSE_EQUIV_TO, TI_GTIEX_REQS_VALID, TI_GET_VIRTUALBASEOFFSET, TI_GET_VIRTUALBASEDISPINDEX, TI_GET_IS_REFERENCE, TI_GET_INDIRECTVIRTUALBASECLASS, IMAGEHLP_SYMBOL_TYPE_INFO_MAX, } IMAGEHLP_SYMBOL_TYPE_INFO; typedef struct _TI_FINDCHILDREN_PARAMS { ULONG Count; ULONG Start; ULONG ChildId[1]; } TI_FINDCHILDREN_PARAMS; BOOL IMAGEAPI SymGetTypeInfo( __in HANDLE hProcess, __in DWORD64 ModBase, __in ULONG TypeId, __in IMAGEHLP_SYMBOL_TYPE_INFO GetType, __out PVOID pInfo ); #define IMAGEHLP_GET_TYPE_INFO_UNCACHED 0x00000001 #define IMAGEHLP_GET_TYPE_INFO_CHILDREN 0x00000002 typedef struct _IMAGEHLP_GET_TYPE_INFO_PARAMS { IN ULONG SizeOfStruct; IN ULONG Flags; IN ULONG NumIds; IN PULONG TypeIds; IN ULONG64 TagFilter; IN ULONG NumReqs; IN IMAGEHLP_SYMBOL_TYPE_INFO* ReqKinds; IN PULONG_PTR ReqOffsets; IN PULONG ReqSizes; IN ULONG_PTR ReqStride; IN ULONG_PTR BufferSize; OUT PVOID Buffer; OUT ULONG EntriesMatched; OUT ULONG EntriesFilled; OUT ULONG64 TagsFound; OUT ULONG64 AllReqsValid; IN ULONG NumReqsValid; OUT PULONG64 ReqsValid OPTIONAL; } IMAGEHLP_GET_TYPE_INFO_PARAMS, *PIMAGEHLP_GET_TYPE_INFO_PARAMS; BOOL IMAGEAPI SymGetTypeInfoEx( __in HANDLE hProcess, __in DWORD64 ModBase, __inout PIMAGEHLP_GET_TYPE_INFO_PARAMS Params ); BOOL IMAGEAPI SymEnumTypes( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumTypesW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumTypesByName( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCSTR mask, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymEnumTypesByNameW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCWSTR mask, __in PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext ); BOOL IMAGEAPI SymGetTypeFromName( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PCSTR Name, __inout PSYMBOL_INFO Symbol ); BOOL IMAGEAPI SymGetTypeFromNameW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PCWSTR Name, __inout PSYMBOL_INFOW Symbol ); BOOL IMAGEAPI SymAddSymbol( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PCSTR Name, __in DWORD64 Address, __in DWORD Size, __in DWORD Flags ); BOOL IMAGEAPI SymAddSymbolW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PCWSTR Name, __in DWORD64 Address, __in DWORD Size, __in DWORD Flags ); BOOL IMAGEAPI SymDeleteSymbol( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCSTR Name, __in DWORD64 Address, __in DWORD Flags ); BOOL IMAGEAPI SymDeleteSymbolW( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in_opt PCWSTR Name, __in DWORD64 Address, __in DWORD Flags ); BOOL IMAGEAPI SymRefreshModuleList( __in HANDLE hProcess ); BOOL IMAGEAPI SymAddSourceStream( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCSTR StreamFile, __in_bcount_opt(Size) PBYTE Buffer, __in size_t Size ); typedef BOOL (WINAPI* SYMADDSOURCESTREAM)(HANDLE, ULONG64, PCSTR, PBYTE, size_t); BOOL IMAGEAPI SymAddSourceStreamA( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCSTR StreamFile, __in_bcount_opt(Size) PBYTE Buffer, __in size_t Size ); typedef BOOL (WINAPI* SYMADDSOURCESTREAMA)(HANDLE, ULONG64, PCSTR, PBYTE, size_t); BOOL IMAGEAPI SymAddSourceStreamW( __in HANDLE hProcess, __in ULONG64 Base, __in_opt PCWSTR FileSpec, __in_bcount_opt(Size) PBYTE Buffer, __in size_t Size ); BOOL IMAGEAPI SymSrvIsStoreW( __in_opt HANDLE hProcess, __in PCWSTR path ); BOOL IMAGEAPI SymSrvIsStore( __in_opt HANDLE hProcess, __in PCSTR path ); PCSTR IMAGEAPI SymSrvDeltaName( __in HANDLE hProcess, __in_opt PCSTR SymPath, __in PCSTR Type, __in PCSTR File1, __in PCSTR File2 ); PCWSTR IMAGEAPI SymSrvDeltaNameW( __in HANDLE hProcess, __in_opt PCWSTR SymPath, __in PCWSTR Type, __in PCWSTR File1, __in PCWSTR File2 ); PCSTR IMAGEAPI SymSrvGetSupplement( __in HANDLE hProcess, __in_opt PCSTR SymPath, __in PCSTR Node, __in PCSTR File ); PCWSTR IMAGEAPI SymSrvGetSupplementW( __in HANDLE hProcess, __in_opt PCWSTR SymPath, __in PCWSTR Node, __in PCWSTR File ); BOOL IMAGEAPI SymSrvGetFileIndexes( __in PCSTR File, __out GUID* Id, __out PDWORD Val1, __out_opt PDWORD Val2, __in DWORD Flags ); BOOL IMAGEAPI SymSrvGetFileIndexesW( __in PCWSTR File, __out GUID* Id, __out PDWORD Val1, __out_opt PDWORD Val2, __in DWORD Flags ); BOOL IMAGEAPI SymSrvGetFileIndexStringW( __in HANDLE hProcess, __in_opt PCWSTR SrvPath, __in PCWSTR File, __out_ecount(Size) PWSTR Index, __in size_t Size, __in DWORD Flags ); BOOL IMAGEAPI SymSrvGetFileIndexString( __in HANDLE hProcess, __in_opt PCSTR SrvPath, __in PCSTR File, __out_ecount(Size) PSTR Index, __in size_t Size, __in DWORD Flags ); typedef struct { DWORD sizeofstruct; char file[MAX_PATH + 1]; BOOL stripped; DWORD timestamp; DWORD size; char dbgfile[MAX_PATH + 1]; char pdbfile[MAX_PATH + 1]; GUID guid; DWORD sig; DWORD age; } SYMSRV_INDEX_INFO, *PSYMSRV_INDEX_INFO; typedef struct { DWORD sizeofstruct; WCHAR file[MAX_PATH + 1]; BOOL stripped; DWORD timestamp; DWORD size; WCHAR dbgfile[MAX_PATH + 1]; WCHAR pdbfile[MAX_PATH + 1]; GUID guid; DWORD sig; DWORD age; } SYMSRV_INDEX_INFOW, *PSYMSRV_INDEX_INFOW; BOOL IMAGEAPI SymSrvGetFileIndexInfo( __in PCSTR File, __out PSYMSRV_INDEX_INFO Info, __in DWORD Flags ); BOOL IMAGEAPI SymSrvGetFileIndexInfoW( __in PCWSTR File, __out PSYMSRV_INDEX_INFOW Info, __in DWORD Flags ); PCSTR IMAGEAPI SymSrvStoreSupplement( __in HANDLE hProcess, __in_opt PCSTR SrvPath, __in PCSTR Node, __in PCSTR File, __in DWORD Flags ); PCWSTR IMAGEAPI SymSrvStoreSupplementW( __in HANDLE hProcess, __in_opt PCWSTR SymPath, __in PCWSTR Node, __in PCWSTR File, __in DWORD Flags ); PCSTR IMAGEAPI SymSrvStoreFile( __in HANDLE hProcess, __in_opt PCSTR SrvPath, __in PCSTR File, __in DWORD Flags ); PCWSTR IMAGEAPI SymSrvStoreFileW( __in HANDLE hProcess, __in_opt PCWSTR SrvPath, __in PCWSTR File, __in DWORD Flags ); // used by SymGetSymbolFile's "Type" parameter enum { sfImage = 0, sfDbg, sfPdb, sfMpd, sfMax }; BOOL IMAGEAPI SymGetSymbolFile( __in_opt HANDLE hProcess, __in_opt PCSTR SymPath, __in PCSTR ImageFile, __in DWORD Type, __out_ecount(cSymbolFile) PSTR SymbolFile, __in size_t cSymbolFile, __out_ecount(cDbgFile) PSTR DbgFile, __in size_t cDbgFile ); BOOL IMAGEAPI SymGetSymbolFileW( __in_opt HANDLE hProcess, __in_opt PCWSTR SymPath, __in PCWSTR ImageFile, __in DWORD Type, __out_ecount(cSymbolFile) PWSTR SymbolFile, __in size_t cSymbolFile, __out_ecount(cDbgFile) PWSTR DbgFile, __in size_t cDbgFile ); // // Full user-mode dump creation. // typedef BOOL (WINAPI* PDBGHELP_CREATE_USER_DUMP_CALLBACK)( __in DWORD DataType, __in PVOID* Data, __out LPDWORD DataLength, __in_opt PVOID UserData ); BOOL WINAPI DbgHelpCreateUserDump( __in_opt LPCSTR FileName, __in PDBGHELP_CREATE_USER_DUMP_CALLBACK Callback, __in_opt PVOID UserData ); BOOL WINAPI DbgHelpCreateUserDumpW( __in_opt LPCWSTR FileName, __in PDBGHELP_CREATE_USER_DUMP_CALLBACK Callback, __in_opt PVOID UserData ); // ----------------------------------------------------------------- // The following 4 legacy APIs are fully supported, but newer // ones are recommended. SymFromName and SymFromAddr provide // much more detailed info on the returned symbol. BOOL IMAGEAPI SymGetSymFromAddr64( __in HANDLE hProcess, __in DWORD64 qwAddr, __out_opt PDWORD64 pdwDisplacement, __inout PIMAGEHLP_SYMBOL64 Symbol ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetSymFromAddr SymGetSymFromAddr64 #else BOOL IMAGEAPI SymGetSymFromAddr( __in HANDLE hProcess, __in DWORD dwAddr, __out_opt PDWORD pdwDisplacement, __inout PIMAGEHLP_SYMBOL Symbol ); #endif // While following two APIs will provide a symbol from a name, // SymEnumSymbols can provide the same matching information // for ALL symbols with a matching name, even regular // expressions. That way you can search across modules // and differentiate between identically named symbols. BOOL IMAGEAPI SymGetSymFromName64( __in HANDLE hProcess, __in PCSTR Name, __inout PIMAGEHLP_SYMBOL64 Symbol ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetSymFromName SymGetSymFromName64 #else BOOL IMAGEAPI SymGetSymFromName( __in HANDLE hProcess, __in PCSTR Name, __inout PIMAGEHLP_SYMBOL Symbol ); #endif // Symbol server exports typedef BOOL (WINAPI* PSYMBOLSERVERPROC)(PCSTR, PCSTR, PVOID, DWORD, DWORD, PSTR); typedef BOOL (WINAPI* PSYMBOLSERVERPROCA)(PCSTR, PCSTR, PVOID, DWORD, DWORD, PSTR); typedef BOOL (WINAPI* PSYMBOLSERVERPROCW)(PCWSTR, PCWSTR, PVOID, DWORD, DWORD, PWSTR); typedef BOOL (WINAPI* PSYMBOLSERVERBYINDEXPROC)(PCSTR, PCSTR, PCSTR, PSTR); typedef BOOL (WINAPI* PSYMBOLSERVERBYINDEXPROCA)(PCSTR, PCSTR, PCSTR, PSTR); typedef BOOL (WINAPI* PSYMBOLSERVERBYINDEXPROCW)(PCWSTR, PCWSTR, PCWSTR, PWSTR); typedef BOOL (WINAPI* PSYMBOLSERVEROPENPROC)(VOID); typedef BOOL (WINAPI* PSYMBOLSERVERCLOSEPROC)(VOID); typedef BOOL (WINAPI* PSYMBOLSERVERSETOPTIONSPROC)(UINT_PTR, ULONG64); typedef BOOL (WINAPI* PSYMBOLSERVERSETOPTIONSWPROC)(UINT_PTR, ULONG64); typedef BOOL (CALLBACK WINAPI* PSYMBOLSERVERCALLBACKPROC)(UINT_PTR action, ULONG64 data, ULONG64 context); typedef UINT_PTR(WINAPI* PSYMBOLSERVERGETOPTIONSPROC)(); typedef BOOL (WINAPI* PSYMBOLSERVERPINGPROC)(PCSTR); typedef BOOL (WINAPI* PSYMBOLSERVERPINGPROCA)(PCSTR); typedef BOOL (WINAPI* PSYMBOLSERVERPINGPROCW)(PCWSTR); typedef BOOL (WINAPI* PSYMBOLSERVERGETVERSION)(LPAPI_VERSION); typedef BOOL (WINAPI* PSYMBOLSERVERDELTANAME)(PCSTR, PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, PSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERDELTANAMEW)(PCWSTR, PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, PWSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERGETSUPPLEMENT)(PCSTR, PCSTR, PCSTR, PSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERGETSUPPLEMENTW)(PCWSTR, PCWSTR, PCWSTR, PWSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERSTORESUPPLEMENT)(PCSTR, PCSTR, PCSTR, PSTR, size_t, DWORD); typedef BOOL (WINAPI* PSYMBOLSERVERSTORESUPPLEMENTW)(PCWSTR, PCWSTR, PCWSTR, PWSTR, size_t, DWORD); typedef BOOL (WINAPI* PSYMBOLSERVERGETINDEXSTRING)(PVOID, DWORD, DWORD, PSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERGETINDEXSTRINGW)(PVOID, DWORD, DWORD, PWSTR, size_t); typedef BOOL (WINAPI* PSYMBOLSERVERSTOREFILE)(PCSTR, PCSTR, PVOID, DWORD, DWORD, PSTR, size_t, DWORD); typedef BOOL (WINAPI* PSYMBOLSERVERSTOREFILEW)(PCWSTR, PCWSTR, PVOID, DWORD, DWORD, PWSTR, size_t, DWORD); typedef BOOL (WINAPI* PSYMBOLSERVERISSTORE)(PCSTR); typedef BOOL (WINAPI* PSYMBOLSERVERISSTOREW)(PCWSTR); typedef DWORD (WINAPI* PSYMBOLSERVERVERSION)(); typedef BOOL (CALLBACK WINAPI* PSYMBOLSERVERMESSAGEPROC)(UINT_PTR action, ULONG64 data, ULONG64 context); #define SYMSRV_VERSION 2 #define SSRVOPT_CALLBACK 0x00000001 #define SSRVOPT_DWORD 0x00000002 #define SSRVOPT_DWORDPTR 0x00000004 #define SSRVOPT_GUIDPTR 0x00000008 #define SSRVOPT_OLDGUIDPTR 0x00000010 #define SSRVOPT_UNATTENDED 0x00000020 #define SSRVOPT_NOCOPY 0x00000040 #define SSRVOPT_GETPATH 0x00000040 #define SSRVOPT_PARENTWIN 0x00000080 #define SSRVOPT_PARAMTYPE 0x00000100 #define SSRVOPT_SECURE 0x00000200 #define SSRVOPT_TRACE 0x00000400 #define SSRVOPT_SETCONTEXT 0x00000800 #define SSRVOPT_PROXY 0x00001000 #define SSRVOPT_DOWNSTREAM_STORE 0x00002000 #define SSRVOPT_OVERWRITE 0x00004000 #define SSRVOPT_RESETTOU 0x00008000 #define SSRVOPT_CALLBACKW 0x00010000 #define SSRVOPT_FLAT_DEFAULT_STORE 0x00020000 #define SSRVOPT_PROXYW 0x00040000 #define SSRVOPT_MESSAGE 0x00080000 #define SSRVOPT_SERVICE 0x00100000 // deprecated #define SSRVOPT_FAVOR_COMPRESSED 0x00200000 #define SSRVOPT_STRING 0x00400000 #define SSRVOPT_WINHTTP 0x00800000 #define SSRVOPT_WININET 0x01000000 #define SSRVOPT_MAX 0x0100000 #define SSRVOPT_RESET ((ULONG_PTR)-1) #define NUM_SSRVOPTS 30 #define SSRVACTION_TRACE 1 #define SSRVACTION_QUERYCANCEL 2 #define SSRVACTION_EVENT 3 #define SSRVACTION_EVENTW 4 #define SSRVACTION_SIZE 5 #define SYMSTOREOPT_COMPRESS 0x01 #define SYMSTOREOPT_OVERWRITE 0x02 #define SYMSTOREOPT_RETURNINDEX 0x04 #define SYMSTOREOPT_POINTER 0x08 #define SYMSTOREOPT_ALT_INDEX 0x10 #define SYMSTOREOPT_UNICODE 0x20 #define SYMSTOREOPT_PASS_IF_EXISTS 0x40 #ifdef DBGHELP_TRANSLATE_TCHAR #define SymInitialize SymInitializeW #define SymAddSymbol SymAddSymbolW #define SymDeleteSymbol SymDeleteSymbolW #define SearchTreeForFile SearchTreeForFileW #define UnDecorateSymbolName UnDecorateSymbolNameW #define SymGetLineFromName64 SymGetLineFromNameW64 #define SymGetLineFromAddr64 SymGetLineFromAddrW64 #define SymGetLineNext64 SymGetLineNextW64 #define SymGetLinePrev64 SymGetLinePrevW64 #define SymFromName SymFromNameW #define SymFindExecutableImage SymFindExecutableImageW #define FindExecutableImageEx FindExecutableImageExW #define SymSearch SymSearchW #define SymEnumLines SymEnumLinesW #define SymEnumSourceLines SymEnumSourceLinesW #define SymGetTypeFromName SymGetTypeFromNameW #define SymEnumSymbolsForAddr SymEnumSymbolsForAddrW #define SymFromAddr SymFromAddrW #define SymMatchString SymMatchStringW #define SymEnumSourceFiles SymEnumSourceFilesW #define SymEnumSymbols SymEnumSymbolsW #define SymLoadModuleEx SymLoadModuleExW #define SymSetSearchPath SymSetSearchPathW #define SymGetSearchPath SymGetSearchPathW #define EnumDirTree EnumDirTreeW #define SymFromToken SymFromTokenW #define SymFromIndex SymFromIndexW #define SymGetScope SymGetScopeW #define SymNext SymNextW #define SymPrev SymPrevW #define SymEnumTypes SymEnumTypesW #define SymEnumTypesByName SymEnumTypesByNameW #define SymRegisterCallback64 SymRegisterCallbackW64 #define SymFindDebugInfoFile SymFindDebugInfoFileW #define FindDebugInfoFileEx FindDebugInfoFileExW #define SymFindFileInPath SymFindFileInPathW #define SymEnumerateModules64 SymEnumerateModulesW64 #define SymSetHomeDirectory SymSetHomeDirectoryW #define SymGetHomeDirectory SymGetHomeDirectoryW #define SymGetSourceFile SymGetSourceFileW #define SymGetSourceFileToken SymGetSourceFileTokenW #define SymGetSourceFileFromToken SymGetSourceFileFromTokenW #define SymGetSourceVarFromToken SymGetSourceVarFromTokenW #define SymGetSourceFileToken SymGetSourceFileTokenW #define SymGetFileLineOffsets64 SymGetFileLineOffsetsW64 #define SymFindFileInPath SymFindFileInPathW #define SymMatchFileName SymMatchFileNameW #define SymGetSourceFileFromToken SymGetSourceFileFromTokenW #define SymGetSourceVarFromToken SymGetSourceVarFromTokenW #define SymGetModuleInfo64 SymGetModuleInfoW64 #define SymSrvIsStore SymSrvIsStoreW #define SymSrvDeltaName SymSrvDeltaNameW #define SymSrvGetSupplement SymSrvGetSupplementW #define SymSrvStoreSupplement SymSrvStoreSupplementW #define SymSrvGetFileIndexes SymSrvGetFileIndexes #define SymSrvGetFileIndexString SymSrvGetFileIndexStringW #define SymSrvStoreFile SymSrvStoreFileW #define SymGetSymbolFile SymGetSymbolFileW #define EnumerateLoadedModules64 EnumerateLoadedModulesW64 #define EnumerateLoadedModulesEx EnumerateLoadedModulesExW #define SymSrvGetFileIndexInfo SymSrvGetFileIndexInfoW #define IMAGEHLP_LINE64 IMAGEHLP_LINEW64 #define PIMAGEHLP_LINE64 PIMAGEHLP_LINEW64 #define SYMBOL_INFO SYMBOL_INFOW #define PSYMBOL_INFO PSYMBOL_INFOW #define SYMBOL_INFO_PACKAGE SYMBOL_INFO_PACKAGEW #define PSYMBOL_INFO_PACKAGE PSYMBOL_INFO_PACKAGEW #define FIND_EXE_FILE_CALLBACK FIND_EXE_FILE_CALLBACKW #define PFIND_EXE_FILE_CALLBACK PFIND_EXE_FILE_CALLBACKW #define SYM_ENUMERATESYMBOLS_CALLBACK SYM_ENUMERATESYMBOLS_CALLBACKW #define PSYM_ENUMERATESYMBOLS_CALLBACK PSYM_ENUMERATESYMBOLS_CALLBACKW #define SRCCODEINFO SRCCODEINFOW #define PSRCCODEINFO PSRCCODEINFOW #define SOURCEFILE SOURCEFILEW #define PSOURCEFILE PSOURCEFILEW #define SYM_ENUMSOURECFILES_CALLBACK SYM_ENUMSOURCEFILES_CALLBACKW #define PSYM_ENUMSOURCEFILES_CALLBACK PSYM_ENUMSOURECFILES_CALLBACKW #define IMAGEHLP_CBA_EVENT IMAGEHLP_CBA_EVENTW #define PIMAGEHLP_CBA_EVENT PIMAGEHLP_CBA_EVENTW #define PENUMDIRTREE_CALLBACK PENUMDIRTREE_CALLBACKW #define IMAGEHLP_DEFERRED_SYMBOL_LOAD64 IMAGEHLP_DEFERRED_SYMBOL_LOADW64 #define PIMAGEHLP_DEFERRED_SYMBOL_LOAD64 PIMAGEHLP_DEFERRED_SYMBOL_LOADW64 #define PFIND_DEBUG_FILE_CALLBACK PFIND_DEBUG_FILE_CALLBACKW #define PFINDFILEINPATHCALLBACK PFINDFILEINPATHCALLBACKW #define IMAGEHLP_MODULE64 IMAGEHLP_MODULEW64 #define PIMAGEHLP_MODULE64 PIMAGEHLP_MODULEW64 #define SYMSRV_INDEX_INFO SYMSRV_INDEX_INFOW #define PSYMSRV_INDEX_INFO PSYMSRV_INDEX_INFOW #define PSYMBOLSERVERPROC PSYMBOLSERVERPROCW #define PSYMBOLSERVERPINGPROC PSYMBOLSERVERPINGPROCW #endif // ----------------------------------------------------------------- // The following APIs exist only for backwards compatibility // with a pre-release version documented in an MSDN release. // You should use SymFindFileInPath if you want to maintain // future compatibility. DBHLP_DEPRECIATED BOOL IMAGEAPI FindFileInPath( __in HANDLE hprocess, __in PCSTR SearchPath, __in PCSTR FileName, __in PVOID id, __in DWORD two, __in DWORD three, __in DWORD flags, __out_ecount(MAX_PATH + 1) PSTR FilePath ); // You should use SymFindFileInPath if you want to maintain // future compatibility. DBHLP_DEPRECIATED BOOL IMAGEAPI FindFileInSearchPath( __in HANDLE hprocess, __in PCSTR SearchPath, __in PCSTR FileName, __in DWORD one, __in DWORD two, __in DWORD three, __out_ecount(MAX_PATH + 1) PSTR FilePath ); DBHLP_DEPRECIATED BOOL IMAGEAPI SymEnumSym( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); DBHLP_DEPRECIATED BOOL IMAGEAPI SymEnumerateSymbols64( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PSYM_ENUMSYMBOLS_CALLBACK64 EnumSymbolsCallback, __in_opt PVOID UserContext ); DBHLP_DEPRECIATED BOOL IMAGEAPI SymEnumerateSymbolsW64( __in HANDLE hProcess, __in ULONG64 BaseOfDll, __in PSYM_ENUMSYMBOLS_CALLBACK64W EnumSymbolsCallback, __in_opt PVOID UserContext ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymEnumerateSymbols SymEnumerateSymbols64 #define SymEnumerateSymbolsW SymEnumerateSymbolsW64 #else DBHLP_DEPRECIATED BOOL IMAGEAPI SymEnumerateSymbols( __in HANDLE hProcess, __in ULONG BaseOfDll, __in PSYM_ENUMSYMBOLS_CALLBACK EnumSymbolsCallback, __in_opt PVOID UserContext ); DBHLP_DEPRECIATED BOOL IMAGEAPI SymEnumerateSymbolsW( __in HANDLE hProcess, __in ULONG BaseOfDll, __in PSYM_ENUMSYMBOLS_CALLBACKW EnumSymbolsCallback, __in_opt PVOID UserContext ); #endif // use SymLoadModuleEx DWORD64 IMAGEAPI SymLoadModule64( __in HANDLE hProcess, __in_opt HANDLE hFile, __in_opt PCSTR ImageName, __in_opt PCSTR ModuleName, __in DWORD64 BaseOfDll, __in DWORD SizeOfDll ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymLoadModule SymLoadModule64 #else DWORD IMAGEAPI SymLoadModule( __in HANDLE hProcess, __in_opt HANDLE hFile, __in_opt PCSTR ImageName, __in_opt PCSTR ModuleName, __in DWORD BaseOfDll, __in DWORD SizeOfDll ); #endif BOOL IMAGEAPI SymGetSymNext64( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOL64 Symbol ); BOOL IMAGEAPI SymGetSymNextW64( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOLW64 Symbol ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetSymNext SymGetSymNext64 #define SymGetSymNextW SymGetSymNextW64 #else BOOL IMAGEAPI SymGetSymNext( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOL Symbol ); BOOL IMAGEAPI SymGetSymNextW( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOLW Symbol ); #endif BOOL IMAGEAPI SymGetSymPrev64( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOL64 Symbol ); BOOL IMAGEAPI SymGetSymPrevW64( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOLW64 Symbol ); #if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64) #define SymGetSymPrev SymGetSymPrev64 #define SymGetSymPrevW SymGetSymPrevW64 #else BOOL IMAGEAPI SymGetSymPrev( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOL Symbol ); BOOL IMAGEAPI SymGetSymPrevW( __in HANDLE hProcess, __inout PIMAGEHLP_SYMBOLW Symbol ); #endif // These values should not be used. // They have been replaced by SYMFLAG_ values. #define SYMF_OMAP_GENERATED 0x00000001 #define SYMF_OMAP_MODIFIED 0x00000002 #define SYMF_REGISTER 0x00000008 #define SYMF_REGREL 0x00000010 #define SYMF_FRAMEREL 0x00000020 #define SYMF_PARAMETER 0x00000040 #define SYMF_LOCAL 0x00000080 #define SYMF_CONSTANT 0x00000100 #define SYMF_EXPORT 0x00000200 #define SYMF_FORWARDER 0x00000400 #define SYMF_FUNCTION 0x00000800 #define SYMF_VIRTUAL 0x00001000 #define SYMF_THUNK 0x00002000 #define SYMF_TLSREL 0x00004000 // These values should also not be used. // They have been replaced by SYMFLAG_ values. #define IMAGEHLP_SYMBOL_INFO_VALUEPRESENT 1 #define IMAGEHLP_SYMBOL_INFO_REGISTER SYMF_REGISTER // 0x0008 #define IMAGEHLP_SYMBOL_INFO_REGRELATIVE SYMF_REGREL // 0x0010 #define IMAGEHLP_SYMBOL_INFO_FRAMERELATIVE SYMF_FRAMEREL // 0x0020 #define IMAGEHLP_SYMBOL_INFO_PARAMETER SYMF_PARAMETER // 0x0040 #define IMAGEHLP_SYMBOL_INFO_LOCAL SYMF_LOCAL // 0x0080 #define IMAGEHLP_SYMBOL_INFO_CONSTANT SYMF_CONSTANT // 0x0100 #define IMAGEHLP_SYMBOL_FUNCTION SYMF_FUNCTION // 0x0800 #define IMAGEHLP_SYMBOL_VIRTUAL SYMF_VIRTUAL // 0x1000 #define IMAGEHLP_SYMBOL_THUNK SYMF_THUNK // 0x2000 #define IMAGEHLP_SYMBOL_INFO_TLSRELATIVE SYMF_TLSREL // 0x4000 #pragma pack(pop) #pragma pack(push,4) #define MINIDUMP_SIGNATURE ('PMDM') #define MINIDUMP_VERSION (42899) typedef DWORD RVA; typedef ULONG64 RVA64; typedef struct _MINIDUMP_LOCATION_DESCRIPTOR { ULONG32 DataSize; RVA Rva; } MINIDUMP_LOCATION_DESCRIPTOR; typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 { ULONG64 DataSize; RVA64 Rva; } MINIDUMP_LOCATION_DESCRIPTOR64; typedef struct _MINIDUMP_MEMORY_DESCRIPTOR { ULONG64 StartOfMemoryRange; MINIDUMP_LOCATION_DESCRIPTOR Memory; } MINIDUMP_MEMORY_DESCRIPTOR, *PMINIDUMP_MEMORY_DESCRIPTOR; // DESCRIPTOR64 is used for full-memory minidumps where // all of the raw memory is laid out sequentially at the // end of the dump. There is no need for individual RVAs // as the RVA is the base RVA plus the sum of the preceeding // data blocks. typedef struct _MINIDUMP_MEMORY_DESCRIPTOR64 { ULONG64 StartOfMemoryRange; ULONG64 DataSize; } MINIDUMP_MEMORY_DESCRIPTOR64, *PMINIDUMP_MEMORY_DESCRIPTOR64; typedef struct _MINIDUMP_HEADER { ULONG32 Signature; ULONG32 Version; ULONG32 NumberOfStreams; RVA StreamDirectoryRva; ULONG32 CheckSum; union { ULONG32 Reserved; ULONG32 TimeDateStamp; }; ULONG64 Flags; } MINIDUMP_HEADER, *PMINIDUMP_HEADER; // // The MINIDUMP_HEADER field StreamDirectoryRva points to // an array of MINIDUMP_DIRECTORY structures. // typedef struct _MINIDUMP_DIRECTORY { ULONG32 StreamType; MINIDUMP_LOCATION_DESCRIPTOR Location; } MINIDUMP_DIRECTORY, *PMINIDUMP_DIRECTORY; typedef struct _MINIDUMP_STRING { ULONG32 Length; // Length in bytes of the string WCHAR Buffer [0]; // Variable size buffer } MINIDUMP_STRING, *PMINIDUMP_STRING; // // The MINIDUMP_DIRECTORY field StreamType may be one of the following types. // Types will be added in the future, so if a program reading the minidump // header encounters a stream type it does not understand it should ignore // the data altogether. Any tag above LastReservedStream will not be used by // the system and is reserved for program-specific information. // typedef enum _MINIDUMP_STREAM_TYPE { UnusedStream = 0, ReservedStream0 = 1, ReservedStream1 = 2, ThreadListStream = 3, ModuleListStream = 4, MemoryListStream = 5, ExceptionStream = 6, SystemInfoStream = 7, ThreadExListStream = 8, Memory64ListStream = 9, CommentStreamA = 10, CommentStreamW = 11, HandleDataStream = 12, FunctionTableStream = 13, UnloadedModuleListStream = 14, MiscInfoStream = 15, MemoryInfoListStream = 16, ThreadInfoListStream = 17, HandleOperationListStream = 18, TokenStream = 19, ceStreamNull = 0x8000, ceStreamSystemInfo = 0x8001, ceStreamException = 0x8002, ceStreamModuleList = 0x8003, ceStreamProcessList = 0x8004, ceStreamThreadList = 0x8005, ceStreamThreadContextList = 0x8006, ceStreamThreadCallStackList = 0x8007, ceStreamMemoryVirtualList = 0x8008, ceStreamMemoryPhysicalList = 0x8009, ceStreamBucketParameters = 0x800A, ceStreamProcessModuleMap = 0x800B, ceStreamDiagnosisList = 0x800C, LastReservedStream = 0xffff } MINIDUMP_STREAM_TYPE; // // The minidump system information contains processor and // Operating System specific information. // // // CPU information is obtained from one of two places. // // 1) On x86 computers, CPU_INFORMATION is obtained from the CPUID // instruction. You must use the X86 portion of the union for X86 // computers. // // 2) On non-x86 architectures, CPU_INFORMATION is obtained by calling // IsProcessorFeatureSupported(). // typedef union _CPU_INFORMATION { // // X86 platforms use CPUID function to obtain processor information. // struct { // // CPUID Subfunction 0, register EAX (VendorId [0]), // EBX (VendorId [1]) and ECX (VendorId [2]). // ULONG32 VendorId [ 3 ]; // // CPUID Subfunction 1, register EAX // ULONG32 VersionInformation; // // CPUID Subfunction 1, register EDX // ULONG32 FeatureInformation; // // CPUID, Subfunction 80000001, register EBX. This will only // be obtained if the vendor id is "AuthenticAMD". // ULONG32 AMDExtendedCpuFeatures; } X86CpuInfo; // // Non-x86 platforms use processor feature flags. // struct { ULONG64 ProcessorFeatures [ 2 ]; } OtherCpuInfo; } CPU_INFORMATION, *PCPU_INFORMATION; typedef struct _MINIDUMP_SYSTEM_INFO { // // ProcessorArchitecture, ProcessorLevel and ProcessorRevision are all // taken from the SYSTEM_INFO structure obtained by GetSystemInfo( ). // USHORT ProcessorArchitecture; USHORT ProcessorLevel; USHORT ProcessorRevision; union { USHORT Reserved0; struct { UCHAR NumberOfProcessors; UCHAR ProductType; }; }; // // MajorVersion, MinorVersion, BuildNumber, PlatformId and // CSDVersion are all taken from the OSVERSIONINFO structure // returned by GetVersionEx( ). // ULONG32 MajorVersion; ULONG32 MinorVersion; ULONG32 BuildNumber; ULONG32 PlatformId; // // RVA to a CSDVersion string in the string table. // RVA CSDVersionRva; union { ULONG32 Reserved1; struct { USHORT SuiteMask; USHORT Reserved2; }; }; CPU_INFORMATION Cpu; } MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO; // // The minidump thread contains standard thread // information plus an RVA to the memory for this // thread and an RVA to the CONTEXT structure for // this thread. // // // ThreadId must be 4 bytes on all architectures. // C_ASSERT(sizeof(((PPROCESS_INFORMATION)0)->dwThreadId) == 4); typedef struct _MINIDUMP_THREAD { ULONG32 ThreadId; ULONG32 SuspendCount; ULONG32 PriorityClass; ULONG32 Priority; ULONG64 Teb; MINIDUMP_MEMORY_DESCRIPTOR Stack; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; } MINIDUMP_THREAD, *PMINIDUMP_THREAD; // // The thread list is a container of threads. // typedef struct _MINIDUMP_THREAD_LIST { ULONG32 NumberOfThreads; MINIDUMP_THREAD Threads [0]; } MINIDUMP_THREAD_LIST, *PMINIDUMP_THREAD_LIST; typedef struct _MINIDUMP_THREAD_EX { ULONG32 ThreadId; ULONG32 SuspendCount; ULONG32 PriorityClass; ULONG32 Priority; ULONG64 Teb; MINIDUMP_MEMORY_DESCRIPTOR Stack; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; MINIDUMP_MEMORY_DESCRIPTOR BackingStore; } MINIDUMP_THREAD_EX, *PMINIDUMP_THREAD_EX; // // The thread list is a container of threads. // typedef struct _MINIDUMP_THREAD_EX_LIST { ULONG32 NumberOfThreads; MINIDUMP_THREAD_EX Threads [0]; } MINIDUMP_THREAD_EX_LIST, *PMINIDUMP_THREAD_EX_LIST; // // The MINIDUMP_EXCEPTION is the same as EXCEPTION on Win64. // typedef struct _MINIDUMP_EXCEPTION { ULONG32 ExceptionCode; ULONG32 ExceptionFlags; ULONG64 ExceptionRecord; ULONG64 ExceptionAddress; ULONG32 NumberParameters; ULONG32 __unusedAlignment; ULONG64 ExceptionInformation [ EXCEPTION_MAXIMUM_PARAMETERS ]; } MINIDUMP_EXCEPTION, *PMINIDUMP_EXCEPTION; // // The exception information stream contains the id of the thread that caused // the exception (ThreadId), the exception record for the exception // (ExceptionRecord) and an RVA to the thread context where the exception // occured. // typedef struct MINIDUMP_EXCEPTION_STREAM { ULONG32 ThreadId; ULONG32 __alignment; MINIDUMP_EXCEPTION ExceptionRecord; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; } MINIDUMP_EXCEPTION_STREAM, *PMINIDUMP_EXCEPTION_STREAM; // // The MINIDUMP_MODULE contains information about a // a specific module. It includes the CheckSum and // the TimeDateStamp for the module so the module // can be reloaded during the analysis phase. // typedef struct _MINIDUMP_MODULE { ULONG64 BaseOfImage; ULONG32 SizeOfImage; ULONG32 CheckSum; ULONG32 TimeDateStamp; RVA ModuleNameRva; VS_FIXEDFILEINFO VersionInfo; MINIDUMP_LOCATION_DESCRIPTOR CvRecord; MINIDUMP_LOCATION_DESCRIPTOR MiscRecord; ULONG64 Reserved0; // Reserved for future use. ULONG64 Reserved1; // Reserved for future use. } MINIDUMP_MODULE, *PMINIDUMP_MODULE; // // The minidump module list is a container for modules. // typedef struct _MINIDUMP_MODULE_LIST { ULONG32 NumberOfModules; MINIDUMP_MODULE Modules [ 0 ]; } MINIDUMP_MODULE_LIST, *PMINIDUMP_MODULE_LIST; // // Memory Ranges // typedef struct _MINIDUMP_MEMORY_LIST { ULONG32 NumberOfMemoryRanges; MINIDUMP_MEMORY_DESCRIPTOR MemoryRanges [0]; } MINIDUMP_MEMORY_LIST, *PMINIDUMP_MEMORY_LIST; typedef struct _MINIDUMP_MEMORY64_LIST { ULONG64 NumberOfMemoryRanges; RVA64 BaseRva; MINIDUMP_MEMORY_DESCRIPTOR64 MemoryRanges [0]; } MINIDUMP_MEMORY64_LIST, *PMINIDUMP_MEMORY64_LIST; // // Support for user supplied exception information. // typedef struct _MINIDUMP_EXCEPTION_INFORMATION { DWORD ThreadId; PEXCEPTION_POINTERS ExceptionPointers; BOOL ClientPointers; } MINIDUMP_EXCEPTION_INFORMATION, *PMINIDUMP_EXCEPTION_INFORMATION; typedef struct _MINIDUMP_EXCEPTION_INFORMATION64 { DWORD ThreadId; ULONG64 ExceptionRecord; ULONG64 ContextRecord; BOOL ClientPointers; } MINIDUMP_EXCEPTION_INFORMATION64, *PMINIDUMP_EXCEPTION_INFORMATION64; // // Support for capturing system handle state at the time of the dump. // // Per-handle object information varies according to // the OS, the OS version, the processor type and // so on. The minidump gives a minidump identifier // to each possible data format for identification // purposes but does not control nor describe the actual data. typedef enum _MINIDUMP_HANDLE_OBJECT_INFORMATION_TYPE { MiniHandleObjectInformationNone, MiniThreadInformation1, MiniMutantInformation1, MiniMutantInformation2, MiniProcessInformation1, MiniProcessInformation2, MiniHandleObjectInformationTypeMax } MINIDUMP_HANDLE_OBJECT_INFORMATION_TYPE; typedef struct _MINIDUMP_HANDLE_OBJECT_INFORMATION { RVA NextInfoRva; ULONG32 InfoType; ULONG32 SizeOfInfo; // Raw information follows. } MINIDUMP_HANDLE_OBJECT_INFORMATION; typedef struct _MINIDUMP_HANDLE_DESCRIPTOR { ULONG64 Handle; RVA TypeNameRva; RVA ObjectNameRva; ULONG32 Attributes; ULONG32 GrantedAccess; ULONG32 HandleCount; ULONG32 PointerCount; } MINIDUMP_HANDLE_DESCRIPTOR, *PMINIDUMP_HANDLE_DESCRIPTOR; typedef struct _MINIDUMP_HANDLE_DESCRIPTOR_2 { ULONG64 Handle; RVA TypeNameRva; RVA ObjectNameRva; ULONG32 Attributes; ULONG32 GrantedAccess; ULONG32 HandleCount; ULONG32 PointerCount; RVA ObjectInfoRva; ULONG32 Reserved0; } MINIDUMP_HANDLE_DESCRIPTOR_2, *PMINIDUMP_HANDLE_DESCRIPTOR_2; // The latest MINIDUMP_HANDLE_DESCRIPTOR definition. typedef MINIDUMP_HANDLE_DESCRIPTOR_2 MINIDUMP_HANDLE_DESCRIPTOR_N; typedef MINIDUMP_HANDLE_DESCRIPTOR_N* PMINIDUMP_HANDLE_DESCRIPTOR_N; typedef struct _MINIDUMP_HANDLE_DATA_STREAM { ULONG32 SizeOfHeader; ULONG32 SizeOfDescriptor; ULONG32 NumberOfDescriptors; ULONG32 Reserved; } MINIDUMP_HANDLE_DATA_STREAM, *PMINIDUMP_HANDLE_DATA_STREAM; // Some operating systems can track the last operations // performed on a handle. For example, Application Verifier // can enable this for some versions of Windows. The // handle operation list collects handle operations // known for the dump target. // Each entry is an AVRF_HANDLE_OPERATION. typedef struct _MINIDUMP_HANDLE_OPERATION_LIST { ULONG32 SizeOfHeader; ULONG32 SizeOfEntry; ULONG32 NumberOfEntries; ULONG32 Reserved; } MINIDUMP_HANDLE_OPERATION_LIST, *PMINIDUMP_HANDLE_OPERATION_LIST; // // Support for capturing dynamic function table state at the time of the dump. // typedef struct _MINIDUMP_FUNCTION_TABLE_DESCRIPTOR { ULONG64 MinimumAddress; ULONG64 MaximumAddress; ULONG64 BaseAddress; ULONG32 EntryCount; ULONG32 SizeOfAlignPad; } MINIDUMP_FUNCTION_TABLE_DESCRIPTOR, *PMINIDUMP_FUNCTION_TABLE_DESCRIPTOR; typedef struct _MINIDUMP_FUNCTION_TABLE_STREAM { ULONG32 SizeOfHeader; ULONG32 SizeOfDescriptor; ULONG32 SizeOfNativeDescriptor; ULONG32 SizeOfFunctionEntry; ULONG32 NumberOfDescriptors; ULONG32 SizeOfAlignPad; } MINIDUMP_FUNCTION_TABLE_STREAM, *PMINIDUMP_FUNCTION_TABLE_STREAM; // // The MINIDUMP_UNLOADED_MODULE contains information about a // a specific module that was previously loaded but no // longer is. This can help with diagnosing problems where // callers attempt to call code that is no longer loaded. // typedef struct _MINIDUMP_UNLOADED_MODULE { ULONG64 BaseOfImage; ULONG32 SizeOfImage; ULONG32 CheckSum; ULONG32 TimeDateStamp; RVA ModuleNameRva; } MINIDUMP_UNLOADED_MODULE, *PMINIDUMP_UNLOADED_MODULE; // // The minidump unloaded module list is a container for unloaded modules. // typedef struct _MINIDUMP_UNLOADED_MODULE_LIST { ULONG32 SizeOfHeader; ULONG32 SizeOfEntry; ULONG32 NumberOfEntries; } MINIDUMP_UNLOADED_MODULE_LIST, *PMINIDUMP_UNLOADED_MODULE_LIST; // // The miscellaneous information stream contains a variety // of small pieces of information. A member is valid if // it's within the available size and its corresponding // bit is set. // #define MINIDUMP_MISC1_PROCESS_ID 0x00000001 #define MINIDUMP_MISC1_PROCESS_TIMES 0x00000002 #define MINIDUMP_MISC1_PROCESSOR_POWER_INFO 0x00000004 #define MINIDUMP_MISC3_PROCESS_INTEGRITY 0x00000010 #define MINIDUMP_MISC3_PROCESS_EXECUTE_FLAGS 0x00000020 #define MINIDUMP_MISC3_TIMEZONE 0x00000040 #define MINIDUMP_MISC3_PROTECTED_PROCESS 0x00000080 typedef struct _MINIDUMP_MISC_INFO { ULONG32 SizeOfInfo; ULONG32 Flags1; ULONG32 ProcessId; ULONG32 ProcessCreateTime; ULONG32 ProcessUserTime; ULONG32 ProcessKernelTime; } MINIDUMP_MISC_INFO, *PMINIDUMP_MISC_INFO; typedef struct _MINIDUMP_MISC_INFO_2 { ULONG32 SizeOfInfo; ULONG32 Flags1; ULONG32 ProcessId; ULONG32 ProcessCreateTime; ULONG32 ProcessUserTime; ULONG32 ProcessKernelTime; ULONG32 ProcessorMaxMhz; ULONG32 ProcessorCurrentMhz; ULONG32 ProcessorMhzLimit; ULONG32 ProcessorMaxIdleState; ULONG32 ProcessorCurrentIdleState; } MINIDUMP_MISC_INFO_2, *PMINIDUMP_MISC_INFO_2; typedef struct _MINIDUMP_MISC_INFO_3 { ULONG32 SizeOfInfo; ULONG32 Flags1; ULONG32 ProcessId; ULONG32 ProcessCreateTime; ULONG32 ProcessUserTime; ULONG32 ProcessKernelTime; ULONG32 ProcessorMaxMhz; ULONG32 ProcessorCurrentMhz; ULONG32 ProcessorMhzLimit; ULONG32 ProcessorMaxIdleState; ULONG32 ProcessorCurrentIdleState; ULONG32 ProcessIntegrityLevel; ULONG32 ProcessExecuteFlags; ULONG32 ProtectedProcess; ULONG32 TimeZoneId; TIME_ZONE_INFORMATION TimeZone; } MINIDUMP_MISC_INFO_3, *PMINIDUMP_MISC_INFO_3; // The latest MINIDUMP_MISC_INFO definition. typedef MINIDUMP_MISC_INFO_3 MINIDUMP_MISC_INFO_N; typedef MINIDUMP_MISC_INFO_N* PMINIDUMP_MISC_INFO_N; // // The memory information stream contains memory region // description information. This stream corresponds to // what VirtualQuery would return for the process the // dump was created for. // typedef struct _MINIDUMP_MEMORY_INFO { ULONG64 BaseAddress; ULONG64 AllocationBase; ULONG32 AllocationProtect; ULONG32 __alignment1; ULONG64 RegionSize; ULONG32 State; ULONG32 Protect; ULONG32 Type; ULONG32 __alignment2; } MINIDUMP_MEMORY_INFO, *PMINIDUMP_MEMORY_INFO; typedef struct _MINIDUMP_MEMORY_INFO_LIST { ULONG SizeOfHeader; ULONG SizeOfEntry; ULONG64 NumberOfEntries; } MINIDUMP_MEMORY_INFO_LIST, *PMINIDUMP_MEMORY_INFO_LIST; // // The memory information stream contains memory region // description information. This stream corresponds to // what VirtualQuery would return for the process the // dump was created for. // // Thread dump writer status flags. #define MINIDUMP_THREAD_INFO_ERROR_THREAD 0x00000001 #define MINIDUMP_THREAD_INFO_WRITING_THREAD 0x00000002 #define MINIDUMP_THREAD_INFO_EXITED_THREAD 0x00000004 #define MINIDUMP_THREAD_INFO_INVALID_INFO 0x00000008 #define MINIDUMP_THREAD_INFO_INVALID_CONTEXT 0x00000010 #define MINIDUMP_THREAD_INFO_INVALID_TEB 0x00000020 typedef struct _MINIDUMP_THREAD_INFO { ULONG32 ThreadId; ULONG32 DumpFlags; ULONG32 DumpError; ULONG32 ExitStatus; ULONG64 CreateTime; ULONG64 ExitTime; ULONG64 KernelTime; ULONG64 UserTime; ULONG64 StartAddress; ULONG64 Affinity; } MINIDUMP_THREAD_INFO, *PMINIDUMP_THREAD_INFO; typedef struct _MINIDUMP_THREAD_INFO_LIST { ULONG SizeOfHeader; ULONG SizeOfEntry; ULONG NumberOfEntries; } MINIDUMP_THREAD_INFO_LIST, *PMINIDUMP_THREAD_INFO_LIST; // // Support for token information. // typedef struct _MINIDUMP_TOKEN_INFO_HEADER { ULONG TokenSize; // The size of the token structure. ULONG TokenId; // The PID in NtOpenProcessToken() call or TID in NtOpenThreadToken() call. ULONG64 TokenHandle; // The handle value returned. } MINIDUMP_TOKEN_INFO_HEADER, *PMINIDUMP_TOKEN_INFO_HEADER; typedef struct _MINIDUMP_TOKEN_INFO_LIST { ULONG TokenListSize; ULONG TokenListEntries; ULONG ListHeaderSize; ULONG ElementHeaderSize; } MINIDUMP_TOKEN_INFO_LIST, *PMINIDUMP_TOKEN_INFO_LIST; // // Support for arbitrary user-defined information. // typedef struct _MINIDUMP_USER_RECORD { ULONG32 Type; MINIDUMP_LOCATION_DESCRIPTOR Memory; } MINIDUMP_USER_RECORD, *PMINIDUMP_USER_RECORD; typedef struct _MINIDUMP_USER_STREAM { ULONG32 Type; ULONG BufferSize; PVOID Buffer; } MINIDUMP_USER_STREAM, *PMINIDUMP_USER_STREAM; typedef struct _MINIDUMP_USER_STREAM_INFORMATION { ULONG UserStreamCount; PMINIDUMP_USER_STREAM UserStreamArray; } MINIDUMP_USER_STREAM_INFORMATION, *PMINIDUMP_USER_STREAM_INFORMATION; // // Callback support. // typedef enum _MINIDUMP_CALLBACK_TYPE { ModuleCallback, ThreadCallback, ThreadExCallback, IncludeThreadCallback, IncludeModuleCallback, MemoryCallback, CancelCallback, WriteKernelMinidumpCallback, KernelMinidumpStatusCallback, RemoveMemoryCallback, IncludeVmRegionCallback, IoStartCallback, IoWriteAllCallback, IoFinishCallback, ReadMemoryFailureCallback, SecondaryFlagsCallback, } MINIDUMP_CALLBACK_TYPE; typedef struct _MINIDUMP_THREAD_CALLBACK { ULONG ThreadId; HANDLE ThreadHandle; CONTEXT Context; ULONG SizeOfContext; ULONG64 StackBase; ULONG64 StackEnd; } MINIDUMP_THREAD_CALLBACK, *PMINIDUMP_THREAD_CALLBACK; typedef struct _MINIDUMP_THREAD_EX_CALLBACK { ULONG ThreadId; HANDLE ThreadHandle; CONTEXT Context; ULONG SizeOfContext; ULONG64 StackBase; ULONG64 StackEnd; ULONG64 BackingStoreBase; ULONG64 BackingStoreEnd; } MINIDUMP_THREAD_EX_CALLBACK, *PMINIDUMP_THREAD_EX_CALLBACK; typedef struct _MINIDUMP_INCLUDE_THREAD_CALLBACK { ULONG ThreadId; } MINIDUMP_INCLUDE_THREAD_CALLBACK, *PMINIDUMP_INCLUDE_THREAD_CALLBACK; typedef enum _THREAD_WRITE_FLAGS { ThreadWriteThread = 0x0001, ThreadWriteStack = 0x0002, ThreadWriteContext = 0x0004, ThreadWriteBackingStore = 0x0008, ThreadWriteInstructionWindow = 0x0010, ThreadWriteThreadData = 0x0020, ThreadWriteThreadInfo = 0x0040, } THREAD_WRITE_FLAGS; typedef struct _MINIDUMP_MODULE_CALLBACK { PWCHAR FullPath; ULONG64 BaseOfImage; ULONG SizeOfImage; ULONG CheckSum; ULONG TimeDateStamp; VS_FIXEDFILEINFO VersionInfo; PVOID CvRecord; ULONG SizeOfCvRecord; PVOID MiscRecord; ULONG SizeOfMiscRecord; } MINIDUMP_MODULE_CALLBACK, *PMINIDUMP_MODULE_CALLBACK; typedef struct _MINIDUMP_INCLUDE_MODULE_CALLBACK { ULONG64 BaseOfImage; } MINIDUMP_INCLUDE_MODULE_CALLBACK, *PMINIDUMP_INCLUDE_MODULE_CALLBACK; typedef enum _MODULE_WRITE_FLAGS { ModuleWriteModule = 0x0001, ModuleWriteDataSeg = 0x0002, ModuleWriteMiscRecord = 0x0004, ModuleWriteCvRecord = 0x0008, ModuleReferencedByMemory = 0x0010, ModuleWriteTlsData = 0x0020, ModuleWriteCodeSegs = 0x0040, } MODULE_WRITE_FLAGS; typedef struct _MINIDUMP_IO_CALLBACK { HANDLE Handle; ULONG64 Offset; PVOID Buffer; ULONG BufferBytes; } MINIDUMP_IO_CALLBACK, *PMINIDUMP_IO_CALLBACK; typedef struct _MINIDUMP_READ_MEMORY_FAILURE_CALLBACK { ULONG64 Offset; ULONG Bytes; HRESULT FailureStatus; } MINIDUMP_READ_MEMORY_FAILURE_CALLBACK, *PMINIDUMP_READ_MEMORY_FAILURE_CALLBACK; typedef struct _MINIDUMP_CALLBACK_INPUT { ULONG ProcessId; HANDLE ProcessHandle; ULONG CallbackType; union { HRESULT Status; MINIDUMP_THREAD_CALLBACK Thread; MINIDUMP_THREAD_EX_CALLBACK ThreadEx; MINIDUMP_MODULE_CALLBACK Module; MINIDUMP_INCLUDE_THREAD_CALLBACK IncludeThread; MINIDUMP_INCLUDE_MODULE_CALLBACK IncludeModule; MINIDUMP_IO_CALLBACK Io; MINIDUMP_READ_MEMORY_FAILURE_CALLBACK ReadMemoryFailure; ULONG SecondaryFlags; }; } MINIDUMP_CALLBACK_INPUT, *PMINIDUMP_CALLBACK_INPUT; typedef struct _MINIDUMP_CALLBACK_OUTPUT { union { ULONG ModuleWriteFlags; ULONG ThreadWriteFlags; ULONG SecondaryFlags; struct { ULONG64 MemoryBase; ULONG MemorySize; }; struct { BOOL CheckCancel; BOOL Cancel; }; HANDLE Handle; struct { MINIDUMP_MEMORY_INFO VmRegion; BOOL Continue; }; HRESULT Status; }; } MINIDUMP_CALLBACK_OUTPUT, *PMINIDUMP_CALLBACK_OUTPUT; // // A normal minidump contains just the information // necessary to capture stack traces for all of the // existing threads in a process. // // A minidump with data segments includes all of the data // sections from loaded modules in order to capture // global variable contents. This can make the dump much // larger if many modules have global data. // // A minidump with full memory includes all of the accessible // memory in the process and can be very large. A minidump // with full memory always has the raw memory data at the end // of the dump so that the initial structures in the dump can // be mapped directly without having to include the raw // memory information. // // Stack and backing store memory can be filtered to remove // data unnecessary for stack walking. This can improve // compression of stacks and also deletes data that may // be private and should not be stored in a dump. // Memory can also be scanned to see what modules are // referenced by stack and backing store memory to allow // omission of other modules to reduce dump size. // In either of these modes the ModuleReferencedByMemory flag // is set for all modules referenced before the base // module callbacks occur. // // On some operating systems a list of modules that were // recently unloaded is kept in addition to the currently // loaded module list. This information can be saved in // the dump if desired. // // Stack and backing store memory can be scanned for referenced // pages in order to pick up data referenced by locals or other // stack memory. This can increase the size of a dump significantly. // // Module paths may contain undesired information such as user names // or other important directory names so they can be stripped. This // option reduces the ability to locate the proper image later // and should only be used in certain situations. // // Complete operating system per-process and per-thread information can // be gathered and stored in the dump. // // The virtual address space can be scanned for various types // of memory to be included in the dump. // // Code which is concerned with potentially private information // getting into the minidump can set a flag that automatically // modifies all existing and future flags to avoid placing // unnecessary data in the dump. Basic data, such as stack // information, will still be included but optional data, such // as indirect memory, will not. // // When doing a full memory dump it's possible to store all // of the enumerated memory region descriptive information // in a memory information stream. // // Additional thread information beyond the basic thread // structure can be collected if desired. // // A minidump with code segments includes all of the code // and code-related sections from loaded modules in order // to capture executable content. // // MiniDumpWithoutAuxiliaryState turns off any secondary, // auxiliary-supported memory gathering. // // MiniDumpWithFullAuxiliaryState asks any present auxiliary // data providers to include all of their state in the dump. // The exact set of what is provided depends on the auxiliary. // This can be quite large. // typedef enum _MINIDUMP_TYPE { MiniDumpNormal = 0x00000000, MiniDumpWithDataSegs = 0x00000001, MiniDumpWithFullMemory = 0x00000002, MiniDumpWithHandleData = 0x00000004, MiniDumpFilterMemory = 0x00000008, MiniDumpScanMemory = 0x00000010, MiniDumpWithUnloadedModules = 0x00000020, MiniDumpWithIndirectlyReferencedMemory = 0x00000040, MiniDumpFilterModulePaths = 0x00000080, MiniDumpWithProcessThreadData = 0x00000100, MiniDumpWithPrivateReadWriteMemory = 0x00000200, MiniDumpWithoutOptionalData = 0x00000400, MiniDumpWithFullMemoryInfo = 0x00000800, MiniDumpWithThreadInfo = 0x00001000, MiniDumpWithCodeSegs = 0x00002000, MiniDumpWithoutAuxiliaryState = 0x00004000, MiniDumpWithFullAuxiliaryState = 0x00008000, MiniDumpWithPrivateWriteCopyMemory = 0x00010000, MiniDumpIgnoreInaccessibleMemory = 0x00020000, MiniDumpWithTokenInformation = 0x00040000, MiniDumpValidTypeFlags = 0x0007ffff, } MINIDUMP_TYPE; // // In addition to the primary flags provided to // MiniDumpWriteDump there are additional, less // frequently used options queried via the secondary // flags callback. // // MiniSecondaryWithoutPowerInfo suppresses the minidump // query that retrieves processor power information for // MINIDUMP_MISC_INFO. // typedef enum _MINIDUMP_SECONDARY_FLAGS { MiniSecondaryWithoutPowerInfo = 0x00000001, MiniSecondaryValidFlags = 0x00000001, } MINIDUMP_SECONDARY_FLAGS; // // The minidump callback should modify the FieldsToWrite parameter to reflect // what portions of the specified thread or module should be written to the // file. // typedef BOOL (WINAPI* MINIDUMP_CALLBACK_ROUTINE)( __inout PVOID CallbackParam, __in PMINIDUMP_CALLBACK_INPUT CallbackInput, __inout PMINIDUMP_CALLBACK_OUTPUT CallbackOutput ); typedef struct _MINIDUMP_CALLBACK_INFORMATION { MINIDUMP_CALLBACK_ROUTINE CallbackRoutine; PVOID CallbackParam; } MINIDUMP_CALLBACK_INFORMATION, *PMINIDUMP_CALLBACK_INFORMATION; //++ // // PVOID // RVA_TO_ADDR( // PVOID Mapping, // ULONG Rva // ) // // Routine Description: // // Map an RVA that is contained within a mapped file to it's associated // flat address. // // Arguments: // // Mapping - Base address of mapped file containing the RVA. // // Rva - An Rva to fixup. // // Return Values: // // A pointer to the desired data. // //-- #define RVA_TO_ADDR(Mapping,Rva) ((PVOID)(((ULONG_PTR) (Mapping)) + (Rva))) BOOL WINAPI MiniDumpWriteDump( __in HANDLE hProcess, __in DWORD ProcessId, __in HANDLE hFile, __in MINIDUMP_TYPE DumpType, __in_opt PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, __in_opt PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, __in_opt PMINIDUMP_CALLBACK_INFORMATION CallbackParam ); BOOL WINAPI MiniDumpReadDumpStream( __in PVOID BaseOfDump, __in ULONG StreamNumber, __deref_out_opt PMINIDUMP_DIRECTORY* Dir, __deref_out_opt PVOID* StreamPointer, __out_opt ULONG* StreamSize ); #pragma pack(pop) #ifdef __cplusplus } #endif #endif // _DBGHELP_ ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/jansson/jansson.h ================================================ /* * Copyright (c) 2009-2016 Petri Lehtinen * * Jansson is free software; you can redistribute it and/or modify * it under the terms of the MIT license. See LICENSE for details. */ #ifndef JANSSON_H #define JANSSON_H #include #include /* for size_t */ #include #include "jansson_config.h" #ifdef __cplusplus extern "C" { #endif /* version */ #define JANSSON_MAJOR_VERSION 2 #define JANSSON_MINOR_VERSION 9 #define JANSSON_MICRO_VERSION 0 /* Micro version is omitted if it's 0 */ #define JANSSON_VERSION "2.9" /* Version as a 3-byte hex number, e.g. 0x010201 == 1.2.1. Use this for numeric comparisons, e.g. #if JANSSON_VERSION_HEX >= ... */ #define JANSSON_VERSION_HEX ((JANSSON_MAJOR_VERSION << 16) | \ (JANSSON_MINOR_VERSION << 8) | \ (JANSSON_MICRO_VERSION << 0)) /* types */ typedef enum { JSON_OBJECT, JSON_ARRAY, JSON_STRING, JSON_INTEGER, JSON_REAL, JSON_TRUE, JSON_FALSE, JSON_NULL } json_type; typedef struct json_t { json_type type; size_t refcount; } json_t; #ifndef JANSSON_USING_CMAKE /* disabled if using cmake */ #if JSON_INTEGER_IS_LONG_LONG #ifdef _WIN32 #define JSON_INTEGER_FORMAT "I64d" #else #define JSON_INTEGER_FORMAT "lld" #endif typedef long long json_int_t; #else #define JSON_INTEGER_FORMAT "ld" typedef long json_int_t; #endif /* JSON_INTEGER_IS_LONG_LONG */ #endif #define json_typeof(json) ((json)->type) #define json_is_object(json) ((json) && json_typeof(json) == JSON_OBJECT) #define json_is_array(json) ((json) && json_typeof(json) == JSON_ARRAY) #define json_is_string(json) ((json) && json_typeof(json) == JSON_STRING) #define json_is_integer(json) ((json) && json_typeof(json) == JSON_INTEGER) #define json_is_real(json) ((json) && json_typeof(json) == JSON_REAL) #define json_is_number(json) (json_is_integer(json) || json_is_real(json)) #define json_is_true(json) ((json) && json_typeof(json) == JSON_TRUE) #define json_is_false(json) ((json) && json_typeof(json) == JSON_FALSE) #define json_boolean_value json_is_true #define json_is_boolean(json) (json_is_true(json) || json_is_false(json)) #define json_is_null(json) ((json) && json_typeof(json) == JSON_NULL) /* construction, destruction, reference counting */ __declspec(dllimport) json_t* json_object(void); __declspec(dllimport) json_t* json_array(void); __declspec(dllimport) json_t* json_string(const char* value); __declspec(dllimport) json_t* json_stringn(const char* value, size_t len); __declspec(dllimport) json_t* json_string_nocheck(const char* value); __declspec(dllimport) json_t* json_stringn_nocheck(const char* value, size_t len); __declspec(dllimport) json_t* json_integer(json_int_t value); __declspec(dllimport) json_t* json_real(double value); __declspec(dllimport) json_t* json_true(void); __declspec(dllimport) json_t* json_false(void); #define json_boolean(val) ((val) ? json_true() : json_false()) __declspec(dllimport) json_t* json_null(void); static JSON_INLINE json_t* json_incref(json_t* json) { if(json && json->refcount != (size_t) - 1) ++json->refcount; return json; } /* do not call json_delete directly */ __declspec(dllimport) void json_delete(json_t* json); static JSON_INLINE void json_decref(json_t* json) { if(json && json->refcount != (size_t) - 1 && --json->refcount == 0) json_delete(json); } #if defined(__GNUC__) || defined(__clang__) static JSON_INLINE void json_decrefp(json_t** json) { if(json) { json_decref(*json); *json = NULL; } } #define json_auto_t json_t __attribute__((cleanup(json_decrefp))) #endif /* error reporting */ #define JSON_ERROR_TEXT_LENGTH 160 #define JSON_ERROR_SOURCE_LENGTH 80 typedef struct { int line; int column; int position; char source[JSON_ERROR_SOURCE_LENGTH]; char text[JSON_ERROR_TEXT_LENGTH]; } json_error_t; /* getters, setters, manipulation */ __declspec(dllimport) void json_object_seed(size_t seed); __declspec(dllimport) size_t json_object_size(const json_t* object); __declspec(dllimport) json_t* json_object_get(const json_t* object, const char* key); __declspec(dllimport) int json_object_set_new(json_t* object, const char* key, json_t* value); __declspec(dllimport) int json_object_set_new_nocheck(json_t* object, const char* key, json_t* value); __declspec(dllimport) int json_object_del(json_t* object, const char* key); __declspec(dllimport) int json_object_clear(json_t* object); __declspec(dllimport) int json_object_update(json_t* object, json_t* other); __declspec(dllimport) int json_object_update_existing(json_t* object, json_t* other); __declspec(dllimport) int json_object_update_missing(json_t* object, json_t* other); __declspec(dllimport) void* json_object_iter(json_t* object); __declspec(dllimport) void* json_object_iter_at(json_t* object, const char* key); __declspec(dllimport) void* json_object_key_to_iter(const char* key); __declspec(dllimport) void* json_object_iter_next(json_t* object, void* iter); __declspec(dllimport) const char* json_object_iter_key(void* iter); __declspec(dllimport) json_t* json_object_iter_value(void* iter); __declspec(dllimport) int json_object_iter_set_new(json_t* object, void* iter, json_t* value); #define json_object_foreach(object, key, value) \ for(key = json_object_iter_key(json_object_iter(object)); \ key && (value = json_object_iter_value(json_object_key_to_iter(key))); \ key = json_object_iter_key(json_object_iter_next(object, json_object_key_to_iter(key)))) #define json_object_foreach_safe(object, n, key, value) \ for(key = json_object_iter_key(json_object_iter(object)), \ n = json_object_iter_next(object, json_object_key_to_iter(key)); \ key && (value = json_object_iter_value(json_object_key_to_iter(key))); \ key = json_object_iter_key(n), \ n = json_object_iter_next(object, json_object_key_to_iter(key))) #define json_array_foreach(array, index, value) \ for(index = 0; \ index < json_array_size(array) && (value = json_array_get(array, index)); \ index++) static JSON_INLINE int json_object_set(json_t* object, const char* key, json_t* value) { return json_object_set_new(object, key, json_incref(value)); } static JSON_INLINE int json_object_set_nocheck(json_t* object, const char* key, json_t* value) { return json_object_set_new_nocheck(object, key, json_incref(value)); } static JSON_INLINE int json_object_iter_set(json_t* object, void* iter, json_t* value) { return json_object_iter_set_new(object, iter, json_incref(value)); } __declspec(dllimport) size_t json_array_size(const json_t* array); __declspec(dllimport) json_t* json_array_get(const json_t* array, size_t index); __declspec(dllimport) int json_array_set_new(json_t* array, size_t index, json_t* value); __declspec(dllimport) int json_array_append_new(json_t* array, json_t* value); __declspec(dllimport) int json_array_insert_new(json_t* array, size_t index, json_t* value); __declspec(dllimport) int json_array_remove(json_t* array, size_t index); __declspec(dllimport) int json_array_clear(json_t* array); __declspec(dllimport) int json_array_extend(json_t* array, json_t* other); static JSON_INLINE int json_array_set(json_t* array, size_t ind, json_t* value) { return json_array_set_new(array, ind, json_incref(value)); } static JSON_INLINE int json_array_append(json_t* array, json_t* value) { return json_array_append_new(array, json_incref(value)); } static JSON_INLINE int json_array_insert(json_t* array, size_t ind, json_t* value) { return json_array_insert_new(array, ind, json_incref(value)); } __declspec(dllimport) const char* json_string_value(const json_t* string); __declspec(dllimport) size_t json_string_length(const json_t* string); __declspec(dllimport) json_int_t json_integer_value(const json_t* integer); __declspec(dllimport) double json_real_value(const json_t* real); __declspec(dllimport) double json_number_value(const json_t* json); __declspec(dllimport) int json_string_set(json_t* string, const char* value); __declspec(dllimport) int json_string_setn(json_t* string, const char* value, size_t len); __declspec(dllimport) int json_string_set_nocheck(json_t* string, const char* value); __declspec(dllimport) int json_string_setn_nocheck(json_t* string, const char* value, size_t len); __declspec(dllimport) int json_integer_set(json_t* integer, json_int_t value); __declspec(dllimport) int json_real_set(json_t* real, double value); /* pack, unpack */ __declspec(dllimport) json_t* json_pack(const char* fmt, ...); __declspec(dllimport) json_t* json_pack_ex(json_error_t* error, size_t flags, const char* fmt, ...); __declspec(dllimport) json_t* json_vpack_ex(json_error_t* error, size_t flags, const char* fmt, va_list ap); #define JSON_VALIDATE_ONLY 0x1 #define JSON_STRICT 0x2 __declspec(dllimport) int json_unpack(json_t* root, const char* fmt, ...); __declspec(dllimport) int json_unpack_ex(json_t* root, json_error_t* error, size_t flags, const char* fmt, ...); __declspec(dllimport) int json_vunpack_ex(json_t* root, json_error_t* error, size_t flags, const char* fmt, va_list ap); /* equality */ __declspec(dllimport) int json_equal(json_t* value1, json_t* value2); /* copying */ __declspec(dllimport) json_t* json_copy(json_t* value); __declspec(dllimport) json_t* json_deep_copy(const json_t* value); /* decoding */ #define JSON_REJECT_DUPLICATES 0x1 #define JSON_DISABLE_EOF_CHECK 0x2 #define JSON_DECODE_ANY 0x4 #define JSON_DECODE_INT_AS_REAL 0x8 #define JSON_ALLOW_NUL 0x10 typedef size_t (*json_load_callback_t)(void* buffer, size_t buflen, void* data); __declspec(dllimport) json_t* json_loads(const char* input, size_t flags, json_error_t* error); __declspec(dllimport) json_t* json_loadb(const char* buffer, size_t buflen, size_t flags, json_error_t* error); __declspec(dllimport) json_t* json_loadf(FILE* input, size_t flags, json_error_t* error); __declspec(dllimport) json_t* json_load_file(const char* path, size_t flags, json_error_t* error); __declspec(dllimport) json_t* json_load_callback(json_load_callback_t callback, void* data, size_t flags, json_error_t* error); /* encoding */ #define JSON_MAX_INDENT 0x1F #define JSON_INDENT(n) ((n) & JSON_MAX_INDENT) #define JSON_COMPACT 0x20 #define JSON_ENSURE_ASCII 0x40 #define JSON_SORT_KEYS 0x80 #define JSON_PRESERVE_ORDER 0x100 #define JSON_ENCODE_ANY 0x200 #define JSON_ESCAPE_SLASH 0x400 #define JSON_REAL_PRECISION(n) (((n) & 0x1F) << 11) typedef int (*json_dump_callback_t)(const char* buffer, size_t size, void* data); __declspec(dllimport) char* json_dumps(const json_t* json, size_t flags); __declspec(dllimport) int json_dumpf(const json_t* json, FILE* output, size_t flags); __declspec(dllimport) int json_dump_file(const json_t* json, const char* path, size_t flags); __declspec(dllimport) int json_dump_callback(const json_t* json, json_dump_callback_t callback, void* data, size_t flags); /* custom memory allocation */ typedef void* (*json_malloc_t)(size_t); typedef void (*json_free_t)(void*); __declspec(dllimport) void json_set_alloc_funcs(json_malloc_t malloc_fn, json_free_t free_fn); __declspec(dllimport) void json_get_alloc_funcs(json_malloc_t* malloc_fn, json_free_t* free_fn); #ifdef __cplusplus } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/jansson/jansson_config.h ================================================ /* * Copyright (c) 2010-2016 Petri Lehtinen * * Jansson is free software; you can redistribute it and/or modify * it under the terms of the MIT license. See LICENSE for details. * * * This file specifies a part of the site-specific configuration for * Jansson, namely those things that affect the public API in * jansson.h. * * The CMake system will generate the jansson_config.h file and * copy it to the build and install directories. */ #ifndef JANSSON_CONFIG_H #define JANSSON_CONFIG_H /* Define this so that we can disable scattered automake configuration in source files */ #ifndef JANSSON_USING_CMAKE #define JANSSON_USING_CMAKE #endif /* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used, * as we will also check for __int64 etc types. * (the definition was used in the automake system) */ /* Bring in the cmake-detected defines */ #define HAVE_STDINT_H 1 /* #undef HAVE_INTTYPES_H */ /* #undef HAVE_SYS_TYPES_H */ /* Include our standard type header for the integer typedef */ #if defined(HAVE_STDINT_H) # include #elif defined(HAVE_INTTYPES_H) # include #elif defined(HAVE_SYS_TYPES_H) # include #endif /* If your compiler supports the inline keyword in C, JSON_INLINE is defined to `inline', otherwise empty. In C++, the inline is always supported. */ #ifdef __cplusplus #define JSON_INLINE inline #else #define JSON_INLINE __inline #endif #define json_int_t long long #define json_strtoint strtoll #define JSON_INTEGER_FORMAT "I64d" /* If locale.h and localeconv() are available, define to 1, otherwise to 0. */ #define JSON_HAVE_LOCALECONV 1 /* Maximum recursion depth for parsing JSON input. This limits the depth of e.g. array-within-array constructions. */ #define JSON_PARSER_MAX_DEPTH 2048 #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/jansson/jansson_x64dbg.h ================================================ #pragma once #include "jansson.h" typedef json_t* JSON; static JSON_INLINE json_t* json_hex(unsigned json_int_t value) { char hexvalue[20]; sprintf_s(hexvalue, "0x%llX", value); return json_string(hexvalue); } static JSON_INLINE unsigned json_int_t json_hex_value(const json_t* hex) { unsigned json_int_t ret = 0; const char* hexvalue; hexvalue = json_string_value(hex); if(!hexvalue) return 0; sscanf_s(hexvalue, "0x%llX", &ret); return ret; } ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/lz4/lz4.h ================================================ /* LZ4 - Fast LZ compression algorithm Header File Copyright (C) 2011-2014, Yann Collet. BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. You can contact the author at : - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html - LZ4 source repository : http://code.google.com/p/lz4/ */ #ifndef _LZ4_H #define _LZ4_H #if defined (__cplusplus) extern "C" { #endif /************************************** Version **************************************/ #define LZ4_VERSION_MAJOR 1 /* for major interface/format changes */ #define LZ4_VERSION_MINOR 1 /* for minor interface/format changes */ #define LZ4_VERSION_RELEASE 3 /* for tweaks, bug-fixes, or development */ /************************************** Compiler Options **************************************/ #if (defined(__GNUC__) && defined(__STRICT_ANSI__)) || (defined(_MSC_VER) && !defined(__cplusplus)) /* Visual Studio */ # define inline __inline /* Visual C is not C99, but supports some kind of inline */ #endif /************************************** Simple Functions **************************************/ __declspec(dllimport) int LZ4_compress(const char* source, char* dest, int inputSize); __declspec(dllimport) int LZ4_decompress_safe(const char* source, char* dest, int inputSize, int maxOutputSize); /* LZ4_compress() : Compresses 'inputSize' bytes from 'source' into 'dest'. Destination buffer must be already allocated, and must be sized to handle worst cases situations (input data not compressible) Worst case size evaluation is provided by function LZ4_compressBound() inputSize : Max supported value is LZ4_MAX_INPUT_VALUE return : the number of bytes written in buffer dest or 0 if the compression fails LZ4_decompress_safe() : maxOutputSize : is the size of the destination buffer (which must be already allocated) return : the number of bytes decoded in the destination buffer (necessarily <= maxOutputSize) If the source stream is detected malformed, the function will stop decoding and return a negative result. This function is protected against buffer overflow exploits (never writes outside of output buffer, and never reads outside of input buffer). Therefore, it is protected against malicious data packets */ /************************************** Advanced Functions **************************************/ #define LZ4_MAX_INPUT_SIZE 0x7E000000 /* 2 113 929 216 bytes */ #define LZ4_COMPRESSBOUND(isize) ((unsigned int)(isize) > (unsigned int)LZ4_MAX_INPUT_SIZE ? 0 : (isize) + ((isize)/255) + 16) /* LZ4_compressBound() : Provides the maximum size that LZ4 may output in a "worst case" scenario (input data not compressible) primarily useful for memory allocation of output buffer. inline function is recommended for the general case, macro is also provided when result needs to be evaluated at compilation (such as stack memory allocation). isize : is the input size. Max supported value is LZ4_MAX_INPUT_SIZE return : maximum output size in a "worst case" scenario or 0, if input size is too large ( > LZ4_MAX_INPUT_SIZE) */ __declspec(dllimport) int LZ4_compressBound(int isize); /* LZ4_compress_limitedOutput() : Compress 'inputSize' bytes from 'source' into an output buffer 'dest' of maximum size 'maxOutputSize'. If it cannot achieve it, compression will stop, and result of the function will be zero. This function never writes outside of provided output buffer. inputSize : Max supported value is LZ4_MAX_INPUT_VALUE maxOutputSize : is the size of the destination buffer (which must be already allocated) return : the number of bytes written in buffer 'dest' or 0 if the compression fails */ __declspec(dllimport) int LZ4_compress_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize); /* LZ4_decompress_fast() : originalSize : is the original and therefore uncompressed size return : the number of bytes read from the source buffer (in other words, the compressed size) If the source stream is malformed, the function will stop decoding and return a negative result. note : This function is a bit faster than LZ4_decompress_safe() This function never writes outside of output buffers, but may read beyond input buffer in case of malicious data packet. Use this function preferably into a trusted environment (data to decode comes from a trusted source). Destination buffer must be already allocated. Its size must be a minimum of 'outputSize' bytes. */ __declspec(dllimport) int LZ4_decompress_fast(const char* source, char* dest, int originalSize); /* LZ4_decompress_safe_partial() : This function decompress a compressed block of size 'inputSize' at position 'source' into output buffer 'dest' of size 'maxOutputSize'. The function tries to stop decompressing operation as soon as 'targetOutputSize' has been reached, reducing decompression time. return : the number of bytes decoded in the destination buffer (necessarily <= maxOutputSize) Note : this number can be < 'targetOutputSize' should the compressed block to decode be smaller. Always control how many bytes were decoded. If the source stream is detected malformed, the function will stop decoding and return a negative result. This function never writes outside of output buffer, and never reads outside of input buffer. It is therefore protected against malicious data packets */ __declspec(dllimport) int LZ4_decompress_safe_partial(const char* source, char* dest, int inputSize, int targetOutputSize, int maxOutputSize); /* These functions are provided should you prefer to allocate memory for compression tables with your own allocation methods. To know how much memory must be allocated for the compression tables, use : int LZ4_sizeofState(); Note that tables must be aligned on 4-bytes boundaries, otherwise compression will fail (return code 0). The allocated memory can be provided to the compressions functions using 'void* state' parameter. LZ4_compress_withState() and LZ4_compress_limitedOutput_withState() are equivalent to previously described functions. They just use the externally allocated memory area instead of allocating their own (on stack, or on heap). */ __declspec(dllimport) int LZ4_sizeofState(void); __declspec(dllimport) int LZ4_compress_withState(void* state, const char* source, char* dest, int inputSize); __declspec(dllimport) int LZ4_compress_limitedOutput_withState(void* state, const char* source, char* dest, int inputSize, int maxOutputSize); /************************************** Streaming Functions **************************************/ __declspec(dllimport) void* LZ4_create(const char* inputBuffer); __declspec(dllimport) int LZ4_compress_continue(void* LZ4_Data, const char* source, char* dest, int inputSize); __declspec(dllimport) int LZ4_compress_limitedOutput_continue(void* LZ4_Data, const char* source, char* dest, int inputSize, int maxOutputSize); __declspec(dllimport) char* LZ4_slideInputBuffer(void* LZ4_Data); __declspec(dllimport) int LZ4_free(void* LZ4_Data); /* These functions allow the compression of dependent blocks, where each block benefits from prior 64 KB within preceding blocks. In order to achieve this, it is necessary to start creating the LZ4 Data Structure, thanks to the function : void* LZ4_create (const char* inputBuffer); The result of the function is the (void*) pointer on the LZ4 Data Structure. This pointer will be needed in all other functions. If the pointer returned is NULL, then the allocation has failed, and compression must be aborted. The only parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. The input buffer must be already allocated, and size at least 192KB. 'inputBuffer' will also be the 'const char* source' of the first block. All blocks are expected to lay next to each other within the input buffer, starting from 'inputBuffer'. To compress each block, use either LZ4_compress_continue() or LZ4_compress_limitedOutput_continue(). Their behavior are identical to LZ4_compress() or LZ4_compress_limitedOutput(), but require the LZ4 Data Structure as their first argument, and check that each block starts right after the previous one. If next block does not begin immediately after the previous one, the compression will fail (return 0). When it's no longer possible to lay the next block after the previous one (not enough space left into input buffer), a call to : char* LZ4_slideInputBuffer(void* LZ4_Data); must be performed. It will typically copy the latest 64KB of input at the beginning of input buffer. Note that, for this function to work properly, minimum size of an input buffer must be 192KB. ==> The memory position where the next input data block must start is provided as the result of the function. Compression can then resume, using LZ4_compress_continue() or LZ4_compress_limitedOutput_continue(), as usual. When compression is completed, a call to LZ4_free() will release the memory used by the LZ4 Data Structure. */ __declspec(dllimport) int LZ4_sizeofStreamState(void); __declspec(dllimport) int LZ4_resetStreamState(void* state, const char* inputBuffer); /* These functions achieve the same result as : void* LZ4_create (const char* inputBuffer); They are provided here to allow the user program to allocate memory using its own routines. To know how much space must be allocated, use LZ4_sizeofStreamState(); Note also that space must be 4-bytes aligned. Once space is allocated, you must initialize it using : LZ4_resetStreamState(void* state, const char* inputBuffer); void* state is a pointer to the space allocated. It must be aligned on 4-bytes boundaries, and be large enough. The parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. The input buffer must be already allocated, and size at least 192KB. 'inputBuffer' will also be the 'const char* source' of the first block. The same space can be re-used multiple times, just by initializing it each time with LZ4_resetStreamState(). return value of LZ4_resetStreamState() must be 0 is OK. Any other value means there was an error (typically, pointer is not aligned on 4-bytes boundaries). */ __declspec(dllimport) int LZ4_decompress_safe_withPrefix64k(const char* source, char* dest, int inputSize, int maxOutputSize); __declspec(dllimport) int LZ4_decompress_fast_withPrefix64k(const char* source, char* dest, int outputSize); /* *_withPrefix64k() : These decoding functions work the same as their "normal name" versions, but can use up to 64KB of data in front of 'char* dest'. These functions are necessary to decode inter-dependant blocks. */ /************************************** Obsolete Functions **************************************/ /* These functions are deprecated and should no longer be used. They are provided here for compatibility with existing user programs. */ __declspec(dllimport) int LZ4_uncompress(const char* source, char* dest, int outputSize); __declspec(dllimport) int LZ4_uncompress_unknownOutputSize(const char* source, char* dest, int isize, int maxOutputSize); #if defined (__cplusplus) } #endif #endif //_LZ4_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/lz4/lz4file.h ================================================ #ifndef _LZ4FILE_H #define _LZ4FILE_H typedef enum _LZ4_STATUS { LZ4_SUCCESS, LZ4_FAILED_OPEN_INPUT, LZ4_FAILED_OPEN_OUTPUT, LZ4_NOT_ENOUGH_MEMORY, LZ4_INVALID_ARCHIVE, LZ4_CORRUPTED_ARCHIVE } LZ4_STATUS; #if defined (__cplusplus) extern "C" { #endif __declspec(dllimport) LZ4_STATUS LZ4_compress_file(const char* input_filename, const char* output_filename); __declspec(dllimport) LZ4_STATUS LZ4_compress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); __declspec(dllimport) LZ4_STATUS LZ4_decompress_file(const char* input_filename, const char* output_filename); __declspec(dllimport) LZ4_STATUS LZ4_decompress_fileW(const wchar_t* input_filename, const wchar_t* output_filename); #if defined (__cplusplus) } #endif #endif //_LZ4FILE_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/lz4/lz4hc.h ================================================ /* LZ4 HC - High Compression Mode of LZ4 Header File Copyright (C) 2011-2014, Yann Collet. BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. You can contact the author at : - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html - LZ4 source repository : http://code.google.com/p/lz4/ */ #ifndef _LZ4HC_H #define _LZ4HC_H #if defined (__cplusplus) extern "C" { #endif __declspec(dllimport) int LZ4_compressHC(const char* source, char* dest, int inputSize); /* LZ4_compressHC : return : the number of bytes in compressed buffer dest or 0 if compression fails. note : destination buffer must be already allocated. To avoid any problem, size it to handle worst cases situations (input data not compressible) Worst case size evaluation is provided by function LZ4_compressBound() (see "lz4.h") */ __declspec(dllimport) int LZ4_compressHC_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize); /* LZ4_compress_limitedOutput() : Compress 'inputSize' bytes from 'source' into an output buffer 'dest' of maximum size 'maxOutputSize'. If it cannot achieve it, compression will stop, and result of the function will be zero. This function never writes outside of provided output buffer. inputSize : Max supported value is 1 GB maxOutputSize : is maximum allowed size into the destination buffer (which must be already allocated) return : the number of output bytes written in buffer 'dest' or 0 if compression fails. */ __declspec(dllimport) int LZ4_compressHC2(const char* source, char* dest, int inputSize, int compressionLevel); __declspec(dllimport) int LZ4_compressHC2_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); /* Same functions as above, but with programmable 'compressionLevel'. Recommended values are between 4 and 9, although any value between 0 and 16 will work. 'compressionLevel'==0 means use default 'compressionLevel' value. Values above 16 behave the same as 16. Equivalent variants exist for all other compression functions below. */ /* Note : Decompression functions are provided within LZ4 source code (see "lz4.h") (BSD license) */ /************************************** Using an external allocation **************************************/ __declspec(dllimport) int LZ4_sizeofStateHC(void); __declspec(dllimport) int LZ4_compressHC_withStateHC(void* state, const char* source, char* dest, int inputSize); __declspec(dllimport) int LZ4_compressHC_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize); __declspec(dllimport) int LZ4_compressHC2_withStateHC(void* state, const char* source, char* dest, int inputSize, int compressionLevel); __declspec(dllimport) int LZ4_compressHC2_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); /* These functions are provided should you prefer to allocate memory for compression tables with your own allocation methods. To know how much memory must be allocated for the compression tables, use : int LZ4_sizeofStateHC(); Note that tables must be aligned for pointer (32 or 64 bits), otherwise compression will fail (return code 0). The allocated memory can be provided to the compressions functions using 'void* state' parameter. LZ4_compress_withStateHC() and LZ4_compress_limitedOutput_withStateHC() are equivalent to previously described functions. They just use the externally allocated memory area instead of allocating their own (on stack, or on heap). */ /************************************** Streaming Functions **************************************/ __declspec(dllimport) void* LZ4_createHC(const char* inputBuffer); __declspec(dllimport) int LZ4_compressHC_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize); __declspec(dllimport) int LZ4_compressHC_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize); __declspec(dllimport) char* LZ4_slideInputBufferHC(void* LZ4HC_Data); __declspec(dllimport) int LZ4_freeHC(void* LZ4HC_Data); __declspec(dllimport) int LZ4_compressHC2_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int compressionLevel); __declspec(dllimport) int LZ4_compressHC2_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel); /* These functions allow the compression of dependent blocks, where each block benefits from prior 64 KB within preceding blocks. In order to achieve this, it is necessary to start creating the LZ4HC Data Structure, thanks to the function : void* LZ4_createHC (const char* inputBuffer); The result of the function is the (void*) pointer on the LZ4HC Data Structure. This pointer will be needed in all other functions. If the pointer returned is NULL, then the allocation has failed, and compression must be aborted. The only parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. The input buffer must be already allocated, and size at least 192KB. 'inputBuffer' will also be the 'const char* source' of the first block. All blocks are expected to lay next to each other within the input buffer, starting from 'inputBuffer'. To compress each block, use either LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(). Their behavior are identical to LZ4_compressHC() or LZ4_compressHC_limitedOutput(), but require the LZ4HC Data Structure as their first argument, and check that each block starts right after the previous one. If next block does not begin immediately after the previous one, the compression will fail (return 0). When it's no longer possible to lay the next block after the previous one (not enough space left into input buffer), a call to : char* LZ4_slideInputBufferHC(void* LZ4HC_Data); must be performed. It will typically copy the latest 64KB of input at the beginning of input buffer. Note that, for this function to work properly, minimum size of an input buffer must be 192KB. ==> The memory position where the next input data block must start is provided as the result of the function. Compression can then resume, using LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(), as usual. When compression is completed, a call to LZ4_freeHC() will release the memory used by the LZ4HC Data Structure. */ __declspec(dllimport) int LZ4_sizeofStreamStateHC(void); __declspec(dllimport) int LZ4_resetStreamStateHC(void* state, const char* inputBuffer); /* These functions achieve the same result as : void* LZ4_createHC (const char* inputBuffer); They are provided here to allow the user program to allocate memory using its own routines. To know how much space must be allocated, use LZ4_sizeofStreamStateHC(); Note also that space must be aligned for pointers (32 or 64 bits). Once space is allocated, you must initialize it using : LZ4_resetStreamStateHC(void* state, const char* inputBuffer); void* state is a pointer to the space allocated. It must be aligned for pointers (32 or 64 bits), and be large enough. The parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer. The input buffer must be already allocated, and size at least 192KB. 'inputBuffer' will also be the 'const char* source' of the first block. The same space can be re-used multiple times, just by initializing it each time with LZ4_resetStreamState(). return value of LZ4_resetStreamStateHC() must be 0 is OK. Any other value means there was an error (typically, state is not aligned for pointers (32 or 64 bits)). */ #if defined (__cplusplus) } #endif #endif //_LZ4HC_H ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/ahocorasick.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _AHOCORASICK_H #define _AHOCORASICK_H #include "limits.h" #include "atoms.h" #include "types.h" #define YR_AC_ROOT_STATE 0 #define YR_AC_NEXT_STATE(t) (t >> 32) #define YR_AC_INVALID_TRANSITION(t, c) (((t) & 0xFFFF) != c) #define YR_AC_MAKE_TRANSITION(state, code, flags) \ ((uint64_t)((((uint64_t) state) << 32) | ((flags) << 16) | (code))) #define YR_AC_USED_FLAG 0x1 #define YR_AC_USED_TRANSITION_SLOT(x) ((x) & (YR_AC_USED_FLAG << 16)) #define YR_AC_UNUSED_TRANSITION_SLOT(x) (!YR_AC_USED_TRANSITION_SLOT(x)) typedef struct _YR_AC_TABLES { YR_AC_TRANSITION* transitions; YR_AC_MATCH_TABLE_ENTRY* matches; } YR_AC_TABLES; int yr_ac_automaton_create( YR_AC_AUTOMATON** automaton); int yr_ac_automaton_destroy( YR_AC_AUTOMATON* automaton); int yr_ac_add_string( YR_AC_AUTOMATON* automaton, YR_STRING* string, YR_ATOM_LIST_ITEM* atom, YR_ARENA* matches_arena); int yr_ac_compile( YR_AC_AUTOMATON* automaton, YR_ARENA* arena, YR_AC_TABLES* tables); void yr_ac_print_automaton( YR_AC_AUTOMATON* automaton); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/arena.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_ARENA_H #define YR_ARENA_H #include #include "integers.h" #include "stream.h" #define ARENA_FLAGS_FIXED_SIZE 1 #define ARENA_FLAGS_COALESCED 2 #define ARENA_FILE_VERSION ((13 << 16) | MAX_THREADS) #define EOL ((size_t) -1) typedef struct _YR_RELOC { uint32_t offset; struct _YR_RELOC* next; } YR_RELOC; typedef struct _YR_ARENA_PAGE { uint8_t* new_address; uint8_t* address; size_t size; size_t used; YR_RELOC* reloc_list_head; YR_RELOC* reloc_list_tail; struct _YR_ARENA_PAGE* next; struct _YR_ARENA_PAGE* prev; } YR_ARENA_PAGE; typedef struct _YR_ARENA { int flags; YR_ARENA_PAGE* page_list_head; YR_ARENA_PAGE* current_page; } YR_ARENA; int yr_arena_create( size_t initial_size, int flags, YR_ARENA** arena); void yr_arena_destroy( YR_ARENA* arena); void* yr_arena_base_address( YR_ARENA* arena); void* yr_arena_next_address( YR_ARENA* arena, void* address, size_t offset); int yr_arena_coalesce( YR_ARENA* arena); int yr_arena_reserve_memory( YR_ARENA* arena, size_t size); int yr_arena_allocate_memory( YR_ARENA* arena, size_t size, void** allocated_memory); int yr_arena_allocate_struct( YR_ARENA* arena, size_t size, void** allocated_memory, ...); int yr_arena_make_relocatable( YR_ARENA* arena, void* base, ...); int yr_arena_write_data( YR_ARENA* arena, void* data, size_t size, void** written_data); int yr_arena_write_string( YR_ARENA* arena, const char* string, char** written_string); int yr_arena_append( YR_ARENA* target_arena, YR_ARENA* source_arena); int yr_arena_load_stream( YR_STREAM* stream, YR_ARENA** arena); int yr_arena_save_stream( YR_ARENA* arena, YR_STREAM* stream); int yr_arena_duplicate( YR_ARENA* arena, YR_ARENA** duplicated); void yr_arena_print( YR_ARENA* arena); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/atoms.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_ATOMS_H #define YR_ATOMS_H #include "limits.h" #include "re.h" #define ATOM_TREE_LEAF 1 #define ATOM_TREE_AND 2 #define ATOM_TREE_OR 3 typedef struct _ATOM_TREE_NODE { uint8_t type; uint8_t atom_length; uint8_t atom[MAX_ATOM_LENGTH]; uint8_t* forward_code; uint8_t* backward_code; RE_NODE* recent_nodes[MAX_ATOM_LENGTH]; struct _ATOM_TREE_NODE* children_head; struct _ATOM_TREE_NODE* children_tail; struct _ATOM_TREE_NODE* next_sibling; } ATOM_TREE_NODE; typedef struct _ATOM_TREE { ATOM_TREE_NODE* current_leaf; ATOM_TREE_NODE* root_node; } ATOM_TREE; typedef struct _YR_ATOM_LIST_ITEM { uint8_t atom_length; uint8_t atom[MAX_ATOM_LENGTH]; uint16_t backtrack; uint8_t* forward_code; uint8_t* backward_code; struct _YR_ATOM_LIST_ITEM* next; } YR_ATOM_LIST_ITEM; int yr_atoms_extract_from_re( RE_AST* re_ast, int flags, YR_ATOM_LIST_ITEM** atoms); int yr_atoms_extract_from_string( uint8_t* string, int string_length, int flags, YR_ATOM_LIST_ITEM** atoms); int yr_atoms_min_quality( YR_ATOM_LIST_ITEM* atom_list); void yr_atoms_list_destroy( YR_ATOM_LIST_ITEM* list_head); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/compiler.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_COMPILER_H #define YR_COMPILER_H #include #include #include "ahocorasick.h" #include "arena.h" #include "hash.h" #include "utils.h" #include "filemap.h" #define YARA_ERROR_LEVEL_ERROR 0 #define YARA_ERROR_LEVEL_WARNING 1 typedef void (*YR_COMPILER_CALLBACK_FUNC)( int error_level, const char* file_name, int line_number, const char* message, void* user_data); typedef struct _YR_FIXUP { void* address; struct _YR_FIXUP* next; } YR_FIXUP; typedef struct _YR_COMPILER { int errors; int current_line; int last_error; int last_error_line; int last_result; jmp_buf error_recovery; YR_ARENA* sz_arena; YR_ARENA* rules_arena; YR_ARENA* strings_arena; YR_ARENA* code_arena; YR_ARENA* re_code_arena; YR_ARENA* compiled_rules_arena; YR_ARENA* externals_arena; YR_ARENA* namespaces_arena; YR_ARENA* metas_arena; YR_ARENA* matches_arena; YR_ARENA* automaton_arena; YR_AC_AUTOMATON* automaton; YR_HASH_TABLE* rules_table; YR_HASH_TABLE* objects_table; YR_HASH_TABLE* strings_table; YR_NAMESPACE* current_namespace; YR_RULE* current_rule; YR_FIXUP* fixup_stack_head; int namespaces_count; uint8_t* loop_address[MAX_LOOP_NESTING]; char* loop_identifier[MAX_LOOP_NESTING]; int loop_depth; int loop_for_of_mem_offset; int allow_includes; char* file_name_stack[MAX_INCLUDE_DEPTH]; int file_name_stack_ptr; FILE* file_stack[MAX_INCLUDE_DEPTH]; int file_stack_ptr; char last_error_extra_info[MAX_COMPILER_ERROR_EXTRA_INFO]; char lex_buf[LEX_BUF_SIZE]; char* lex_buf_ptr; unsigned short lex_buf_len; char include_base_dir[MAX_PATH]; void* user_data; YR_COMPILER_CALLBACK_FUNC callback; } YR_COMPILER; #define yr_compiler_set_error_extra_info(compiler, info) \ strlcpy( \ compiler->last_error_extra_info, \ info, \ sizeof(compiler->last_error_extra_info)); \ #define yr_compiler_set_error_extra_info_fmt(compiler, fmt, ...) \ snprintf( \ compiler->last_error_extra_info, \ sizeof(compiler->last_error_extra_info), \ fmt, __VA_ARGS__); int _yr_compiler_push_file( YR_COMPILER* compiler, FILE* fh); FILE* _yr_compiler_pop_file( YR_COMPILER* compiler); int _yr_compiler_push_file_name( YR_COMPILER* compiler, const char* file_name); void _yr_compiler_pop_file_name( YR_COMPILER* compiler); YR_API int yr_compiler_create( YR_COMPILER** compiler); YR_API void yr_compiler_destroy( YR_COMPILER* compiler); YR_API void yr_compiler_set_callback( YR_COMPILER* compiler, YR_COMPILER_CALLBACK_FUNC callback, void* user_data); YR_API int yr_compiler_add_file( YR_COMPILER* compiler, FILE* rules_file, const char* namespace_, const char* file_name); YR_API int yr_compiler_add_fd( YR_COMPILER* compiler, YR_FILE_DESCRIPTOR rules_fd, const char* namespace_, const char* file_name); YR_API int yr_compiler_add_string( YR_COMPILER* compiler, const char* rules_string, const char* namespace_); YR_API char* yr_compiler_get_error_message( YR_COMPILER* compiler, char* buffer, int buffer_size); YR_API char* yr_compiler_get_current_file_name( YR_COMPILER* context); YR_API int yr_compiler_define_integer_variable( YR_COMPILER* compiler, const char* identifier, int64_t value); YR_API int yr_compiler_define_boolean_variable( YR_COMPILER* compiler, const char* identifier, int value); YR_API int yr_compiler_define_float_variable( YR_COMPILER* compiler, const char* identifier, double value); YR_API int yr_compiler_define_string_variable( YR_COMPILER* compiler, const char* identifier, const char* value); YR_API int yr_compiler_get_rules( YR_COMPILER* compiler, YR_RULES** rules); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/dotnet.h ================================================ #ifndef YR_DOTNET_H #define YR_DOTNET_H // // CLI header. // ECMA-335 Section II.25.3.3 // typedef struct _CLI_HEADER { DWORD Size; // Called "Cb" in documentation. WORD MajorRuntimeVersion; WORD MinorRuntimeVersion; IMAGE_DATA_DIRECTORY MetaData; DWORD Flags; DWORD EntryPointToken; IMAGE_DATA_DIRECTORY Resources; IMAGE_DATA_DIRECTORY StrongNameSignature; ULONGLONG CodeManagerTable; IMAGE_DATA_DIRECTORY VTableFixups; ULONGLONG ExportAddressTableJumps; ULONGLONG ManagedNativeHeader; } CLI_HEADER, *PCLI_HEADER; #define NET_METADATA_MAGIC 0x424a5342 // // CLI MetaData // ECMA-335 Section II.24.2.1 // // Note: This is only part of the struct, as the rest of it is variable length. // typedef struct _NET_METADATA { DWORD Magic; WORD MajorVersion; WORD MinorVersion; DWORD Reserved; DWORD Length; char Version[0]; } NET_METADATA, *PNET_METADATA; #define DOTNET_STREAM_NAME_SIZE 32 // // CLI Stream Header // ECMA-335 Section II.24.2.2 // typedef struct _STREAM_HEADER { DWORD Offset; DWORD Size; char Name[0]; } STREAM_HEADER, *PSTREAM_HEADER; // // CLI #~ Stream Header // ECMA-335 Section II.24.2.6 // typedef struct _TILDE_HEADER { DWORD Reserved1; BYTE MajorVersion; BYTE MinorVersion; BYTE HeapSizes; BYTE Reserved2; ULONGLONG Valid; ULONGLONG Sorted; } TILDE_HEADER, *PTILDE_HEADER; // These are the bit positions in Valid which will be set if the table // exists. #define BIT_MODULE 0x00 #define BIT_TYPEREF 0x01 #define BIT_TYPEDEF 0x02 #define BIT_FIELDPTR 0x03 // Not documented in ECMA-335 #define BIT_FIELD 0x04 #define BIT_METHODDEFPTR 0x05 // Not documented in ECMA-335 #define BIT_METHODDEF 0x06 #define BIT_PARAMPTR 0x07 // Not documented in ECMA-335 #define BIT_PARAM 0x08 #define BIT_INTERFACEIMPL 0x09 #define BIT_MEMBERREF 0x0A #define BIT_CONSTANT 0x0B #define BIT_CUSTOMATTRIBUTE 0x0C #define BIT_FIELDMARSHAL 0x0D #define BIT_DECLSECURITY 0x0E #define BIT_CLASSLAYOUT 0x0F #define BIT_FIELDLAYOUT 0x10 #define BIT_STANDALONESIG 0x11 #define BIT_EVENTMAP 0x12 #define BIT_EVENTPTR 0x13 // Not documented in ECMA-335 #define BIT_EVENT 0x14 #define BIT_PROPERTYMAP 0x15 #define BIT_PROPERTYPTR 0x16 // Not documented in ECMA-335 #define BIT_PROPERTY 0x17 #define BIT_METHODSEMANTICS 0x18 #define BIT_METHODIMPL 0x19 #define BIT_MODULEREF 0x1A #define BIT_TYPESPEC 0x1B #define BIT_IMPLMAP 0x1C #define BIT_FIELDRVA 0x1D #define BIT_ENCLOG 0x1E // Not documented in ECMA-335 #define BIT_ENCMAP 0x1F // Not documented in ECMA-335 #define BIT_ASSEMBLY 0x20 #define BIT_ASSEMBLYPROCESSOR 0x21 #define BIT_ASSEMBLYOS 0x22 #define BIT_ASSEMBLYREF 0x23 #define BIT_ASSEMBLYREFPROCESSOR 0x24 #define BIT_ASSEMBLYREFOS 0x25 #define BIT_FILE 0x26 #define BIT_EXPORTEDTYPE 0x27 #define BIT_MANIFESTRESOURCE 0x28 #define BIT_NESTEDCLASS 0x29 #define BIT_GENERICPARAM 0x2A #define BIT_METHODSPEC 0x2B #define BIT_GENERICPARAMCONSTRAINT 0x2C // These are not documented in ECMA-335 nor is it clear what the format is. // They are for debugging information as far as I can tell. //#define BIT_DOCUMENT 0x30 //#define BIT_METHODDEBUGINFORMATION 0x31 //#define BIT_LOCALSCOPE 0x32 //#define BIT_LOCALVARIABLE 0x33 //#define BIT_LOCALCONSTANT 0x34 //#define BIT_IMPORTSCOPE 0x35 //#define BIT_STATEMACHINEMETHOD 0x36 // // Element types. Note this is not a complete list as we aren't parsing all of // them. This only includes the ones we care about. // ECMA-335 Section II.23.1.16 // #define ELEMENT_TYPE_STRING 0x0E // The string length of a typelib attribute is at most 0xFF. #define MAX_TYPELIB_SIZE 0xFF // // Module table // ECMA-335 Section II.22.30 // typedef struct _MODULE_TABLE { WORD Generation; union { WORD Name_Short; DWORD Name_Long; } Name; union { WORD Mvid_Short; DWORD Mvid_Long; } Mvid; union { WORD EncId_Short; DWORD EncId_Long; } EncId; union { WORD EncBaseId_Short; DWORD EncBaseId_Long; } EncBaseId; } MODULE_TABLE, *PMODULE_TABLE; // // Assembly Table // ECMA-335 Section II.22.2 // typedef struct _ASSEMBLY_TABLE { DWORD HashAlgId; WORD MajorVersion; WORD MinorVersion; WORD BuildNumber; WORD RevisionNumber; DWORD Flags; union { WORD PublicKey_Short; DWORD PublicKey_Long; } PublicKey; union { WORD Name_Short; DWORD Name_Long; } Name; } ASSEMBLY_TABLE, *PASSEMBLY_TABLE; // // Assembly Reference Table // ECMA-335 Section II.22.5 // typedef struct _ASSEMBLYREF_TABLE { WORD MajorVersion; WORD MinorVersion; WORD BuildNumber; WORD RevisionNumber; DWORD Flags; union { WORD PublicKeyOrToken_Short; DWORD PublicKeyOrToken_Long; } PublicKeyOrToken; union { WORD Name_Short; DWORD Name_Long; } Name; } ASSEMBLYREF_TABLE, *PASSEMBLYREF_TABLE; // // Manifest Resource Table // ECMA-335 Section II.22.24 // typedef struct _MANIFESTRESOURCE_TABLE { DWORD Offset; DWORD Flags; union { WORD Name_Short; DWORD Name_Long; } Name; union { WORD Implementation_Short; DWORD Implementation_Long; } Implementation; } MANIFESTRESOURCE_TABLE, *PMANIFESTRESOURCE_TABLE; // // ModuleRef Table // ECMA-335 Section II.22.31 // // This is a short table, but necessary because the field size can change. // typedef struct _MODULEREF_TABLE { union { WORD Name_Short; DWORD Name_Long; } Name; } MODULEREF_TABLE, *PMODULEREF_TABLE; // // CustomAttribute Table // ECMA-335 Section II.22.10 // typedef struct _CUSTOMATTRIBUTE_TABLE { union { WORD Parent_Short; DWORD Parent_Long; } Parent; union { WORD Type_Short; DWORD Type_Long; } Type; union { WORD Value_Short; DWORD Value_Long; } Value; } CUSTOMATTRIBUTE_TABLE, *PCUSTOMATTRIBUTE_TABLE; // // Constant TAble // ECMA-335 Section II.22.9 // typedef struct _CONSTANT_TABLE { WORD Type; union { WORD Parent_Short; DWORD Parent_Long; } Parent; union { WORD Value_Short; DWORD Value_Long; } Value; } CONSTANT_TABLE, *PCONSTANT_TABLE; // Used to return offsets to the various headers. typedef struct _STREAMS { PSTREAM_HEADER guid; PSTREAM_HEADER tilde; PSTREAM_HEADER string; PSTREAM_HEADER blob; PSTREAM_HEADER us; } STREAMS, *PSTREAMS; // Used to return the value of parsing a #US or #Blob entry. // ECMA-335 Section II.24.2.4 typedef struct _BLOB_PARSE_RESULT { uint8_t size; // Number of bytes parsed. This is the new offset. DWORD length; // Value of the bytes parsed. This is the blob length. } BLOB_PARSE_RESULT, *PBLOB_PARSE_RESULT; // Used to store the number of rows of each table. typedef struct _ROWS { uint32_t module; uint32_t moduleref; uint32_t assemblyref; uint32_t typeref; uint32_t methoddef; uint32_t memberref; uint32_t typedef_; uint32_t typespec; uint32_t field; uint32_t param; uint32_t property; uint32_t interfaceimpl; uint32_t event; uint32_t standalonesig; uint32_t assembly; uint32_t file; uint32_t exportedtype; uint32_t manifestresource; uint32_t genericparam; uint32_t genericparamconstraint; uint32_t methodspec; uint32_t assemblyrefprocessor; } ROWS, *PROWS; // Used to store the index sizes for the various tables. typedef struct _INDEX_SIZES { uint8_t string; uint8_t guid; uint8_t blob; uint8_t field; uint8_t methoddef; uint8_t memberref; uint8_t param; uint8_t event; uint8_t typedef_; uint8_t property; uint8_t moduleref; uint8_t assemblyrefprocessor; uint8_t assemblyref; uint8_t genericparam; } INDEX_SIZES, *PINDEX_SIZES; #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/elf.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _ELF_H #define _ELF_H #include "integers.h" // 32-bit ELF base types typedef uint32_t elf32_addr_t; typedef uint16_t elf32_half_t; typedef uint32_t elf32_off_t; typedef uint32_t elf32_word_t; // 64-bit ELF base types typedef uint64_t elf64_addr_t; typedef uint16_t elf64_half_t; typedef uint64_t elf64_off_t; typedef uint32_t elf64_word_t; typedef uint64_t elf64_xword_t; #define ELF_MAGIC 0x464C457F #define ELF_ET_NONE 0x0000 // no type #define ELF_ET_REL 0x0001 // relocatable #define ELF_ET_EXEC 0x0002 // executable #define ELF_ET_DYN 0x0003 // Shared-Object-File #define ELF_ET_CORE 0x0004 // Corefile #define ELF_ET_LOPROC 0xFF00 // Processor-specific #define ELF_ET_HIPROC 0x00FF // Processor-specific #define ELF_EM_NONE 0x0000 // no type #define ELF_EM_M32 0x0001 // AT&T WE 32100 #define ELF_EM_SPARC 0x0002 // SPARC #define ELF_EM_386 0x0003 // Intel 80386 #define ELF_EM_68K 0x0004 // Motorola 68000 #define ELF_EM_88K 0x0005 // Motorola 88000 #define ELF_EM_860 0x0007 // Intel 80860 #define ELF_EM_MIPS 0x0008 // MIPS I Architecture #define ELF_EM_MIPS_RS3_LE 0x000A // MIPS RS3000 Little-endian #define ELF_EM_PPC 0x0014 // PowerPC #define ELF_EM_PPC64 0x0015 // 64-bit PowerPC #define ELF_EM_ARM 0x0028 // ARM #define ELF_EM_X86_64 0x003E // AMD/Intel x86_64 #define ELF_EM_AARCH64 0x00B7 // 64-bit ARM #define ELF_CLASS_NONE 0x0000 #define ELF_CLASS_32 0x0001 // 32bit file #define ELF_CLASS_64 0x0002 // 64bit file #define ELF_DATA_NONE 0x0000 #define ELF_DATA_2LSB 0x0001 #define ELF_DATA_2MSB 0x002 #define ELF_SHT_NULL 0 // Section header table entry unused #define ELF_SHT_PROGBITS 1 // Program data #define ELF_SHT_SYMTAB 2 // Symbol table #define ELF_SHT_STRTAB 3 // String table #define ELF_SHT_RELA 4 // Relocation entries with addends #define ELF_SHT_HASH 5 // Symbol hash table #define ELF_SHT_DYNAMIC 6 // Dynamic linking information #define ELF_SHT_NOTE 7 // Notes #define ELF_SHT_NOBITS 8 // Program space with no data (bss) #define ELF_SHT_REL 9 // Relocation entries, no addends #define ELF_SHT_SHLIB 10 // Reserved #define ELF_SHT_DYNSYM 11 // Dynamic linker symbol table #define ELF_SHT_NUM 12 // Number of defined types #define ELF_SHF_WRITE 0x1 // Section is writable #define ELF_SHF_ALLOC 0x2 // Section is present during execution #define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions #define ELF_SHN_LORESERVE 0xFF00 #define ELF_PT_NULL 0 // The array element is unused #define ELF_PT_LOAD 1 // Loadable segment #define ELF_PT_DYNAMIC 2 // Segment contains dynamic linking info #define ELF_PT_INTERP 3 // Contains interpreter pathname #define ELF_PT_NOTE 4 // Location & size of auxiliary info #define ELF_PT_SHLIB 5 // Reserved, unspecified semantics #define ELF_PT_PHDR 6 // Location and size of program header table #define ELF_PT_TLS 7 // Thread-Local Storage #define ELF_PT_GNU_EH_FRAME 0x6474e550 #define ELF_PT_GNU_STACK 0x6474e551 #define ELF_DT_NULL 0 // End of the dynamic entries #define ELF_DT_NEEDED 1 // Name of needed library #define ELF_DT_PLTRELSZ 2 // Size in bytes of PLT relocs #define ELF_DT_PLTGOT 3 // Processor defined value */ #define ELF_DT_HASH 4 // Address of symbol hash table #define ELF_DT_STRTAB 5 // Address of string table #define ELF_DT_SYMTAB 6 // Address of symbol table #define ELF_DT_RELA 7 // Address of Rela relocs #define ELF_DT_RELASZ 8 // Total size of Rela relocs #define ELF_DT_RELAENT 9 // Size of one Rela reloc #define ELF_DT_STRSZ 10 // Size of string table #define ELF_DT_SYMENT 11 // Size of one symbol table entry #define ELF_DT_INIT 12 // Address of init function #define ELF_DT_FINI 13 // Address of termination function #define ELF_DT_SONAME 14 // Name of shared object #define ELF_DT_RPATH 15 // Library search path (deprecated) #define ELF_DT_SYMBOLIC 16 // Start symbol search here #define ELF_DT_REL 17 // Address of Rel relocs #define ELF_DT_RELSZ 18 // Total size of Rel relocs #define ELF_DT_RELENT 19 // Size of one Rel reloc #define ELF_DT_PLTREL 20 // Type of reloc in PLT #define ELF_DT_DEBUG 21 // For debugging; unspecified #define ELF_DT_TEXTREL 22 // Reloc might modify .text #define ELF_DT_JMPREL 23 // Address of PLT relocs #define ELF_DT_BIND_NOW 24 // Process relocations of object #define ELF_DT_INIT_ARRAY 25 // Array with addresses of init fct #define ELF_DT_FINI_ARRAY 26 // Array with addresses of fini fct #define ELF_DT_INIT_ARRAYSZ 27 // Size in bytes of DT_INIT_ARRAY #define ELF_DT_FINI_ARRAYSZ 28 // Size in bytes of DT_FINI_ARRAY #define ELF_DT_RUNPATH 29 // Library search path #define ELF_DT_FLAGS 30 // Flags for the object being loaded #define ELF_DT_ENCODING 32 // Start of encoded range #define ELF_STT_NOTYPE 0 // Symbol type is unspecified #define ELF_STT_OBJECT 1 // Symbol is a data object #define ELF_STT_FUNC 2 // Symbol is a code object #define ELF_STT_SECTION 3 // Symbol associated with a section #define ELF_STT_FILE 4 // Symbol's name is file name #define ELF_STT_COMMON 5 // Symbol is a common data object #define ELF_STT_TLS 6 // Symbol is thread-local data object #define ELF_STB_LOCAL 0 // Local symbol #define ELF_STB_GLOBAL 1 // Global symbol #define ELF_STB_WEAK 2 // Weak symbol #define ELF_PF_X 0x1 // Segment is executable #define ELF_PF_W 0x2 // Segment is writable #define ELF_PF_R 0x4 // Segment is readable #define ELF_PN_XNUM 0xffff #pragma pack(push,1) typedef struct { uint32_t magic; uint8_t _class; uint8_t data; uint8_t version; uint8_t pad[8]; uint8_t nident; } elf_ident_t; typedef struct { elf_ident_t ident; elf32_half_t type; elf32_half_t machine; elf32_word_t version; elf32_addr_t entry; elf32_off_t ph_offset; elf32_off_t sh_offset; elf32_word_t flags; elf32_half_t header_size; elf32_half_t ph_entry_size; elf32_half_t ph_entry_count; elf32_half_t sh_entry_size; elf32_half_t sh_entry_count; elf32_half_t sh_str_table_index; } elf32_header_t; typedef struct { elf_ident_t ident; elf64_half_t type; elf64_half_t machine; elf64_word_t version; elf64_addr_t entry; elf64_off_t ph_offset; elf64_off_t sh_offset; elf64_word_t flags; elf64_half_t header_size; elf64_half_t ph_entry_size; elf64_half_t ph_entry_count; elf64_half_t sh_entry_size; elf64_half_t sh_entry_count; elf64_half_t sh_str_table_index; } elf64_header_t; typedef struct { elf32_word_t type; elf32_off_t offset; elf32_addr_t virt_addr; elf32_addr_t phys_addr; elf32_word_t file_size; elf32_word_t mem_size; elf32_word_t flags; elf32_word_t alignment; } elf32_program_header_t; typedef struct { elf64_word_t type; elf64_word_t flags; elf64_off_t offset; elf64_addr_t virt_addr; elf64_addr_t phys_addr; elf64_xword_t file_size; elf64_xword_t mem_size; elf64_xword_t alignment; } elf64_program_header_t; typedef struct { elf32_word_t name; elf32_word_t type; elf32_word_t flags; elf32_addr_t addr; elf32_off_t offset; elf32_word_t size; elf32_word_t link; elf32_word_t info; elf32_word_t align; elf32_word_t entry_size; } elf32_section_header_t; typedef struct { elf64_word_t name; elf64_word_t type; elf64_xword_t flags; elf64_addr_t addr; elf64_off_t offset; elf64_xword_t size; elf64_word_t link; elf64_word_t info; elf64_xword_t align; elf64_xword_t entry_size; } elf64_section_header_t; typedef struct { elf32_word_t tag; elf32_word_t val; } elf32_dyn_t; typedef struct { elf64_xword_t tag; elf64_xword_t val; } elf64_dyn_t; typedef struct { elf32_word_t name; elf32_addr_t value; elf32_word_t size; unsigned char info; unsigned char other; elf32_half_t shndx; } elf32_sym_t; typedef struct { elf32_word_t name; unsigned char info; unsigned char other; elf32_half_t shndx; elf64_addr_t value; elf64_xword_t size; } elf64_sym_t; #pragma pack(pop) #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/endian.h ================================================ /* Copyright (c) 2016. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_ENDIAN_H #define YR_ENDIAN_H #include #if defined(__has_builtin) # if __has_builtin(__builtin_bswap16) # define yr_bswap16(x) __builtin_bswap16(x) # endif #endif #if !defined(yr_bswap16) && defined(_MSC_VER) # define yr_bswap16(x) _byteswap_ushort(x) #endif #if !defined(yr_bswap16) uint16_t _yr_bswap16(uint16_t x); # define yr_bswap16(x) _yr_bswap16(x) #endif #if defined(__has_builtin) # if __has_builtin(__builtin_bswap32) # define yr_bswap32(x) __builtin_bswap32(x) # endif #endif #if !defined(yr_bswap32) && defined(_MSC_VER) # define yr_bswap32(x) _byteswap_ulong(x) #endif #if !defined(yr_bswap32) uint32_t _yr_bswap32(uint32_t x); #define yr_bswap32(x) _yr_bswap32(x) #endif #if defined(__has_builtin) # if __has_builtin(__builtin_bswap64) # define yr_bswap64(x) __builtin_bswap64(x) # endif #endif #if !defined(yr_bswap64) && defined(_MSC_VER) # define yr_bswap64(x) _byteswap_uint64(x) #endif #if !defined(yr_bswap64) uint64_t _yr_bswap64(uint64_t x); #define yr_bswap64(x) _yr_bswap64(x) #endif #if defined(WORDS_BIGENDIAN) #define yr_le16toh(x) yr_bswap16(x) #define yr_le32toh(x) yr_bswap32(x) #define yr_le64toh(x) yr_bswap64(x) #define yr_be16toh(x) (x) #define yr_be32toh(x) (x) #define yr_be64toh(x) (x) #else #define yr_le16toh(x) (x) #define yr_le32toh(x) (x) #define yr_le64toh(x) (x) #define yr_be16toh(x) yr_bswap16(x) #define yr_be32toh(x) yr_bswap32(x) #define yr_be64toh(x) yr_bswap64(x) #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/error.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_ERROR_H #define YR_ERROR_H #include #if defined(_WIN32) || defined(__CYGWIN__) #include #endif #ifndef ERROR_SUCCESS #define ERROR_SUCCESS 0 #endif // ERROR_INSUFICIENT_MEMORY is misspelled but it's kept for backward // compatibility, as some other programs can be using it in this form. #define ERROR_INSUFICIENT_MEMORY 1 #define ERROR_INSUFFICIENT_MEMORY 1 #define ERROR_COULD_NOT_ATTACH_TO_PROCESS 2 #define ERROR_COULD_NOT_OPEN_FILE 3 #define ERROR_COULD_NOT_MAP_FILE 4 #define ERROR_INVALID_FILE 6 #define ERROR_CORRUPT_FILE 7 #define ERROR_UNSUPPORTED_FILE_VERSION 8 #define ERROR_INVALID_REGULAR_EXPRESSION 9 #define ERROR_INVALID_HEX_STRING 10 #define ERROR_SYNTAX_ERROR 11 #define ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12 #define ERROR_DUPLICATED_LOOP_IDENTIFIER 13 #define ERROR_DUPLICATED_IDENTIFIER 14 #define ERROR_DUPLICATED_TAG_IDENTIFIER 15 #define ERROR_DUPLICATED_META_IDENTIFIER 16 #define ERROR_DUPLICATED_STRING_IDENTIFIER 17 #define ERROR_UNREFERENCED_STRING 18 #define ERROR_UNDEFINED_STRING 19 #define ERROR_UNDEFINED_IDENTIFIER 20 #define ERROR_MISPLACED_ANONYMOUS_STRING 21 #define ERROR_INCLUDES_CIRCULAR_REFERENCE 22 #define ERROR_INCLUDE_DEPTH_EXCEEDED 23 #define ERROR_WRONG_TYPE 24 #define ERROR_EXEC_STACK_OVERFLOW 25 #define ERROR_SCAN_TIMEOUT 26 #define ERROR_TOO_MANY_SCAN_THREADS 27 #define ERROR_CALLBACK_ERROR 28 #define ERROR_INVALID_ARGUMENT 29 #define ERROR_TOO_MANY_MATCHES 30 #define ERROR_INTERNAL_FATAL_ERROR 31 #define ERROR_NESTED_FOR_OF_LOOP 32 #define ERROR_INVALID_FIELD_NAME 33 #define ERROR_UNKNOWN_MODULE 34 #define ERROR_NOT_A_STRUCTURE 35 #define ERROR_NOT_INDEXABLE 36 #define ERROR_NOT_A_FUNCTION 37 #define ERROR_INVALID_FORMAT 38 #define ERROR_TOO_MANY_ARGUMENTS 39 #define ERROR_WRONG_ARGUMENTS 40 #define ERROR_WRONG_RETURN_TYPE 41 #define ERROR_DUPLICATED_STRUCTURE_MEMBER 42 #define ERROR_EMPTY_STRING 43 #define ERROR_DIVISION_BY_ZERO 44 #define ERROR_REGULAR_EXPRESSION_TOO_LARGE 45 #define ERROR_TOO_MANY_RE_FIBERS 46 #define ERROR_COULD_NOT_READ_PROCESS_MEMORY 47 #define ERROR_INVALID_EXTERNAL_VARIABLE_TYPE 48 #define ERROR_REGULAR_EXPRESSION_TOO_COMPLEX 49 #define ERROR_INVALID_MODULE_NAME 50 #define FAIL_ON_ERROR(x) { \ int result = (x); \ if (result != ERROR_SUCCESS) \ return result; \ } #define FAIL_ON_ERROR_WITH_CLEANUP(x, cleanup) { \ int result = (x); \ if (result != ERROR_SUCCESS) { \ cleanup; \ return result; \ } \ } #define FAIL_ON_COMPILER_ERROR(x) { \ compiler->last_result = (x); \ if (compiler->last_result != ERROR_SUCCESS) \ return compiler->last_result; \ } #ifdef NDEBUG #define assertf(expr, msg, ...) ((void)0) #else #define assertf(expr, msg, ...) \ if(!(expr)) { \ fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ abort(); \ } #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/exec.h ================================================ /* Copyright (c) 2013-2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_EXEC_H #define YR_EXEC_H #include "hash.h" #include "scan.h" #include "types.h" #include "rules.h" #define UNDEFINED 0xFFFABADAFABADAFFLL #define IS_UNDEFINED(x) ((size_t)(x) == (size_t) UNDEFINED) #define OP_ERROR 0 #define OP_HALT 255 #define OP_NOP 254 #define OP_AND 1 #define OP_OR 2 #define OP_NOT 3 #define OP_BITWISE_NOT 4 #define OP_BITWISE_AND 5 #define OP_BITWISE_OR 6 #define OP_BITWISE_XOR 7 #define OP_SHL 8 #define OP_SHR 9 #define OP_MOD 10 #define OP_INT_TO_DBL 11 #define OP_STR_TO_BOOL 12 #define OP_PUSH 13 #define OP_POP 14 #define OP_CALL 15 #define OP_OBJ_LOAD 16 #define OP_OBJ_VALUE 17 #define OP_OBJ_FIELD 18 #define OP_INDEX_ARRAY 19 #define OP_COUNT 20 #define OP_LENGTH 21 #define OP_FOUND 22 #define OP_FOUND_AT 23 #define OP_FOUND_IN 24 #define OP_OFFSET 25 #define OP_OF 26 #define OP_PUSH_RULE 27 #define OP_INIT_RULE 28 #define OP_MATCH_RULE 29 #define OP_INCR_M 30 #define OP_CLEAR_M 31 #define OP_ADD_M 32 #define OP_POP_M 33 #define OP_PUSH_M 34 #define OP_SWAPUNDEF 35 #define OP_JNUNDEF 36 #define OP_JLE 37 #define OP_FILESIZE 38 #define OP_ENTRYPOINT 39 #define OP_CONTAINS 40 #define OP_MATCHES 41 #define OP_IMPORT 42 #define OP_LOOKUP_DICT 43 #define OP_JFALSE 44 #define OP_JTRUE 45 #define _OP_EQ 0 #define _OP_NEQ 1 #define _OP_LT 2 #define _OP_GT 3 #define _OP_LE 4 #define _OP_GE 5 #define _OP_ADD 6 #define _OP_SUB 7 #define _OP_MUL 8 #define _OP_DIV 9 #define _OP_MINUS 10 #define OP_INT_BEGIN 100 #define OP_INT_EQ (OP_INT_BEGIN + _OP_EQ) #define OP_INT_NEQ (OP_INT_BEGIN + _OP_NEQ) #define OP_INT_LT (OP_INT_BEGIN + _OP_LT) #define OP_INT_GT (OP_INT_BEGIN + _OP_GT) #define OP_INT_LE (OP_INT_BEGIN + _OP_LE) #define OP_INT_GE (OP_INT_BEGIN + _OP_GE) #define OP_INT_ADD (OP_INT_BEGIN + _OP_ADD) #define OP_INT_SUB (OP_INT_BEGIN + _OP_SUB) #define OP_INT_MUL (OP_INT_BEGIN + _OP_MUL) #define OP_INT_DIV (OP_INT_BEGIN + _OP_DIV) #define OP_INT_MINUS (OP_INT_BEGIN + _OP_MINUS) #define OP_INT_END OP_INT_MINUS #define OP_DBL_BEGIN 120 #define OP_DBL_EQ (OP_DBL_BEGIN + _OP_EQ) #define OP_DBL_NEQ (OP_DBL_BEGIN + _OP_NEQ) #define OP_DBL_LT (OP_DBL_BEGIN + _OP_LT) #define OP_DBL_GT (OP_DBL_BEGIN + _OP_GT) #define OP_DBL_LE (OP_DBL_BEGIN + _OP_LE) #define OP_DBL_GE (OP_DBL_BEGIN + _OP_GE) #define OP_DBL_ADD (OP_DBL_BEGIN + _OP_ADD) #define OP_DBL_SUB (OP_DBL_BEGIN + _OP_SUB) #define OP_DBL_MUL (OP_DBL_BEGIN + _OP_MUL) #define OP_DBL_DIV (OP_DBL_BEGIN + _OP_DIV) #define OP_DBL_MINUS (OP_DBL_BEGIN + _OP_MINUS) #define OP_DBL_END OP_DBL_MINUS #define OP_STR_BEGIN 140 #define OP_STR_EQ (OP_STR_BEGIN + _OP_EQ) #define OP_STR_NEQ (OP_STR_BEGIN + _OP_NEQ) #define OP_STR_LT (OP_STR_BEGIN + _OP_LT) #define OP_STR_GT (OP_STR_BEGIN + _OP_GT) #define OP_STR_LE (OP_STR_BEGIN + _OP_LE) #define OP_STR_GE (OP_STR_BEGIN + _OP_GE) #define OP_STR_END OP_STR_GE #define IS_INT_OP(x) ((x) >= OP_INT_BEGIN && (x) <= OP_INT_END) #define IS_DBL_OP(x) ((x) >= OP_DBL_BEGIN && (x) <= OP_DBL_END) #define IS_STR_OP(x) ((x) >= OP_STR_BEGIN && (x) <= OP_STR_END) #define OP_READ_INT 240 #define OP_INT8 (OP_READ_INT + 0) #define OP_INT16 (OP_READ_INT + 1) #define OP_INT32 (OP_READ_INT + 2) #define OP_UINT8 (OP_READ_INT + 3) #define OP_UINT16 (OP_READ_INT + 4) #define OP_UINT32 (OP_READ_INT + 5) #define OP_INT8BE (OP_READ_INT + 6) #define OP_INT16BE (OP_READ_INT + 7) #define OP_INT32BE (OP_READ_INT + 8) #define OP_UINT8BE (OP_READ_INT + 9) #define OP_UINT16BE (OP_READ_INT + 10) #define OP_UINT32BE (OP_READ_INT + 11) #define OPERATION(operator, op1, op2) \ (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (UNDEFINED) : (op1 operator op2) #define COMPARISON(operator, op1, op2) \ (IS_UNDEFINED(op1) || IS_UNDEFINED(op2)) ? (0) : (op1 operator op2) int yr_execute_code( YR_RULES* rules, YR_SCAN_CONTEXT* context, int timeout, time_t start_time); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/exefiles.h ================================================ /* Copyright (c) 2007. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_EXEFILES_H #define YR_EXEFILES_H uint64_t yr_get_entry_point_offset( uint8_t* buffer, size_t buffer_length); uint64_t yr_get_entry_point_address( uint8_t* buffer, size_t buffer_length, size_t base_address); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/filemap.h ================================================ /* Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_FILEMAP_H #define YR_FILEMAP_H #ifdef _MSC_VER #define off_t int64_t #else #include #endif #if defined(_WIN32) || defined(__CYGWIN__) #include #define YR_FILE_DESCRIPTOR HANDLE #else #define YR_FILE_DESCRIPTOR int #endif #include #include "integers.h" #include "utils.h" typedef struct _YR_MAPPED_FILE { YR_FILE_DESCRIPTOR file; size_t size; uint8_t* data; #if defined(_WIN32) || defined(__CYGWIN__) HANDLE mapping; #endif } YR_MAPPED_FILE; YR_API int yr_filemap_map( const char* file_path, YR_MAPPED_FILE* pmapped_file); YR_API int yr_filemap_map_fd( YR_FILE_DESCRIPTOR file, off_t offset, size_t size, YR_MAPPED_FILE* pmapped_file); YR_API int yr_filemap_map_ex( const char* file_path, off_t offset, size_t size, YR_MAPPED_FILE* pmapped_file); YR_API void yr_filemap_unmap( YR_MAPPED_FILE* pmapped_file); YR_API void yr_filemap_unmap_fd( YR_MAPPED_FILE* pmapped_file); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/globals.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_GLOBALS_H #define YR_GLOBALS_H #include "threading.h" extern char yr_lowercase[256]; extern char yr_altercase[256]; extern YR_THREAD_STORAGE_KEY yr_tidx_key; extern YR_THREAD_STORAGE_KEY yr_recovery_state_key; #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/hash.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_HASH_H #define YR_HASH_H #include #include "utils.h" typedef struct _YR_HASH_TABLE_ENTRY { void* key; size_t key_length; char* ns; void* value; struct _YR_HASH_TABLE_ENTRY* next; } YR_HASH_TABLE_ENTRY; typedef struct _YR_HASH_TABLE { int size; YR_HASH_TABLE_ENTRY* buckets[1]; } YR_HASH_TABLE; typedef int (*YR_HASH_TABLE_FREE_VALUE_FUNC)(void* value); YR_API int yr_hash_table_create( int size, YR_HASH_TABLE** table); YR_API void yr_hash_table_clean( YR_HASH_TABLE* table, YR_HASH_TABLE_FREE_VALUE_FUNC free_value); YR_API void yr_hash_table_destroy( YR_HASH_TABLE* table, YR_HASH_TABLE_FREE_VALUE_FUNC free_value); YR_API void* yr_hash_table_lookup( YR_HASH_TABLE* table, const char* key, const char* ns); YR_API int yr_hash_table_add( YR_HASH_TABLE* table, const char* key, const char* ns, void* value); YR_API void* yr_hash_table_lookup_raw_key( YR_HASH_TABLE* table, const void* key, size_t key_length, const char* ns); YR_API int yr_hash_table_add_raw_key( YR_HASH_TABLE* table, const void* key, size_t key_length, const char* ns, void* value); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/hex_lexer.h ================================================ /* Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "re.h" #undef yyparse #undef yylex #undef yyerror #undef yyfatal #undef yychar #undef yydebug #undef yynerrs #undef yyget_extra #undef yyget_lineno #undef YY_FATAL_ERROR #undef YY_DECL #undef LEX_ENV #define yyparse hex_yyparse #define yylex hex_yylex #define yyerror hex_yyerror #define yyfatal hex_yyfatal #define yychar hex_yychar #define yydebug hex_yydebug #define yynerrs hex_yynerrs #define yyget_extra hex_yyget_extra #define yyget_lineno hex_yyget_lineno #ifndef YY_TYPEDEF_YY_SCANNER_T #define YY_TYPEDEF_YY_SCANNER_T typedef void* yyscan_t; #endif #define YY_EXTRA_TYPE RE_AST* #define YY_USE_CONST typedef struct _HEX_LEX_ENVIRONMENT { int token_count; int inside_or; int last_error_code; char last_error_message[256]; } HEX_LEX_ENVIRONMENT; #define YY_FATAL_ERROR(msg) hex_yyfatal(yyscanner, msg) #define LEX_ENV ((HEX_LEX_ENVIRONMENT*) lex_env) #include #define YY_DECL int hex_yylex \ (YYSTYPE * yylval_param , yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env) YY_EXTRA_TYPE yyget_extra( yyscan_t yyscanner); int yylex( YYSTYPE* yylval_param, yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env); int yyparse( void* yyscanner, HEX_LEX_ENVIRONMENT* lex_env); void yyerror( yyscan_t yyscanner, HEX_LEX_ENVIRONMENT* lex_env, const char* error_message); void yyfatal( yyscan_t yyscanner, const char* error_message); int yr_parse_hex_string( const char* hex_string, RE_AST** re_ast, RE_ERROR* error); ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/integers.h ================================================ /* Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_INTEGERS_H #define YR_INTEGERS_H /* Integer type definitions */ #if ( defined( _MSC_VER ) && ( _MSC_VER < 1600 ) ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ <= 0x0560 ) ) #ifdef __cplusplus extern "C" { #endif /* Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions of the Borland C++ Builder * do not support the (u)int#_t type definitions but have __int# definitions instead */ typedef __int8 int8_t; typedef unsigned __int8 uint8_t; typedef __int16 int16_t; typedef unsigned __int16 uint16_t; typedef __int32 int32_t; typedef unsigned __int32 uint32_t; typedef __int64 int64_t; typedef unsigned __int64 uint64_t; #ifdef __cplusplus } #endif #else /* Other "compilers" and later versions of Microsoft Visual Studio C++ and * Borland C/C++ define the types in */ #include #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/lexer.h ================================================ /* Copyright (c) 2007. Victor M. Alvarez [plusvic@gmail.com]. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "compiler.h" #undef yyparse #undef yylex #undef yyerror #undef yyfatal #undef yychar #undef yydebug #undef yynerrs #undef yyget_extra #undef yyget_lineno #undef YY_DECL #undef YY_FATAL_ERROR #undef YY_EXTRA_TYPE #define yyparse yara_yyparse #define yylex yara_yylex #define yyerror yara_yyerror #define yyfatal yara_yyfatal #define yywarning yara_yywarning #define yychar yara_yychar #define yydebug yara_yydebug #define yynerrs yara_yynerrs #define yyget_extra yara_yyget_extra #define yyget_lineno yara_yyget_lineno #ifndef YY_TYPEDEF_YY_SCANNER_T #define YY_TYPEDEF_YY_SCANNER_T typedef void* yyscan_t; #endif #ifndef YY_TYPEDEF_EXPRESSION_T #define YY_TYPEDEF_EXPRESSION_T // Expression type constants are powers of two because they are used as flags. // For example: // CHECK_TYPE(whatever, EXPRESSION_TYPE_INTEGER | EXPRESSION_TYPE_FLOAT) // The expression above is used to ensure that the type of "whatever" is either // integer or float. #define EXPRESSION_TYPE_BOOLEAN 1 #define EXPRESSION_TYPE_INTEGER 2 #define EXPRESSION_TYPE_STRING 4 #define EXPRESSION_TYPE_REGEXP 8 #define EXPRESSION_TYPE_OBJECT 16 #define EXPRESSION_TYPE_FLOAT 32 typedef struct _EXPRESSION { int type; union { int64_t integer; YR_OBJECT* object; SIZED_STRING* sized_string; } value; const char* identifier; } EXPRESSION; union YYSTYPE; #endif #define YY_DECL int yylex( \ union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler) #define YY_FATAL_ERROR(msg) yara_yyfatal(yyscanner, msg) #define YY_EXTRA_TYPE YR_COMPILER* #define YY_USE_CONST int yyget_lineno(yyscan_t yyscanner); int yylex( union YYSTYPE* yylval_param, yyscan_t yyscanner, YR_COMPILER* compiler); int yyparse( void* yyscanner, YR_COMPILER* compiler); void yyerror( yyscan_t yyscanner, YR_COMPILER* compiler, const char* error_message); void yywarning( yyscan_t yyscanner, const char* message_fmt, ...); void yyfatal( yyscan_t yyscanner, const char* error_message); YY_EXTRA_TYPE yyget_extra( yyscan_t yyscanner); int yr_lex_parse_rules_string( const char* rules_string, YR_COMPILER* compiler); int yr_lex_parse_rules_file( FILE* rules_file, YR_COMPILER* compiler); int yr_lex_parse_rules_fd( YR_FILE_DESCRIPTOR rules_fd, YR_COMPILER* compiler); ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/libyara.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_LIBYARA_H #define YR_LIBYARA_H #include "utils.h" #define YR_MAJOR_VERSION 3 #define YR_MINOR_VERSION 6 #define YR_MICRO_VERSION 0 #define version_str(s) _version_str(s) #define _version_str(s) #s // Version as a string #define YR_VERSION version_str(YR_MAJOR_VERSION) \ "." version_str(YR_MINOR_VERSION) \ "." version_str(YR_MICRO_VERSION) // Version as a single 4-byte hex number, e.g. 0x030401 == 3.4.1. #define YR_VERSION_HEX ((YR_MAJOR_VERSION << 16) | \ (YR_MINOR_VERSION << 8) | \ (YR_MICRO_VERSION << 0)) // Enumerated type listing configuration options typedef enum _YR_CONFIG_NAME { YR_CONFIG_STACK_SIZE, YR_CONFIG_MAX } YR_CONFIG_NAME; #define DEFAULT_STACK_SIZE 16384 YR_API int yr_initialize(void); YR_API int yr_finalize(void); YR_API void yr_finalize_thread(void); YR_API int yr_get_tidx(void); YR_API void yr_set_tidx(int); YR_API int yr_set_configuration(YR_CONFIG_NAME, void*); YR_API int yr_get_configuration(YR_CONFIG_NAME, void*); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/limits.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_LIMITS_H #define YR_LIMITS_H #if defined(_WIN32) || defined(__CYGWIN__) #include #endif #include "utils.h" // MAX_THREADS is the number of threads that can use a YR_RULES // object simultaneously. #ifndef MAX_THREADS #define MAX_THREADS 32 #endif #ifndef MAX_PATH #define MAX_PATH 1024 #endif #define MAX_COMPILER_ERROR_EXTRA_INFO 256 #define MAX_ATOM_LENGTH 4 #define MAX_LOOP_NESTING 4 #define MAX_ARENA_PAGES 32 #define MAX_INCLUDE_DEPTH 16 #define MAX_STRING_MATCHES 1000000 #define MAX_FUNCTION_ARGS 128 #define MAX_FAST_RE_STACK 300 #define MAX_OVERLOADED_FUNCTIONS 10 #define MAX_HEX_STRING_TOKENS 10000 #define MAX_MATCH_DATA 4096 #define LOOP_LOCAL_VARS 4 #define STRING_CHAINING_THRESHOLD 200 #define LEX_BUF_SIZE 8192 #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/mem.h ================================================ /* Copyright (c) 2007. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_MEM_H #define YR_MEM_H #include #ifdef DMALLOC #define yr_malloc malloc #define yr_calloc calloc #define yr_realloc realloc #define yr_free free #define yr_strdup strdup #define yr_strndup strndup #include #else void* yr_calloc( size_t count, size_t size); void* yr_malloc( size_t size); void* yr_realloc( void* ptr, size_t size); void yr_free( void* ptr); char* yr_strdup( const char* str); char* yr_strndup( const char* str, size_t n); #endif int yr_heap_alloc(void); int yr_heap_free(void); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/modules.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_MODULES_H #define YR_MODULES_H #include #include #include #include #include "utils.h" #include "limits.h" #include "error.h" #include "exec.h" #include "types.h" #include "object.h" #include "libyara.h" // Concatenation that macro-expands its arguments. #define YR_CONCAT(arg1, arg2) _YR_CONCAT(arg1, arg2) // expands the arguments. #define _YR_CONCAT(arg1, arg2) arg1 ## arg2 // do the actual concatenation. #define module_declarations YR_CONCAT(MODULE_NAME, __declarations) #define module_load YR_CONCAT(MODULE_NAME, __load) #define module_unload YR_CONCAT(MODULE_NAME, __unload) #define module_initialize YR_CONCAT(MODULE_NAME, __initialize) #define module_finalize YR_CONCAT(MODULE_NAME, __finalize) #define begin_declarations \ int module_declarations(YR_OBJECT* module) { \ YR_OBJECT* stack[64]; \ int stack_top = 0; \ stack[stack_top] = module; #define end_declarations \ return ERROR_SUCCESS; } #define begin_struct(name) { \ YR_OBJECT* structure; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRUCTURE, \ name, \ stack[stack_top], \ &structure)); \ assertf( \ stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \ "too many nested structures"); \ stack[++stack_top] = structure; \ } #define begin_struct_array(name) { \ YR_OBJECT* structure; \ YR_OBJECT* array; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_ARRAY, \ name, \ stack[stack_top], \ &array)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRUCTURE, \ name, \ array, \ &structure)); \ assertf( \ stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \ "too many nested structures"); \ stack[++stack_top] = structure; \ } #define begin_struct_dictionary(name) { \ YR_OBJECT* structure; \ YR_OBJECT* array; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_DICTIONARY, \ name, \ stack[stack_top], \ &array)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRUCTURE, \ name, \ array, \ &structure)); \ assertf( \ stack_top < sizeof(stack)/sizeof(stack[0]) - 1, \ "too many nested structures"); \ stack[++stack_top] = structure; \ } #define end_struct(name) { \ assert(stack[stack_top]->type == OBJECT_TYPE_STRUCTURE); \ assertf( \ strcmp(stack[stack_top]->identifier, name) == 0, \ "unbalanced begin_struct/end_struct"); \ stack_top--; \ } #define end_struct_array(name) end_struct(name) #define end_struct_dictionary(name) end_struct(name) #define declare_integer(name) { \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_INTEGER, \ name, \ stack[stack_top], \ NULL)); \ } #define declare_integer_array(name) { \ YR_OBJECT* array; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_ARRAY, \ name, \ stack[stack_top], \ &array)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_INTEGER, \ name, \ array, \ NULL)); \ } #define declare_integer_dictionary(name) { \ YR_OBJECT* dict; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_DICTIONARY, \ name, \ stack[stack_top], \ &dict)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_INTEGER, \ name, \ dict, \ NULL)); \ } #define declare_float(name) { \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_FLOAT, \ name, \ stack[stack_top], \ NULL)); \ } #define declare_float_array(name) { \ YR_OBJECT* array; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_ARRAY, \ name, \ stack[stack_top], \ &array)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_FLOAT, \ name, \ array, \ NULL)); \ } #define declare_float_dictionary(name) { \ YR_OBJECT* dict; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_DICTIONARY, \ name, \ stack[stack_top], \ &dict)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_FLOAT, \ name, \ dict, \ NULL)); \ } #define declare_string(name) { \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRING, \ name, \ stack[stack_top], \ NULL)); \ } #define declare_string_array(name) { \ YR_OBJECT* array; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_ARRAY, \ name, \ stack[stack_top], \ &array)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRING, \ name, \ array, \ NULL)); \ } #define declare_string_dictionary(name) { \ YR_OBJECT* dict; \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_DICTIONARY, \ name, \ stack[stack_top], \ &dict)); \ FAIL_ON_ERROR(yr_object_create( \ OBJECT_TYPE_STRING, \ name, \ dict, \ NULL)); \ } #define declare_function(name, args_fmt, ret_fmt, func) { \ YR_OBJECT* function; \ FAIL_ON_ERROR(yr_object_function_create( \ name, \ args_fmt, \ ret_fmt, \ func, \ stack[stack_top], \ &function)); \ } #define define_function(func) \ int func ( \ YR_VALUE* __args, \ YR_SCAN_CONTEXT* __context, \ YR_OBJECT_FUNCTION* __function_obj) #define sized_string_argument(n) \ (__args[n-1].ss) #define string_argument(n) \ (sized_string_argument(n)->c_string) #define integer_argument(n) \ (__args[n-1].i) #define float_argument(n) \ (__args[n-1].d) #define regexp_argument(n) \ ((RE*)(__args[n-1].re)) #define module() yr_object_get_root((YR_OBJECT*) __function_obj) #define parent() (__function_obj->parent) #define scan_context() (__context) #define foreach_memory_block(iterator, block) \ for (block = iterator->first(iterator); \ block != NULL; \ block = iterator->next(iterator)) \ #define first_memory_block(context) \ (context)->iterator->first((context)->iterator) #define is_undefined(object, ...) \ yr_object_has_undefined_value(object, __VA_ARGS__) #define get_object(object, ...) \ yr_object_lookup(object, 0, __VA_ARGS__) #define get_integer(object, ...) \ yr_object_get_integer(object, __VA_ARGS__) #define get_float(object, ...) \ yr_object_get_float(object, __VA_ARGS__) #define get_string(object, ...) \ yr_object_get_string(object, __VA_ARGS__) #define set_integer(value, object, ...) \ yr_object_set_integer(value, object, __VA_ARGS__) #define set_float(value, object, ...) \ yr_object_set_float(value, object, __VA_ARGS__) #define set_sized_string(value, len, object, ...) \ yr_object_set_string(value, len, object, __VA_ARGS__) #define set_string(value, object, ...) \ set_sized_string(value, strlen(value), object, __VA_ARGS__) #define return_integer(integer) { \ assertf( \ __function_obj->return_obj->type == OBJECT_TYPE_INTEGER, \ "return type differs from function declaration"); \ yr_object_set_integer( \ (integer), \ __function_obj->return_obj, \ NULL); \ return ERROR_SUCCESS; \ } #define return_float(double_) { \ double d = (double) (double_); \ assertf( \ __function_obj->return_obj->type == OBJECT_TYPE_FLOAT, \ "return type differs from function declaration"); \ yr_object_set_float( \ (d != (double) UNDEFINED) ? d : NAN, \ __function_obj->return_obj, \ NULL); \ return ERROR_SUCCESS; \ } #define return_string(string) { \ char* s = (char*) (string); \ assertf( \ __function_obj->return_obj->type == OBJECT_TYPE_STRING, \ "return type differs from function declaration"); \ yr_object_set_string( \ (s != (char*) UNDEFINED) ? s : NULL, \ (s != (char*) UNDEFINED) ? strlen(s) : 0, \ __function_obj->return_obj, \ NULL); \ return ERROR_SUCCESS; \ } struct _YR_MODULE; typedef int (*YR_EXT_INITIALIZE_FUNC)( struct _YR_MODULE* module); typedef int (*YR_EXT_FINALIZE_FUNC)( struct _YR_MODULE* module); typedef int (*YR_EXT_DECLARATIONS_FUNC)( YR_OBJECT* module_object); typedef int (*YR_EXT_LOAD_FUNC)( YR_SCAN_CONTEXT* context, YR_OBJECT* module_object, void* module_data, size_t module_data_size); typedef int (*YR_EXT_UNLOAD_FUNC)( YR_OBJECT* module_object); typedef struct _YR_MODULE { char* name; YR_EXT_DECLARATIONS_FUNC declarations; YR_EXT_LOAD_FUNC load; YR_EXT_UNLOAD_FUNC unload; YR_EXT_INITIALIZE_FUNC initialize; YR_EXT_FINALIZE_FUNC finalize; } YR_MODULE; typedef struct _YR_MODULE_IMPORT { const char* module_name; void* module_data; size_t module_data_size; } YR_MODULE_IMPORT; int yr_modules_initialize(void); int yr_modules_finalize(void); int yr_modules_do_declarations( const char* module_name, YR_OBJECT* main_structure); int yr_modules_load( const char* module_name, YR_SCAN_CONTEXT* context); int yr_modules_unload_all( YR_SCAN_CONTEXT* context); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/object.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_OBJECT_H #define YR_OBJECT_H #ifdef _MSC_VER #include #ifndef isnan #define isnan _isnan #endif #ifndef INFINITY #define INFINITY (DBL_MAX + DBL_MAX) #endif #ifndef NAN #define NAN (INFINITY-INFINITY) #endif #endif #include "types.h" #define OBJECT_CREATE 1 #define OBJECT_TYPE_INTEGER 1 #define OBJECT_TYPE_STRING 2 #define OBJECT_TYPE_STRUCTURE 3 #define OBJECT_TYPE_ARRAY 4 #define OBJECT_TYPE_FUNCTION 5 #define OBJECT_TYPE_DICTIONARY 6 #define OBJECT_TYPE_FLOAT 7 int yr_object_create( int8_t type, const char* identifier, YR_OBJECT* parent, YR_OBJECT** object); int yr_object_function_create( const char* identifier, const char* arguments_fmt, const char* return_fmt, YR_MODULE_FUNC func, YR_OBJECT* parent, YR_OBJECT** function); int yr_object_from_external_variable( YR_EXTERNAL_VARIABLE* external, YR_OBJECT** object); void yr_object_destroy( YR_OBJECT* object); int yr_object_copy( YR_OBJECT* object, YR_OBJECT** object_copy); YR_OBJECT* yr_object_lookup_field( YR_OBJECT* object, const char* field_name); YR_OBJECT* yr_object_lookup( YR_OBJECT* root, int flags, const char* pattern, ...); int yr_object_has_undefined_value( YR_OBJECT* object, const char* field, ...); int64_t yr_object_get_integer( YR_OBJECT* object, const char* field, ...); SIZED_STRING* yr_object_get_string( YR_OBJECT* object, const char* field, ...); int yr_object_set_integer( int64_t value, YR_OBJECT* object, const char* field, ...); int yr_object_set_float( double value, YR_OBJECT* object, const char* field, ...); int yr_object_set_string( const char* value, size_t len, YR_OBJECT* object, const char* field, ...); YR_OBJECT* yr_object_array_get_item( YR_OBJECT* object, int flags, int index); int yr_object_array_set_item( YR_OBJECT* object, YR_OBJECT* item, int index); YR_OBJECT* yr_object_dict_get_item( YR_OBJECT* object, int flags, const char* key); int yr_object_dict_set_item( YR_OBJECT* object, YR_OBJECT* item, const char* key); int yr_object_structure_set_member( YR_OBJECT* object, YR_OBJECT* member); YR_OBJECT* yr_object_get_root( YR_OBJECT* object); YR_API void yr_object_print_data( YR_OBJECT* object, int indent, int print_identifier); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/parser.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_PARSER_H #define YR_PARSER_H #include "lexer.h" int yr_parser_emit( yyscan_t yyscanner, uint8_t instruction, uint8_t** instruction_address); int yr_parser_emit_with_arg( yyscan_t yyscanner, uint8_t instruction, int64_t argument, uint8_t** instruction_address, int64_t** argument_address); int yr_parser_emit_with_arg_double( yyscan_t yyscanner, uint8_t instruction, double argument, uint8_t** instruction_address, double** argument_address); int yr_parser_emit_with_arg_reloc( yyscan_t yyscanner, uint8_t instruction, void* argument, uint8_t** instruction_address, void** argument_address); int yr_parser_check_types( YR_COMPILER* compiler, YR_OBJECT_FUNCTION* function, const char* actual_args_fmt); YR_STRING* yr_parser_lookup_string( yyscan_t yyscanner, const char* identifier); int yr_parser_lookup_loop_variable( yyscan_t yyscanner, const char* identifier); YR_RULE* yr_parser_reduce_rule_declaration_phase_1( yyscan_t yyscanner, int32_t flags, const char* identifier); int yr_parser_reduce_rule_declaration_phase_2( yyscan_t yyscanner, YR_RULE* rule); YR_STRING* yr_parser_reduce_string_declaration( yyscan_t yyscanner, int32_t flags, const char* identifier, SIZED_STRING* str); YR_META* yr_parser_reduce_meta_declaration( yyscan_t yyscanner, int32_t type, const char* identifier, const char* string, int64_t integer); int yr_parser_reduce_string_identifier( yyscan_t yyscanner, const char* identifier, uint8_t instruction, uint64_t at_offset); int yr_parser_emit_pushes_for_strings( yyscan_t yyscanner, const char* identifier); int yr_parser_reduce_external( yyscan_t yyscanner, const char* identifier, uint8_t instruction); int yr_parser_reduce_import( yyscan_t yyscanner, SIZED_STRING* module_name); int yr_parser_reduce_operation( yyscan_t yyscanner, const char* operation, EXPRESSION left_operand, EXPRESSION right_operand); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/pe.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_PE_H #define YR_PE_H #include "endian.h" #include "types.h" #pragma pack(push, 1) #if defined(_WIN32) || defined(__CYGWIN__) #include // These definitions are not present in older Windows headers. #ifndef IMAGE_FILE_MACHINE_ARMNT #define IMAGE_FILE_MACHINE_ARMNT 0x01c4 #endif #ifndef IMAGE_FILE_MACHINE_ARM64 #define IMAGE_FILE_MACHINE_ARM64 0xaa64 #endif #else #include #include "integers.h" typedef uint8_t BYTE; typedef uint16_t WORD; typedef uint32_t DWORD; typedef int32_t LONG; typedef uint32_t ULONG; typedef uint64_t ULONGLONG; #define FIELD_OFFSET(type, field) ((size_t)&(((type *)0)->field)) #ifndef _MAC #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ #define IMAGE_OS2_SIGNATURE 0x454E // NE #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE #define IMAGE_VXD_SIGNATURE 0x454C // LE #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 #else #define IMAGE_DOS_SIGNATURE 0x4D5A // MZ #define IMAGE_OS2_SIGNATURE 0x4E45 // NE #define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE #define IMAGE_NT_SIGNATURE 0x50450000 // PE00 #endif #pragma pack(push, 2) typedef struct _IMAGE_DOS_HEADER // DOS .EXE header { WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; #pragma pack(pop) // // File header format. // #pragma pack(push,4) typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; #define IMAGE_SIZEOF_FILE_HEADER 20 #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file. #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references). #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file. #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file. #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed. #define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine. #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file. #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file. #define IMAGE_FILE_SYSTEM 0x1000 // System File. #define IMAGE_FILE_DLL 0x2000 // File is a DLL. #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed. #define IMAGE_FILE_MACHINE_UNKNOWN 0x0000 #define IMAGE_FILE_MACHINE_AM33 0x01d3 #define IMAGE_FILE_MACHINE_AMD64 0x8664 #define IMAGE_FILE_MACHINE_ARM 0x01c0 #define IMAGE_FILE_MACHINE_ARMNT 0x01c4 #define IMAGE_FILE_MACHINE_ARM64 0xaa64 #define IMAGE_FILE_MACHINE_EBC 0x0ebc #define IMAGE_FILE_MACHINE_I386 0x014c #define IMAGE_FILE_MACHINE_IA64 0x0200 #define IMAGE_FILE_MACHINE_M32R 0x9041 #define IMAGE_FILE_MACHINE_MIPS16 0x0266 #define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 #define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 #define IMAGE_FILE_MACHINE_POWERPC 0x01f0 #define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1 #define IMAGE_FILE_MACHINE_R4000 0x0166 #define IMAGE_FILE_MACHINE_SH3 0x01a2 #define IMAGE_FILE_MACHINE_SH3DSP 0x01a3 #define IMAGE_FILE_MACHINE_SH4 0x01a6 #define IMAGE_FILE_MACHINE_SH5 0x01a8 #define IMAGE_FILE_MACHINE_THUMB 0x01c2 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // Section characteristics #define IMAGE_SCN_CNT_CODE 0x00000020 #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 #define IMAGE_SCN_GPREL 0x00008000 #define IMAGE_SCN_MEM_16BIT 0x00020000 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 #define IMAGE_SCN_MEM_SHARED 0x10000000 #define IMAGE_SCN_MEM_EXECUTE 0x20000000 #define IMAGE_SCN_MEM_READ 0x40000000 #define IMAGE_SCN_MEM_WRITE 0x80000000 // // Directory format. // typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory #define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor // // Optional header format. // typedef struct _IMAGE_OPTIONAL_HEADER32 { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; typedef struct _IMAGE_OPTIONAL_HEADER64 { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; ULONGLONG ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; ULONGLONG SizeOfStackReserve; ULONGLONG SizeOfStackCommit; ULONGLONG SizeOfHeapReserve; ULONGLONG SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b typedef struct _IMAGE_NT_HEADERS32 { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader; } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; typedef struct _IMAGE_NT_HEADERS64 { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64; // IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is // the same either way. #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \ ((BYTE*)ntheader + \ FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \ yr_le16toh(((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader) \ )) // Subsystem Values #define IMAGE_SUBSYSTEM_UNKNOWN 0 #define IMAGE_SUBSYSTEM_NATIVE 1 #define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 #define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 #define IMAGE_SUBSYSTEM_OS2_CUI 5 #define IMAGE_SUBSYSTEM_POSIX_CUI 7 #define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 #define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 #define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 #define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 #define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 #define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13 #define IMAGE_SUBSYSTEM_XBOX 14 #define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16 // DllCharacteristics values #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 #define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 #define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000 // // Section header format. // #define IMAGE_SIZEOF_SHORT_NAME 8 typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; #define IMAGE_SIZEOF_SECTION_HEADER 40 typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; DWORD AddressOfNames; DWORD AddressOfNameOrdinals; } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; } ; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; } IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR; typedef struct _IMAGE_IMPORT_BY_NAME { WORD Hint; BYTE Name[1]; } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME; typedef struct _IMAGE_THUNK_DATA32 { union { DWORD ForwarderString; DWORD Function; DWORD Ordinal; DWORD AddressOfData; } u1; } IMAGE_THUNK_DATA32, *PIMAGE_THUNK_DATA32; #define IMAGE_ORDINAL_FLAG32 0x80000000 #define IMAGE_ORDINAL_FLAG64 0x8000000000000000L typedef struct _IMAGE_THUNK_DATA64 { union { ULONGLONG ForwarderString; ULONGLONG Function; ULONGLONG Ordinal; ULONGLONG AddressOfData; } u1; } IMAGE_THUNK_DATA64, *PIMAGE_THUNK_DATA64; typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY { DWORD Name; DWORD OffsetToData; } IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY; typedef struct _IMAGE_RESOURCE_DATA_ENTRY { DWORD OffsetToData; DWORD Size; DWORD CodePage; DWORD Reserved; } IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY; typedef struct _IMAGE_RESOURCE_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; WORD NumberOfNamedEntries; WORD NumberOfIdEntries; } IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY; #pragma pack(pop) #endif // _WIN32 typedef struct _VERSION_INFO { WORD Length; WORD ValueLength; WORD Type; char Key[0]; } VERSION_INFO, *PVERSION_INFO; #define WIN_CERT_REVISION_1_0 0x0100 #define WIN_CERT_REVISION_2_0 0x0200 #define WIN_CERT_TYPE_X509 0x0001 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 #define WIN_CERT_TYPE_RESERVED_1 0x0003 #define WIN_CERT_TYPE_TS_STACK_SIGNED 0x0004 typedef struct _WIN_CERTIFICATE { DWORD Length; WORD Revision; WORD CertificateType; BYTE Certificate[0]; } WIN_CERTIFICATE, *PWIN_CERTIFICATE; // // Rich signature. // http://www.ntcore.com/files/richsign.htm // #define RICH_VERSION_ID(id_version) (id_version >> 16) #define RICH_VERSION_VERSION(id_version) (id_version & 0xFFFF) typedef struct _RICH_VERSION_INFO { DWORD id_version; //tool id and version (use RICH_VERSION_ID and RICH_VERSION_VERSION macros) DWORD times; //number of times this tool was used } RICH_VERSION_INFO, *PRICH_VERSION_INFO; typedef struct _RICH_SIGNATURE { DWORD dans; DWORD key1; DWORD key2; DWORD key3; RICH_VERSION_INFO versions[0]; } RICH_SIGNATURE, *PRICH_SIGNATURE; #define RICH_DANS 0x536e6144 // "DanS" #define RICH_RICH 0x68636952 // "Rich" #pragma pack(pop) #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/pe_utils.h ================================================ #ifndef YR_PE_UTILS_H #define YR_PE_UTILS_H #include #define MAX_PE_SECTIONS 96 #define IS_64BITS_PE(pe) \ (yr_le16toh(pe->header64->OptionalHeader.Magic) == IMAGE_NT_OPTIONAL_HDR64_MAGIC) #define OptionalHeader(pe,field) \ (IS_64BITS_PE(pe) ? \ pe->header64->OptionalHeader.field : \ pe->header->OptionalHeader.field) // // Imports are stored in a linked list. Each node (IMPORTED_DLL) contains the // name of the DLL and a pointer to another linked list of // IMPORT_EXPORT_FUNCTION structures containing the details of imported // functions. // typedef struct _IMPORTED_DLL { char* name; struct _IMPORT_EXPORT_FUNCTION* functions; struct _IMPORTED_DLL* next; } IMPORTED_DLL, *PIMPORTED_DLL; // // This is used to track imported and exported functions. The "has_ordinal" // field is only used in the case of imports as those are optional. Every export // has an ordinal so we don't need the field there, but in the interest of // keeping duplicate code to a minimum we use this function for both imports and // exports. // typedef struct _IMPORT_EXPORT_FUNCTION { char* name; uint8_t has_ordinal; uint16_t ordinal; struct _IMPORT_EXPORT_FUNCTION* next; } IMPORT_EXPORT_FUNCTION, *PIMPORT_EXPORT_FUNCTION; typedef struct _PE { uint8_t* data; size_t data_size; union { PIMAGE_NT_HEADERS32 header; PIMAGE_NT_HEADERS64 header64; }; YR_OBJECT* object; IMPORTED_DLL* imported_dlls; IMPORT_EXPORT_FUNCTION* exported_functions; uint32_t resources; } PE; #define fits_in_pe(pe, pointer, size) \ ((size_t) size <= pe->data_size && \ (uint8_t*) (pointer) >= pe->data && \ (uint8_t*) (pointer) <= pe->data + pe->data_size - size) #define struct_fits_in_pe(pe, pointer, struct_type) \ fits_in_pe(pe, pointer, sizeof(struct_type)) PIMAGE_NT_HEADERS32 pe_get_header( uint8_t* data, size_t data_size); PIMAGE_DATA_DIRECTORY pe_get_directory_entry( PE* pe, int entry); PIMAGE_DATA_DIRECTORY pe_get_directory_entry( PE* pe, int entry); int64_t pe_rva_to_offset( PE* pe, uint64_t rva); char* ord_lookup( char* dll, uint16_t ord); #if HAVE_LIBCRYPTO #include time_t ASN1_get_time_t(ASN1_TIME* time); #endif #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/proc.h ================================================ /* Copyright (c) 2007. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_PROC_H #define YR_PROC_H #include "types.h" int yr_process_open_iterator( int pid, YR_MEMORY_BLOCK_ITERATOR* iterator); int yr_process_close_iterator( YR_MEMORY_BLOCK_ITERATOR* iterator); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/re.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_RE_H #define YR_RE_H #include #include "arena.h" #include "sizedstr.h" #define RE_NODE_LITERAL 1 #define RE_NODE_MASKED_LITERAL 2 #define RE_NODE_ANY 3 #define RE_NODE_CONCAT 4 #define RE_NODE_ALT 5 #define RE_NODE_RANGE 6 #define RE_NODE_STAR 7 #define RE_NODE_PLUS 8 #define RE_NODE_CLASS 9 #define RE_NODE_WORD_CHAR 10 #define RE_NODE_NON_WORD_CHAR 11 #define RE_NODE_SPACE 12 #define RE_NODE_NON_SPACE 13 #define RE_NODE_DIGIT 14 #define RE_NODE_NON_DIGIT 15 #define RE_NODE_EMPTY 16 #define RE_NODE_ANCHOR_START 17 #define RE_NODE_ANCHOR_END 18 #define RE_NODE_WORD_BOUNDARY 19 #define RE_NODE_NON_WORD_BOUNDARY 20 #define RE_NODE_RANGE_ANY 21 #define RE_OPCODE_ANY 0xA0 #define RE_OPCODE_ANY_EXCEPT_NEW_LINE 0xA1 #define RE_OPCODE_LITERAL 0xA2 #define RE_OPCODE_MASKED_LITERAL 0xA4 #define RE_OPCODE_CLASS 0xA5 #define RE_OPCODE_WORD_CHAR 0xA7 #define RE_OPCODE_NON_WORD_CHAR 0xA8 #define RE_OPCODE_SPACE 0xA9 #define RE_OPCODE_NON_SPACE 0xAA #define RE_OPCODE_DIGIT 0xAB #define RE_OPCODE_NON_DIGIT 0xAC #define RE_OPCODE_MATCH 0xAD #define RE_OPCODE_MATCH_AT_END 0xB0 #define RE_OPCODE_MATCH_AT_START 0xB1 #define RE_OPCODE_WORD_BOUNDARY 0xB2 #define RE_OPCODE_NON_WORD_BOUNDARY 0xB3 #define RE_OPCODE_REPEAT_ANY_GREEDY 0xB4 #define RE_OPCODE_REPEAT_ANY_UNGREEDY 0xB5 #define RE_OPCODE_SPLIT_A 0xC0 #define RE_OPCODE_SPLIT_B 0xC1 #define RE_OPCODE_JUMP 0xC2 #define RE_OPCODE_REPEAT_START_GREEDY 0xC3 #define RE_OPCODE_REPEAT_END_GREEDY 0xC4 #define RE_OPCODE_REPEAT_START_UNGREEDY 0xC5 #define RE_OPCODE_REPEAT_END_UNGREEDY 0xC6 #define RE_FLAGS_FAST_REGEXP 0x02 #define RE_FLAGS_BACKWARDS 0x04 #define RE_FLAGS_EXHAUSTIVE 0x08 #define RE_FLAGS_WIDE 0x10 #define RE_FLAGS_NO_CASE 0x20 #define RE_FLAGS_SCAN 0x40 #define RE_FLAGS_DOT_ALL 0x80 #define RE_FLAGS_GREEDY 0x400 #define RE_FLAGS_UNGREEDY 0x800 typedef struct RE RE; typedef struct RE_AST RE_AST; typedef struct RE_NODE RE_NODE; typedef struct RE_ERROR RE_ERROR; typedef uint8_t RE_SPLIT_ID_TYPE; struct RE_NODE { int type; union { int value; int count; int start; }; union { int mask; int end; }; int greedy; uint8_t* class_vector; RE_NODE* left; RE_NODE* right; uint8_t* forward_code; uint8_t* backward_code; }; struct RE_AST { uint32_t flags; RE_NODE* root_node; }; // Disable warning due to zero length array in Microsoft's compiler #ifdef _MSC_VER #pragma warning(push) #pragma warning(disable:4200) #endif struct RE { uint32_t flags; uint8_t code[0]; }; #ifdef _MSC_VER #pragma warning(pop) #endif struct RE_ERROR { char message[512]; }; typedef int RE_MATCH_CALLBACK_FUNC( uint8_t* match, int match_length, int flags, void* args); int yr_re_ast_create( RE_AST** re_ast); void yr_re_ast_destroy( RE_AST* re_ast); void yr_re_ast_print( RE_AST* re_ast); SIZED_STRING* yr_re_ast_extract_literal( RE_AST* re_ast); int yr_re_ast_contains_dot_star( RE_AST* re_ast); int yr_re_ast_split_at_chaining_point( RE_AST* re_ast, RE_AST** result_re_ast, RE_AST** remainder_re_ast, int32_t* min_gap, int32_t* max_gap); int yr_re_ast_emit_code( RE_AST* re_ast, YR_ARENA* arena, int backwards_code); RE_NODE* yr_re_node_create( int type, RE_NODE* left, RE_NODE* right); void yr_re_node_destroy( RE_NODE* node); int yr_re_exec( uint8_t* re_code, uint8_t* input, size_t input_forwards_size, size_t input_backwards_size, int flags, RE_MATCH_CALLBACK_FUNC callback, void* callback_args, int* matches); int yr_re_fast_exec( uint8_t* code, uint8_t* input_data, size_t input_forwards_size, size_t input_backwards_size, int flags, RE_MATCH_CALLBACK_FUNC callback, void* callback_args, int* matches); int yr_re_parse( const char* re_string, RE_AST** re_ast, RE_ERROR* error); int yr_re_parse_hex( const char* hex_string, RE_AST** re_ast, RE_ERROR* error); int yr_re_compile( const char* re_string, int flags, YR_ARENA* code_arena, RE** re, RE_ERROR* error); int yr_re_match( RE* re, const char* target); int yr_re_initialize(void); int yr_re_finalize(void); int yr_re_finalize_thread(void); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/re_lexer.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #undef yyparse #undef yylex #undef yyerror #undef yyfatal #undef yychar #undef yydebug #undef yynerrs #undef yyget_extra #undef yyget_lineno #undef YY_FATAL_ERROR #undef YY_DECL #undef LEX_ENV #define yyparse re_yyparse #define yylex re_yylex #define yyerror re_yyerror #define yyfatal re_yyfatal #define yychar re_yychar #define yydebug re_yydebug #define yynerrs re_yynerrs #define yyget_extra re_yyget_extra #define yyget_lineno re_yyget_lineno #ifndef YY_TYPEDEF_YY_SCANNER_T #define YY_TYPEDEF_YY_SCANNER_T typedef void* yyscan_t; #endif #define YY_EXTRA_TYPE RE_AST* #define YY_USE_CONST typedef struct _RE_LEX_ENVIRONMENT { int negated_class; uint8_t class_vector[32]; int last_error_code; char last_error_message[256]; } RE_LEX_ENVIRONMENT; #define LEX_ENV ((RE_LEX_ENVIRONMENT*) lex_env) #define YY_FATAL_ERROR(msg) re_yyfatal(yyscanner, msg) #include #define YY_DECL int re_yylex \ (YYSTYPE * yylval_param , yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env) YY_EXTRA_TYPE yyget_extra( yyscan_t yyscanner); int yylex( YYSTYPE* yylval_param, yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env); int yyparse( void* yyscanner, RE_LEX_ENVIRONMENT* lex_env); void yyerror( yyscan_t yyscanner, RE_LEX_ENVIRONMENT* lex_env, const char* error_message); void yyfatal( yyscan_t yyscanner, const char* error_message); int yr_parse_re_string( const char* re_string, RE_AST** re_ast, RE_ERROR* error); ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/rules.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_RULES_H #define YR_RULES_H #include "types.h" #include "utils.h" #include "filemap.h" #define CALLBACK_MSG_RULE_MATCHING 1 #define CALLBACK_MSG_RULE_NOT_MATCHING 2 #define CALLBACK_MSG_SCAN_FINISHED 3 #define CALLBACK_MSG_IMPORT_MODULE 4 #define CALLBACK_MSG_MODULE_IMPORTED 5 #define CALLBACK_CONTINUE 0 #define CALLBACK_ABORT 1 #define CALLBACK_ERROR 2 #define yr_rule_tags_foreach(rule, tag_name) \ for (tag_name = rule->tags; \ tag_name != NULL && *tag_name != '\0'; \ tag_name += strlen(tag_name) + 1) #define yr_rule_metas_foreach(rule, meta) \ for (meta = rule->metas; !META_IS_NULL(meta); meta++) #define yr_rule_strings_foreach(rule, string) \ for (string = rule->strings; !STRING_IS_NULL(string); string++) #define yr_string_matches_foreach(string, match) \ for (match = STRING_MATCHES(string).head; match != NULL; match = match->next) #define yr_rules_foreach(rules, rule) \ for (rule = rules->rules_list_head; !RULE_IS_NULL(rule); rule++) YR_API int yr_rules_scan_mem( YR_RULES* rules, uint8_t* buffer, size_t buffer_size, int flags, YR_CALLBACK_FUNC callback, void* user_data, int timeout); YR_API int yr_rules_scan_file( YR_RULES* rules, const char* filename, int flags, YR_CALLBACK_FUNC callback, void* user_data, int timeout); YR_API int yr_rules_scan_fd( YR_RULES* rules, YR_FILE_DESCRIPTOR fd, int flags, YR_CALLBACK_FUNC callback, void* user_data, int timeout); YR_API int yr_rules_scan_proc( YR_RULES* rules, int pid, int flags, YR_CALLBACK_FUNC callback, void* user_data, int timeout); YR_API int yr_rules_save( YR_RULES* rules, const char* filename); YR_API int yr_rules_save_stream( YR_RULES* rules, YR_STREAM* stream); YR_API int yr_rules_load( const char* filename, YR_RULES** rules); YR_API int yr_rules_load_stream( YR_STREAM* stream, YR_RULES** rules); YR_API int yr_rules_destroy( YR_RULES* rules); YR_API int yr_rules_define_integer_variable( YR_RULES* rules, const char* identifier, int64_t value); YR_API int yr_rules_define_boolean_variable( YR_RULES* rules, const char* identifier, int value); YR_API int yr_rules_define_float_variable( YR_RULES* rules, const char* identifier, double value); YR_API int yr_rules_define_string_variable( YR_RULES* rules, const char* identifier, const char* value); YR_API void yr_rules_print_profiling_info( YR_RULES* rules); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/scan.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_SCAN_H #define YR_SCAN_H #include "types.h" // Bitmasks for flags. #define SCAN_FLAGS_FAST_MODE 1 #define SCAN_FLAGS_PROCESS_MEMORY 2 #define SCAN_FLAGS_NO_TRYCATCH 4 int yr_scan_verify_match( YR_SCAN_CONTEXT* context, YR_AC_MATCH* ac_match, uint8_t* data, size_t data_size, size_t data_base, size_t offset); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/sizedstr.h ================================================ /* Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _SIZEDSTR_H #define _SIZEDSTR_H #include #include "integers.h" // // This struct is used to support strings containing null chars. The length of // the string is stored along the string data. However the string data is also // terminated with a null char. // #define SIZED_STRING_FLAGS_NO_CASE 1 #define SIZED_STRING_FLAGS_DOT_ALL 2 #pragma pack(push) #pragma pack(8) typedef struct _SIZED_STRING { uint32_t length; uint32_t flags; char c_string[1]; } SIZED_STRING; #pragma pack(pop) int sized_string_cmp( SIZED_STRING* s1, SIZED_STRING* s2); SIZED_STRING* sized_string_dup( SIZED_STRING* s); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/stream.h ================================================ /* Copyright (c) 2015. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_STREAM_H #define YR_STREAM_H #include typedef size_t (*YR_STREAM_READ_FUNC)( void* ptr, size_t size, size_t count, void* user_data); typedef size_t (*YR_STREAM_WRITE_FUNC)( const void* ptr, size_t size, size_t count, void* user_data); typedef struct _YR_STREAM { void* user_data; YR_STREAM_READ_FUNC read; YR_STREAM_WRITE_FUNC write; } YR_STREAM; size_t yr_stream_read( void* ptr, size_t size, size_t count, YR_STREAM* stream); size_t yr_stream_write( const void* ptr, size_t size, size_t count, YR_STREAM* stream); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/strutils.h ================================================ /* Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_STRUTILS_H #define YR_STRUTILS_H #include #include #include "integers.h" // Cygwin already has these functions. #if defined(_WIN32) && !defined(__CYGWIN__) #if defined(_MSC_VER) && _MSC_VER < 1900 #define snprintf _snprintf #endif #define strcasecmp _stricmp #define strncasecmp _strnicmp #endif uint64_t xtoi( const char* hexstr); #if !HAVE_STRLCPY && !defined(strlcpy) size_t strlcpy( char* dst, const char* src, size_t size); #endif #if !HAVE_STRLCAT && !defined(strlcat) size_t strlcat( char* dst, const char* src, size_t size); #endif #if !HAVE_MEMMEM && !defined(memmem) void* memmem( const void* haystack, size_t haystack_size, const void* needle, size_t needle_size); #endif int strnlen_w( const char* w_str); int strcmp_w( const char* w_str, const char* str); size_t strlcpy_w( char* dst, const char* w_src, size_t n); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/threading.h ================================================ /* Copyright (c) 2016. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_MUTEX_H #define YR_MUTEX_H #if defined(_WIN32) || defined(__CYGWIN__) #include typedef DWORD YR_THREAD_ID; typedef DWORD YR_THREAD_STORAGE_KEY; typedef HANDLE YR_MUTEX; #else #include typedef pthread_t YR_THREAD_ID; typedef pthread_key_t YR_THREAD_STORAGE_KEY; typedef pthread_mutex_t YR_MUTEX; #endif YR_THREAD_ID yr_current_thread_id(void); int yr_mutex_create(YR_MUTEX*); int yr_mutex_destroy(YR_MUTEX*); int yr_mutex_lock(YR_MUTEX*); int yr_mutex_unlock(YR_MUTEX*); int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*); int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*); int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*); void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*); #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/types.h ================================================ /* Copyright (c) 2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_TYPES_H #define YR_TYPES_H #include "arena.h" #include "re.h" #include "limits.h" #include "hash.h" #include "utils.h" #include "threading.h" #ifdef PROFILING_ENABLED #include #endif #define DECLARE_REFERENCE(type, name) \ union { type name; int64_t name##_; } YR_ALIGN(8) #define NAMESPACE_TFLAGS_UNSATISFIED_GLOBAL 0x01 #define STRING_GFLAGS_REFERENCED 0x01 #define STRING_GFLAGS_HEXADECIMAL 0x02 #define STRING_GFLAGS_NO_CASE 0x04 #define STRING_GFLAGS_ASCII 0x08 #define STRING_GFLAGS_WIDE 0x10 #define STRING_GFLAGS_REGEXP 0x20 #define STRING_GFLAGS_FAST_REGEXP 0x40 #define STRING_GFLAGS_FULL_WORD 0x80 #define STRING_GFLAGS_ANONYMOUS 0x100 #define STRING_GFLAGS_SINGLE_MATCH 0x200 #define STRING_GFLAGS_LITERAL 0x400 #define STRING_GFLAGS_FITS_IN_ATOM 0x800 #define STRING_GFLAGS_NULL 0x1000 #define STRING_GFLAGS_CHAIN_PART 0x2000 #define STRING_GFLAGS_CHAIN_TAIL 0x4000 #define STRING_GFLAGS_FIXED_OFFSET 0x8000 #define STRING_GFLAGS_GREEDY_REGEXP 0x10000 #define STRING_GFLAGS_DOT_ALL 0x20000 #define STRING_IS_HEX(x) \ (((x)->g_flags) & STRING_GFLAGS_HEXADECIMAL) #define STRING_IS_NO_CASE(x) \ (((x)->g_flags) & STRING_GFLAGS_NO_CASE) #define STRING_IS_DOT_ALL(x) \ (((x)->g_flags) & STRING_GFLAGS_DOT_ALL) #define STRING_IS_ASCII(x) \ (((x)->g_flags) & STRING_GFLAGS_ASCII) #define STRING_IS_WIDE(x) \ (((x)->g_flags) & STRING_GFLAGS_WIDE) #define STRING_IS_REGEXP(x) \ (((x)->g_flags) & STRING_GFLAGS_REGEXP) #define STRING_IS_GREEDY_REGEXP(x) \ (((x)->g_flags) & STRING_GFLAGS_GREEDY_REGEXP) #define STRING_IS_FULL_WORD(x) \ (((x)->g_flags) & STRING_GFLAGS_FULL_WORD) #define STRING_IS_ANONYMOUS(x) \ (((x)->g_flags) & STRING_GFLAGS_ANONYMOUS) #define STRING_IS_REFERENCED(x) \ (((x)->g_flags) & STRING_GFLAGS_REFERENCED) #define STRING_IS_SINGLE_MATCH(x) \ (((x)->g_flags) & STRING_GFLAGS_SINGLE_MATCH) #define STRING_IS_FIXED_OFFSET(x) \ (((x)->g_flags) & STRING_GFLAGS_FIXED_OFFSET) #define STRING_IS_LITERAL(x) \ (((x)->g_flags) & STRING_GFLAGS_LITERAL) #define STRING_IS_FAST_REGEXP(x) \ (((x)->g_flags) & STRING_GFLAGS_FAST_REGEXP) #define STRING_IS_CHAIN_PART(x) \ (((x)->g_flags) & STRING_GFLAGS_CHAIN_PART) #define STRING_IS_CHAIN_TAIL(x) \ (((x)->g_flags) & STRING_GFLAGS_CHAIN_TAIL) #define STRING_IS_NULL(x) \ ((x) == NULL || ((x)->g_flags) & STRING_GFLAGS_NULL) #define STRING_FITS_IN_ATOM(x) \ (((x)->g_flags) & STRING_GFLAGS_FITS_IN_ATOM) #define STRING_FOUND(x) \ ((x)->matches[yr_get_tidx()].tail != NULL) #define STRING_MATCHES(x) \ ((x)->matches[yr_get_tidx()]) #define RULE_TFLAGS_MATCH 0x01 #define RULE_GFLAGS_PRIVATE 0x01 #define RULE_GFLAGS_GLOBAL 0x02 #define RULE_GFLAGS_REQUIRE_EXECUTABLE 0x04 #define RULE_GFLAGS_REQUIRE_FILE 0x08 #define RULE_GFLAGS_NULL 0x1000 #define RULE_IS_PRIVATE(x) \ (((x)->g_flags) & RULE_GFLAGS_PRIVATE) #define RULE_IS_GLOBAL(x) \ (((x)->g_flags) & RULE_GFLAGS_GLOBAL) #define RULE_IS_NULL(x) \ (((x)->g_flags) & RULE_GFLAGS_NULL) #define RULE_MATCHES(x) \ ((x)->t_flags[yr_get_tidx()] & RULE_TFLAGS_MATCH) #define META_TYPE_NULL 0 #define META_TYPE_INTEGER 1 #define META_TYPE_STRING 2 #define META_TYPE_BOOLEAN 3 #define META_IS_NULL(x) \ ((x) != NULL ? (x)->type == META_TYPE_NULL : TRUE) #define EXTERNAL_VARIABLE_TYPE_NULL 0 #define EXTERNAL_VARIABLE_TYPE_FLOAT 1 #define EXTERNAL_VARIABLE_TYPE_INTEGER 2 #define EXTERNAL_VARIABLE_TYPE_BOOLEAN 3 #define EXTERNAL_VARIABLE_TYPE_STRING 4 #define EXTERNAL_VARIABLE_TYPE_MALLOC_STRING 5 #define EXTERNAL_VARIABLE_IS_NULL(x) \ ((x) != NULL ? (x)->type == EXTERNAL_VARIABLE_TYPE_NULL : TRUE) #pragma pack(push) #pragma pack(8) typedef struct _YR_NAMESPACE { int32_t t_flags[MAX_THREADS]; // Thread-specific flags DECLARE_REFERENCE(char*, name); } YR_NAMESPACE; typedef struct _YR_META { int32_t type; YR_ALIGN(8) int64_t integer; DECLARE_REFERENCE(const char*, identifier); DECLARE_REFERENCE(char*, string); } YR_META; struct _YR_MATCH; typedef struct _YR_MATCHES { int32_t count; DECLARE_REFERENCE(struct _YR_MATCH*, head); DECLARE_REFERENCE(struct _YR_MATCH*, tail); } YR_MATCHES; typedef struct _YR_STRING { int32_t g_flags; int32_t length; DECLARE_REFERENCE(char*, identifier); DECLARE_REFERENCE(uint8_t*, string); DECLARE_REFERENCE(struct _YR_STRING*, chained_to); int32_t chain_gap_min; int32_t chain_gap_max; int64_t fixed_offset; YR_MATCHES matches[MAX_THREADS]; YR_MATCHES unconfirmed_matches[MAX_THREADS]; #ifdef PROFILING_ENABLED clock_t clock_ticks; #endif } YR_STRING; typedef struct _YR_RULE { int32_t g_flags; // Global flags int32_t t_flags[MAX_THREADS]; // Thread-specific flags DECLARE_REFERENCE(const char*, identifier); DECLARE_REFERENCE(const char*, tags); DECLARE_REFERENCE(YR_META*, metas); DECLARE_REFERENCE(YR_STRING*, strings); DECLARE_REFERENCE(YR_NAMESPACE*, ns); #ifdef PROFILING_ENABLED clock_t clock_ticks; #endif } YR_RULE; typedef struct _YR_EXTERNAL_VARIABLE { int32_t type; YR_ALIGN(8) union { int64_t i; double f; char* s; } value; DECLARE_REFERENCE(char*, identifier); } YR_EXTERNAL_VARIABLE; typedef struct _YR_AC_MATCH { uint16_t backtrack; DECLARE_REFERENCE(YR_STRING*, string); DECLARE_REFERENCE(uint8_t*, forward_code); DECLARE_REFERENCE(uint8_t*, backward_code); DECLARE_REFERENCE(struct _YR_AC_MATCH*, next); } YR_AC_MATCH; typedef struct _YR_AC_MATCH_TABLE_ENTRY { DECLARE_REFERENCE(YR_AC_MATCH*, match); } YR_AC_MATCH_TABLE_ENTRY; typedef uint64_t YR_AC_TRANSITION; typedef YR_AC_TRANSITION* YR_AC_TRANSITION_TABLE; typedef YR_AC_MATCH_TABLE_ENTRY* YR_AC_MATCH_TABLE; typedef struct _YARA_RULES_FILE_HEADER { DECLARE_REFERENCE(YR_RULE*, rules_list_head); DECLARE_REFERENCE(YR_EXTERNAL_VARIABLE*, externals_list_head); DECLARE_REFERENCE(uint8_t*, code_start); DECLARE_REFERENCE(YR_AC_MATCH_TABLE, match_table); DECLARE_REFERENCE(YR_AC_TRANSITION_TABLE, transition_table); } YARA_RULES_FILE_HEADER; #pragma pack(pop) // // Structs defined below are never stored in the compiled rules file // typedef struct _YR_MATCH { int64_t base; // Base address for the match int64_t offset; // Offset relative to base for the match int32_t match_length; // Match length int32_t data_length; // Pointer to a buffer containing a portion of the matched data. The size of // the buffer is data_length. data_length is always <= length and is limited // to MAX_MATCH_DATA bytes. uint8_t* data; // If the match belongs to a chained string chain_length contains the // length of the chain. This field is used only in unconfirmed matches. int32_t chain_length; struct _YR_MATCH* prev; struct _YR_MATCH* next; } YR_MATCH; struct _YR_AC_STATE; typedef struct _YR_AC_STATE { uint8_t depth; uint8_t input; uint32_t t_table_slot; struct _YR_AC_STATE* failure; struct _YR_AC_STATE* first_child; struct _YR_AC_STATE* siblings; YR_AC_MATCH* matches; } YR_AC_STATE; typedef struct _YR_AC_AUTOMATON { // Both m_table and t_table have the same number of elements, which is // stored in tables_size. uint32_t tables_size; uint32_t t_table_unused_candidate; YR_AC_TRANSITION_TABLE t_table; YR_AC_MATCH_TABLE m_table; YR_AC_STATE* root; } YR_AC_AUTOMATON; typedef struct _YR_RULES { unsigned char tidx_mask[YR_BITARRAY_NCHARS(MAX_THREADS)]; uint8_t* code_start; YR_MUTEX mutex; YR_ARENA* arena; YR_RULE* rules_list_head; YR_EXTERNAL_VARIABLE* externals_list_head; YR_AC_TRANSITION_TABLE transition_table; YR_AC_MATCH_TABLE match_table; } YR_RULES; struct _YR_MEMORY_BLOCK; struct _YR_MEMORY_BLOCK_ITERATOR; typedef uint8_t* (*YR_MEMORY_BLOCK_FETCH_DATA_FUNC)( struct _YR_MEMORY_BLOCK* self); typedef struct _YR_MEMORY_BLOCK* (*YR_MEMORY_BLOCK_ITERATOR_FUNC)( struct _YR_MEMORY_BLOCK_ITERATOR* self); typedef struct _YR_MEMORY_BLOCK { size_t size; size_t base; void* context; YR_MEMORY_BLOCK_FETCH_DATA_FUNC fetch_data; } YR_MEMORY_BLOCK; typedef struct _YR_MEMORY_BLOCK_ITERATOR { void* context; YR_MEMORY_BLOCK_ITERATOR_FUNC first; YR_MEMORY_BLOCK_ITERATOR_FUNC next; } YR_MEMORY_BLOCK_ITERATOR; typedef int (*YR_CALLBACK_FUNC)( int message, void* message_data, void* user_data); typedef struct _YR_SCAN_CONTEXT { uint64_t file_size; uint64_t entry_point; int flags; int tidx; void* user_data; YR_MEMORY_BLOCK_ITERATOR* iterator; YR_HASH_TABLE* objects_table; YR_CALLBACK_FUNC callback; YR_ARENA* matches_arena; YR_ARENA* matching_strings_arena; } YR_SCAN_CONTEXT; struct _YR_OBJECT; typedef union _YR_VALUE { int64_t i; double d; void* p; struct _YR_OBJECT* o; YR_STRING* s; SIZED_STRING* ss; RE* re; } YR_VALUE; #define OBJECT_COMMON_FIELDS \ int8_t type; \ const char* identifier; \ struct _YR_OBJECT* parent; \ void* data; typedef struct _YR_OBJECT { OBJECT_COMMON_FIELDS YR_VALUE value; } YR_OBJECT; typedef struct _YR_OBJECT_STRUCTURE { OBJECT_COMMON_FIELDS struct _YR_STRUCTURE_MEMBER* members; } YR_OBJECT_STRUCTURE; typedef struct _YR_OBJECT_ARRAY { OBJECT_COMMON_FIELDS YR_OBJECT* prototype_item; struct _YR_ARRAY_ITEMS* items; } YR_OBJECT_ARRAY; typedef struct _YR_OBJECT_DICTIONARY { OBJECT_COMMON_FIELDS YR_OBJECT* prototype_item; struct _YR_DICTIONARY_ITEMS* items; } YR_OBJECT_DICTIONARY; struct _YR_OBJECT_FUNCTION; typedef int (*YR_MODULE_FUNC)( YR_VALUE* args, YR_SCAN_CONTEXT* context, struct _YR_OBJECT_FUNCTION* function_obj); typedef struct _YR_OBJECT_FUNCTION { OBJECT_COMMON_FIELDS YR_OBJECT* return_obj; struct { const char* arguments_fmt; YR_MODULE_FUNC code; } prototypes[MAX_OVERLOADED_FUNCTIONS]; } YR_OBJECT_FUNCTION; #define object_as_structure(obj) ((YR_OBJECT_STRUCTURE*) (obj)) #define object_as_array(obj) ((YR_OBJECT_ARRAY*) (obj)) #define object_as_dictionary(obj) ((YR_OBJECT_DICTIONARY*) (obj)) #define object_as_function(obj) ((YR_OBJECT_FUNCTION*) (obj)) typedef struct _YR_STRUCTURE_MEMBER { YR_OBJECT* object; struct _YR_STRUCTURE_MEMBER* next; } YR_STRUCTURE_MEMBER; typedef struct _YR_ARRAY_ITEMS { int count; YR_OBJECT* objects[1]; } YR_ARRAY_ITEMS; typedef struct _YR_DICTIONARY_ITEMS { int used; int free; struct { char* key; YR_OBJECT* obj; } objects[1]; } YR_DICTIONARY_ITEMS; #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara/utils.h ================================================ /* Copyright (c) 2014. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_UTILS_H #define YR_UTILS_H #include #ifndef TRUE #define TRUE 1 #endif #ifndef FALSE #define FALSE 0 #endif #ifndef NULL #define NULL 0 #endif #ifdef __cplusplus #define EXTERNC extern "C" #else #define EXTERNC #endif #if defined(__GNUC__) #define YR_API EXTERNC __attribute__((visibility("default"))) #elif defined(_MSC_VER) #define YR_API EXTERNC __declspec(dllexport) #else #define YR_API EXTERNC #endif #if defined(__GNUC__) #define YR_ALIGN(n) __attribute__((aligned(n))) #elif defined(_MSC_VER) #define YR_ALIGN(n) __declspec(align(n)) #else #define YR_ALIGN(n) #endif #define yr_min(x, y) ((x < y) ? (x) : (y)) #define yr_max(x, y) ((x > y) ? (x) : (y)) #define yr_swap(x, y, T) do { T temp = x; x = y; y = temp; } while (0) #ifdef NDEBUG #define assertf(expr, msg, ...) ((void)0) #else #include #define assertf(expr, msg, ...) \ if(!(expr)) { \ fprintf(stderr, "%s:%d: " msg "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ abort(); \ } #endif // Set, unset, and test bits in an array of unsigned characters by integer // index. The underlying array must be of type char or unsigned char to // ensure compatibility with the CHAR_BIT constant used in these definitions. #define YR_BITARRAY_SET(uchar_array_base, bitnum) \ (((uchar_array_base)[(bitnum)/CHAR_BIT]) = \ ((uchar_array_base)[(bitnum)/CHAR_BIT] | (1 << ((bitnum) % CHAR_BIT)))) #define YR_BITARRAY_UNSET(uchar_array_base, bitnum) \ (((uchar_array_base)[(bitnum)/CHAR_BIT]) = \ ((uchar_array_base)[(bitnum)/CHAR_BIT] & (~(1 << ((bitnum) % CHAR_BIT))))) #define YR_BITARRAY_TEST(uchar_array_base, bitnum) \ (((uchar_array_base)[(bitnum)/CHAR_BIT] & (1 << ((bitnum) % CHAR_BIT))) != 0) #define YR_BITARRAY_NCHARS(bitnum) \ (((bitnum)+(CHAR_BIT-1))/CHAR_BIT) #endif ================================================ FILE: x64dbgApiBreak/src/incl/pluginsdk/yara/yara.h ================================================ /* Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef YR_YARA_H #define YR_YARA_H #include "yara/utils.h" #include "yara/filemap.h" #include "yara/compiler.h" #include "yara/modules.h" #include "yara/object.h" #include "yara/libyara.h" #include "yara/error.h" #include "yara/stream.h" #include "yara/hash.h" #endif ================================================ FILE: x64dbgApiBreak/src/incl/qpc.hpp ================================================ #ifndef __QPC_HPP__ #define __QPC_HPP__ #include #include static LARGE_INTEGER freq = { 0 }; #if _DEBUG #define DECL_QPREF QPerf ___qperfvar; #define QPERF_BEGIN() ___qperfvar.Begin() #define QPERF_TIME(forWhat) ___qperfvar.TimeFor(forWhat) #define QPERF_DUMP() ___qperfvar.Dump() #else #define DECL_QPREF #define QPERF_BEGIN() #define QPERF_TIME(forWhat) #define QPERF_DUMP() #endif class QPerf { private: struct PerfItem { double timesFromBegin; double timesWork; char nameFor[128]; }; double start, lastWork; PDMA list; double _GetQpc() { LARGE_INTEGER now; QueryPerformanceCounter(&now); now.QuadPart *= 1000; return now.QuadPart / double(freq.QuadPart); } public: QPerf() { if (freq.LowPart == 0) QueryPerformanceFrequency(&freq); if (!DmaCreateAdapter(sizeof(PerfItem), 10, &list)) list = NULL; } ~QPerf() { DmaDestroyAdapter((PDMA)list); } void Begin() { start = _GetQpc(); lastWork = start; } void TimeFor(const char *forWhat) { PerfItem item; double now = _GetQpc(); double elapsed = now - start; item.timesFromBegin = elapsed; elapsed = now - lastWork; item.timesWork = elapsed; lastWork = now; strcpy(item.nameFor, forWhat); DmaWrite(list, DMA_AUTO_OFFSET, sizeof(PerfItem), &item); } void Reset() { DmaSink(list); Begin(); } void Dump() { ARCHWIDE written; ULONG count; PerfItem perf; DmaGetAdapterInfo(list, &written, NULL); count = written / sizeof(PerfItem); for (ULONG i = 0;i < count;i++) { DmaReadTypeAlignedSequence(list, i, 1, &perf); DBGPRINT("%s -> TFB: %lf ms, TW: %lf ms", perf.nameFor, perf.timesFromBegin, perf.timesWork); } } }; #endif ================================================ FILE: x64dbgApiBreak/src/incl/rtf.h ================================================ #ifndef __RTF_H__ #define __RTF_H__ #include #include typedef struct __RTF_DATA { PDMA rtfDma; DWORD state; DWORD * colorTable; LPSTR * fontTable; DWORD colorCount; DWORD fontCount; }*PRTF_DATA,RTF_DATA; typedef enum __RTF_STYLE { RTFS_NONE = 0x00000000, RTFS_BOLD = 0x00000001, RTFS_ITALIC = 0x00000002, RTFS_UNDERLINE = 0x00000004, RTFS_NEWLINE = 0x00000008, RTFS_TAB = 0x00000010, RTFS_PARAGRAPH = 0x00000020 }RTF_STYLE; typedef DWORD RTFRESID; BOOL RtfCreateRtfData(PRTF_DATA *rtfData); BOOL RtfBuildRtfTextA(PRTF_DATA rtf, LPSTR *rtfText, DWORD *textLen); void RtfFreeRtfText(LPSTR rtfText); #define RtfGetRtfText RtfBuildRtfTextA BOOL RtfDestroyRtfData(PRTF_DATA *rtf); BOOL RtfRegisterColor(PRTF_DATA rtf, DWORD color, RTFRESID *resId); BOOL RtfRegisterFont(PRTF_DATA rtf, const LPCSTR fontName, int charset, RTFRESID *resId); BOOL RtfBeginStyleFor(PRTF_DATA rtf, RTF_STYLE rtfStyle, DWORD repeat); BOOL RtfBeginColor(PRTF_DATA rtf, RTFRESID resId); BOOL RtfBeginFont(PRTF_DATA rtf, RTFRESID resId); BOOL RtfBeginFontSize(PRTF_DATA rtf, WORD fontSize); BOOL RtfAppendTextFormatA(PRTF_DATA rtf, LPCSTR format, ...); BOOL RtfAppendTextFormatExA(PRTF_DATA rtf, LPCSTR format, va_list vl); class Rtf { private: PRTF_DATA data; public: Rtf() { RtfCreateRtfData(&data); } ~Rtf() { RtfDestroyRtfData(&data); } bool RegisterFont(const LPCSTR fontName, int charset) { return RtfRegisterFont(data, fontName, charset, NULL); } bool RegisterColor(DWORD color) { return RtfRegisterColor(data, color, NULL); } LPSTR GetRtf() { LPSTR rtfText; if (!RtfBuildRtfTextA(data, &rtfText, NULL)) return NULL; return rtfText; } Rtf *Style(RTF_STYLE style, DWORD repeat) { RtfBeginStyleFor(data, style, repeat); return this; } Rtf *Style(RTF_STYLE style) { return Style(style, 0); } Rtf *Color(RTFRESID colorId) { RtfBeginColor(data, colorId); return this; } Rtf *Font(RTFRESID fontId) { RtfBeginFont(data, fontId); return this; } Rtf *FontSize(WORD size) { RtfBeginFontSize(data, size); return this; } Rtf *FormatText(LPCSTR format, ...) { va_list va; va_start(va, format); RtfAppendTextFormatExA(data, format,va); va_end(va); return this; } Rtf *NewLine(int count) { return Style(RTFS_NEWLINE, count); } Rtf *NewTab(int count) { return Style(RTFS_TAB, count); } }; #endif // !__RTF_H__ ================================================ FILE: x64dbgApiBreak/src/incl/settings.h ================================================ #ifndef __SETTINGS_H_ #define __SETTINGS_H_ #include typedef struct { bool exposeDynamicApiLoads; bool includeGetModuleHandle; bool autoLoadData; bool scanAggressive; bool mapCallContext; char *mainScripts; }Settings; bool AbSettingsLoad(); bool AbSettingsSave(); bool AbSettingsReset(); Settings *AbGetSettings(); void AbSettingsDestroyResources(); #endif // !__SETTINGS_H_ ================================================ FILE: x64dbgApiBreak/src/incl/structmemmap.h ================================================ #ifndef __STRUCTMEMMAP_H__ #define __STRUCTMEMMAP_H__ #include #include typedef struct __FNSIGN *PFNSIGN; BOOL SmmMapFunctionCall(PPASSED_PARAMETER_CONTEXT passedParams, PFNSIGN fnSign, ApiFunctionInfo *afi, LPSTR *mapResult); //BOOL SmmMapRemoteMemory(duint memory, ULONG size, const char *typeName); BOOL SmmMapMemoryForType(void *memory, ULONG size, const char *typeName); BOOL SmmGetFunctionSignature(const char *module, const char *function, PFNSIGN *signInfo); BOOL SmmGetFunctionSignature2(ApiFunctionInfo *afi, PFNSIGN *signInfo); SHORT SmmGetArgumentCount(PFNSIGN signInfo); BOOL SmmSigHasOutArgument(PFNSIGN signInfo); BOOL SmmParseType(LPCSTR typeDefString, WORD *typeCount); BOOL SmmParseFromFileW(LPCWSTR fileName, WORD *typeCount); BOOL SmmParseFromFileA(LPCSTR fileName, WORD *typeCount); BOOL SmmHasParseError(LPSTR *errorString); VOID SmmInitializeResources(); VOID SmmReleaseResources(bool fullRelease); #endif // !__STRUCTMEMMAP_H__ ================================================ FILE: x64dbgApiBreak/src/incl/ui/ctrl/uicheckbox.hpp ================================================ #pragma once #include class UiCheckBox : public UiControlBase { private: public: IMPL_CTRLBASE_CTOR(UiCheckBox) { } bool GetState() { return (bool)SendControlMsg(BM_GETCHECK, NULL, NULL); } void SetState(bool state) { SendControlMsg(BM_SETCHECK, state ? BST_CHECKED : BST_UNCHECKED, NULL); } virtual void OnCommand(WPARAM wp) { if (HIWORD(wp) == BN_CLICKED) { } } }; ================================================ FILE: x64dbgApiBreak/src/incl/ui/ctrl/uicombobox.hpp ================================================ #pragma once #include class UiComboBox : public UiControlBase { private: public: IMPL_CTRLBASE_CTOR(UiComboBox) { } bool AddItem(LPCWSTR itemStr) { return SendMessageW(this->ctrlHwnd, CB_ADDSTRING, NULL, (LPARAM)itemStr) > -1; } bool AddItemA(LPCSTR itemStr) { return SendMessageA(this->ctrlHwnd, CB_ADDSTRING, NULL, (LPARAM)itemStr) > -1; } void Clear() { SendMessage(this->ctrlHwnd, CB_RESETCONTENT, NULL, NULL); } LONG GetSelectedIndex() { return SendMessageW(this->ctrlHwnd, CB_GETCURSEL, NULL, NULL); } bool SetSelectedIndex(LONG index) { return SendMessageW(this->ctrlHwnd, CB_SETCURSEL, (WPARAM)index, NULL) == index; } bool GetSelectedIndexTextA(LPSTR buffer) { LONG selIndex = GetSelectedIndex(); return SendMessageA(this->ctrlHwnd, CB_GETLBTEXT, selIndex, (LPARAM)buffer) > 0; } }; ================================================ FILE: x64dbgApiBreak/src/incl/ui/ctrl/uicontrolbase.hpp ================================================ #pragma once #include #include #define IMPL_CTRLBASE_CTOR(t) t(UIOBJECT *ui, ULONG ctrlId, UiWrapper *parent) : UiControlBase(ui,ctrlId,parent) class UiControlBase { private: struct OwnerStringDrawInfo { char value[512]; COLORREF foreColor; POINT xy; }; protected: UIOBJECT *ui; DWORD ctrlId; HWND ctrlHwnd; UiWrapper *parent; OwnerStringDrawInfo ownerStringDrawData; DWORD MyId() const { return this->ctrlId; } HWND MyHandle() const { return this->ctrlHwnd; } ULONG GetStringCommon(BYTE **pValue, ULONG size) { LONG reqLen, readLen; reqLen = SendControlMsg(WM_GETTEXTLENGTH, NULL, NULL); if (reqLen <= 0) return 0; reqLen++; //Include null term if (size == 0) { if (IsWindowUnicode(MyHandle())) *pValue = (BYTE *)ALLOCSTRINGW(reqLen); else *pValue = (BYTE *)ALLOCSTRINGA(reqLen); if (*pValue == NULL) return 0; } else if ((ULONG)reqLen > size) { return 0; } readLen = SendControlMsg(WM_GETTEXT, (WPARAM)reqLen, (LPARAM)*pValue); if (readLen <= 0) return 0; return readLen; } public: UiControlBase() { this->ui = NULL; this->ctrlId = 0; } UiControlBase(UIOBJECT *ui, DWORD ctrlId, UiWrapper *parent) { this->ui = ui; this->ctrlId = ctrlId; this->parent = parent; this->ctrlHwnd = GetDlgItem(this->ui->hwnd, this->ctrlId); } LONG SendControlMsg(UINT msg, WPARAM wp, LPARAM lp) { return (LONG)::SendMessage(this->ctrlHwnd, msg, wp, lp); } void EnableOwnerDraw() { LONG style = GetWindowLong(MyHandle(), GWL_STYLE); style |= SS_OWNERDRAW; SetWindowLong(MyHandle(), GWL_STYLE, style); } void Disable() { ::EnableWindow(MyHandle(), FALSE); } void Enable() { ::EnableWindow(MyHandle(), TRUE); } void SetEnableState(bool enable) { ::EnableWindow(MyHandle(), enable); } ULONG GetStringA(LPSTR *pValue, ULONG size) { BYTE *pVal=NULL; ULONG readLen; LPSTR strA; if (IsWindowUnicode(MyHandle())) { readLen = GetStringCommon(&pVal, 0); if (!readLen) return 0; if (readLen > size - 1) { FREESTRING(*pVal); return 0; } strA = HlpWideToAnsiString((LPCWSTR)pVal); if (!size) *pValue = strA; else { strcpy(*pValue, strA); FREESTRING(strA); } } else readLen = GetStringCommon((BYTE **)pValue, size); return readLen; } ULONG GetStringW(LPWSTR *pValue, ULONG size) { BYTE *pVal = NULL; ULONG readLen; LPWSTR strW; if (!IsWindowUnicode(MyHandle())) { readLen = GetStringCommon(&pVal, 0); if (!readLen) return 0; if (readLen > size - 1) { FREESTRING(*pVal); return 0; } strW = HlpAnsiToWideString((LPCSTR)pVal); if (!size) *pValue = strW; else { wcscpy(*pValue, strW); FREESTRING(strW); } } else readLen = GetStringCommon((BYTE **)pValue, size); return readLen; } BOOL SetStringA(LPCSTR value) { return SetWindowTextA(MyHandle(), value); } BOOL SetStringW(LPCWSTR value) { return SetWindowTextW(MyHandle(), value); } void DrawStringA(LPCSTR text, INT x, INT y, COLORREF foreColor) { strcpy(ownerStringDrawData.value, text); ownerStringDrawData.xy.x = x; ownerStringDrawData.xy.y = y; ownerStringDrawData.foreColor = foreColor; InvalidateRect(MyHandle(), NULL, TRUE); } void DrawStringFormatA(INT x, INT y, COLORREF foreColor, LPCSTR format, ...) { va_list va; LPSTR buffer; va_start(va, format); if (!HlpPrintFormatBufferExA(&buffer, format, va)) return; DrawStringA(buffer, x, y, foreColor); FREESTRING(buffer); va_end(va); } virtual void OnInitControl() { } virtual void OnCommand(WPARAM wp) { } virtual void OnDrawItem(LPDRAWITEMSTRUCT dis) { UiDrawStringA( dis->hDC, ownerStringDrawData.value, ownerStringDrawData.xy.x, ownerStringDrawData.xy.y, ownerStringDrawData.foreColor, 0); } }; ================================================ FILE: x64dbgApiBreak/src/incl/ui/ui.h ================================================ #ifndef __UI_H_ #define __UI_H_ #include #include typedef struct { DWORD flag; POINT point; SIZE size; }WINDOWREGIONINFO; #define WRIF_CENTER 0x00000001 #define WRIF_LOCATION 0x00000002 #define WRIF_SIZE 0x00000004 typedef struct tagPreCreateWindowInfo { WINDOWREGIONINFO wri; }PRECREATEWINDOWINFO; typedef struct tagWindowCreationInfo { PRECREATEWINDOWINFO *pci; }WINDOWCREATIONINFO; typedef INT_PTR(CALLBACK* UIDLGPROC)(HWND, UINT, WPARAM, LPARAM, PVOID); typedef VOID(*UIAFTEREXITDISPOSER)(); typedef struct tagUiResult { HWND hwnd; UIDLGPROC dlgProc; UIAFTEREXITDISPOSER uiDisposer; HANDLE uiThread; DWORD uiThreadId; HANDLE uiEvent; INT_PTR result; UINT dlgResourceId; BOOL seperateThread; HWND parentWnd; PVOID param; BOOL isUiOutside; BOOL isRunning; }UIOBJECT; #define SetTextW(hwnd,idc,wstr) ::SetWindowTextW(::GetDlgItem(hwnd,idc),wstr) #define SetDlgCaptionW(wnd,wstr) ::SetWindowTextW(wnd,wstr) #define GetControlHwnd(ui,item) ::GetDlgItem(ui->hwnd,item) BOOL UiIsRunning(UIOBJECT *ui); VOID UiRegisterDisposer(UIOBJECT *uiObject, UIAFTEREXITDISPOSER disposer); UIOBJECT *UiCreateDialog( UIDLGPROC dlgProc, HWND parentWnd, UINT dialogResourceId, BOOL seperateThread, PVOID param, WINDOWCREATIONINFO *wci, BOOL *wasSucceeded); BOOL UiDrawStringA(HDC dc, LPCSTR text, FLOAT x, FLOAT y, COLORREF forecolor, COLORREF backcolor); void UiReleaseObject(UIOBJECT *ui); BOOL UiDestroyDialog(UIOBJECT *ui); void UiForceCloseAllActiveWindows(); #endif //__UI_H_ ================================================ FILE: x64dbgApiBreak/src/incl/ui/uiwrapper.hpp ================================================ #pragma once class UiWrapper; #include #include #include using namespace std; class UiWrapper { private: static UINT_PTR CALLBACK DialogProc(HWND hwnd, UINT msg, WPARAM wp, LPARAM lp, PVOID arg) { UiWrapper *_this = (UiWrapper *)arg; switch (msg) { case WM_INITDIALOG: { _this->uiObject = (UIOBJECT *)lp; _this->OnInitInternal(); } break; case WM_WINDOWPOSCHANGED: case WM_ACTIVATE: case WM_SHOWWINDOW: { if (!_this->isFullyLoaded) { if (IsWindowVisible(hwnd)) { _this->isFullyLoaded = true; _this->OnLoaded(); } } } break; case WM_COMMAND: _this->OnCommand(wp, lp); break; case WM_PAINT: _this->OnPaint(); break; case WM_TIMER: _this->OnTimerTick((LONG)wp); break; case WM_CLOSE: _this->OnClose(); break; case WM_DRAWITEM: _this->OnDrawItem((LPDRAWITEMSTRUCT)lp, (LONG)wp); return TRUE; case WM_QUIT: _this->OnDestroyed(); break; } return 0; } private: HANDLE initCompletedEvent; UIOBJECT *uiObject; WINDOWCREATIONINFO wci; LONG dlgId; bool isFullyLoaded; bool killingSelf; unordered_map childControls; UiControlBase *LookupControl(HWND hwnd) { unordered_map::iterator it; if (childControls.size() == 0) return nullptr; it = childControls.find(hwnd); if (it == childControls.end()) return NULL; return it->second; } void DestroyControlResources() { unordered_map::iterator it; UiControlBase *control = NULL; if (childControls.size() == 0) return; while (childControls.size() > 0) { it = childControls.begin(); control = it->second; childControls.erase(it); delete control; } } private: bool SetControlEnableState(ULONG ctrlId, bool state) { HWND ctrlHwnd = GetDlgItem(GetHWND(), ctrlId); if (!ctrlHwnd) return false; return (bool)EnableWindow(ctrlHwnd, (BOOL)state); } void InitCommon(LONG dlgId, bool center) { this->killingSelf = false; this->isFullyLoaded = false; this->initCompletedEvent = CreateEvent(NULL, FALSE, FALSE, NULL); this->dlgId = dlgId; this->wci.pci = NULL; if (center) { this->wci.pci = ALLOCOBJECT(PRECREATEWINDOWINFO); this->wci.pci->wri.flag = WRIF_CENTER; } } void OnInitInternal() { this->OnInit(); SetEvent(this->initCompletedEvent); } public: UiWrapper(LONG dlgId, bool center) { InitCommon(dlgId, center); } UiWrapper(LONG dlgId) { InitCommon(dlgId, false); } ~UiWrapper(void) { DestroyControlResources(); if (this->wci.pci != NULL) FREEOBJECT(this->wci.pci); CloseHandle(this->initCompletedEvent); if (!this->killingSelf) { if (UiIsRunning(this->uiObject)) Close(); } } static void DestroyAllActiveWindows() { UiForceCloseAllActiveWindows(); } virtual bool ShowDialog() { return ShowDialog(true); } virtual bool ShowDialog(bool seperateUiThread) { BOOL succeeded; this->uiObject = UiCreateDialog( (UIDLGPROC)this->DialogProc, NULL, this->dlgId, (BOOL)seperateUiThread, this, &this->wci, &succeeded); if (!seperateUiThread) return (bool)succeeded; return this->uiObject != NULL; } HWND GetHWND() const { return this->uiObject->hwnd; } bool SetTimer(LONG timerId, ULONG period) { return ::SetTimer(GetHWND(), (UINT_PTR)timerId, (UINT)period, NULL) == timerId; } void KillTimer(LONG timerId) { ::KillTimer(GetHWND(), (UINT_PTR)timerId); } LONG MessageBox(LPWSTR msg, LPWSTR title, ULONG flags) { return ::MessageBoxW(GetHWND(), (LPCWSTR)msg, (LPCWSTR)title, flags); } LONG MsgBoxInfo(LPCSTR msg, LPCSTR title) { return ::MessageBoxA(GetHWND(), msg, title, MB_ICONINFORMATION); } LONG MsgBoxError(LPCSTR msg, LPCSTR title) { return ::MessageBoxA(GetHWND(), msg, title, MB_ICONERROR); } LONG MsgBoxQuestion(LPCSTR msg, LPCSTR title) { return ::MessageBoxA(GetHWND(), msg, title, MB_YESNO | MB_ICONQUESTION); } void WaitForInitCompletion() { WaitForSingleObject(this->initCompletedEvent, INFINITE); } void Close() { if (UiDestroyDialog(this->uiObject)) { this->uiObject = NULL; } } ULONG GetControlTextA(ULONG ctrlId, LPSTR strBuf, ULONG bufSize) { LPWSTR wbuf = ALLOCSTRINGW(bufSize); LPSTR as; ULONG textLen; if (!wbuf) return 0; textLen = GetControlText(ctrlId, wbuf, bufSize); if (textLen > 0) { as = HlpWideToAnsiString(wbuf); if (as != NULL) { strncpy(strBuf, as, textLen); FREESTRING(as); } } FREESTRING(wbuf); return textLen; } ULONG GetControlText(ULONG ctrlId, LPWSTR strBuf, ULONG bufSize) { HWND ctrlHwnd = GetDlgItem(GetHWND(), ctrlId); if (!ctrlHwnd) return 0; return GetWindowTextW(ctrlHwnd, (LPWSTR)strBuf, bufSize); } void SetWindowTitleW(LPWSTR title) { SetWindowTextW(GetHWND(), title); } void SetWindowTitleA(LPSTR title) { SetWindowTextA(GetHWND(),title); } bool SetControlTextA(ULONG ctrlId, LPSTR str) { bool ret; LPWSTR wstr; wstr = HlpAnsiToWideString(str); ret = SetControlText(ctrlId, wstr); FREESTRING(wstr); return ret; } bool SetControlText(ULONG ctrlId, LPWSTR str) { HWND ctrlHwnd = GetDlgItem(GetHWND(), ctrlId); if (!ctrlHwnd) return false; return (bool)SetWindowTextW(ctrlHwnd, (LPCWSTR)str); } bool SetControlTextFormatA(ULONG ctrlId, const char *format, ...) { char *buffer; bool success = false; va_list vl; va_start(vl, format); if (HlpPrintFormatBufferExA(&buffer, format, vl) > 0) { SetControlTextA(ctrlId, buffer); FREESTRING(buffer); success = true; } va_end(vl); return success; } bool EnableControl(ULONG ctrlId) { return SetControlEnableState(ctrlId, true); } bool DisableControl(ULONG ctrlId) { return SetControlEnableState(ctrlId, false); } template T *GetControlById(ULONG ctrlId) { HWND ctrlHwnd; T *ctrl = NULL; ctrlHwnd = GetDlgItem(GetHWND(), ctrlId); if ((ctrl = (T *)LookupControl(ctrlHwnd)) != NULL) return ctrl; ctrl = new T(this->uiObject, ctrlId, this); childControls.insert(std::pair(ctrlHwnd, ctrl)); ctrl->OnInitControl(); return ctrl; } virtual void OnTimerTick(LONG timerId) { } virtual void OnDestroyed() { delete this; } virtual void OnClose() { this->killingSelf = true; } virtual void OnPaint() { } virtual void OnLoaded() { } virtual void OnCommand(WPARAM wp, LPARAM lp) { UiControlBase *ctrl = NULL; if (lp != NULL) { ctrl = LookupControl((HWND)lp); if (ctrl != nullptr) ctrl->OnCommand(wp); } } virtual void OnDrawItem(LPDRAWITEMSTRUCT dis, LONG ctrlId) { UiControlBase *ctrl = NULL; HWND wnd = GetDlgItem(GetHWND(), ctrlId); ctrl = LookupControl(wnd); if (ctrl != nullptr) ctrl->OnDrawItem(dis); } virtual void OnInit() { } }; ================================================ FILE: x64dbgApiBreak/src/incl/util.h ================================================ #ifndef __UTIL_H__ #define __UTIL_H__ #include typedef enum { Cdecl, Stdcall, Fastcall, Thiscall }CALLCONVENTION; typedef struct { REGDUMP regCtx; CALLCONVENTION convention; USHORT paramCount; duint * paramList; }*PPASSED_PARAMETER_CONTEXT,PASSED_PARAMETER_CONTEXT; #ifdef _WIN64 typedef ULONGLONG ARCHWIDE; #else typedef ULONG ARCHWIDE; #endif typedef struct __DMA { WORD sizeOfType; ULONG count; ARCHWIDE writeBoundary; ARCHWIDE totalSize; LONG needsSynchronize; BOOL ownershipTaken; CRITICAL_SECTION areaGuard; DWORD oldProtect; struct { ULONG offset; ARCHWIDE size; ULONG beginCookie; ULONG endCookie; }UnsafeWriteCheckInfo; void * memory; }*PDMA,DMA; //DYNAMIC MEMORY ADAPTER #define DMA_AUTO_OFFSET ULONG_MAX BOOL DmaCreateAdapter(WORD sizeOfType, ULONG initialCount, PDMA *dma); BOOL DmaWriteNeedsExpand(PDMA dma, ARCHWIDE needByteSize, ULONG writeBeginOffset, BOOL autoIssue); BOOL DmaIssueExpansion(PDMA dma, LONG expansionDelta); BOOL DmaRead(PDMA dma, ULONG offset, ARCHWIDE size, void *destMemory); BOOL DmaWrite(PDMA dma, ULONG offset, ARCHWIDE size, void *srcMemory); BOOL DmaStringWriteA(PDMA dma, LPCSTR format,...); BOOL DmaStringWriteW(PDMA dma, LPCWSTR format, ...); BOOL DmaReadTypeAlignedSequence(PDMA dma, ULONG index, ULONG count, void *destMemory); BOOL DmaTakeMemoryOwnership(PDMA dma, void **nativeMem); BOOL DmaPrepareForDirectWrite(PDMA dma, ULONG writeOffset, ARCHWIDE writeSize, void **nativeMem); void DmaGetAdapterInfo(PDMA dma, ARCHWIDE *writtenSize, ARCHWIDE *totalSize); BOOL DmaPrepareForRead(PDMA dma, void **nativeMem); BOOL DmaSink(PDMA dma); void DmaDestroyAdapter(PDMA dma); BOOL UtlExtractPassedParameters(USHORT paramCount, CALLCONVENTION callConv, REGDUMP *regdump, BOOL ipOnStack, PPASSED_PARAMETER_CONTEXT *paramInfo); duint UtlGetCallerAddress(REGDUMP *regdump); BOOL UtlInternetReadW(LPCWSTR url, BYTE **content, ULONG *contentLength); BOOL UtlInternetReadA(LPCSTR url, BYTE **content, ULONG *contentLength); #endif // !__UTIL_H__ ================================================ FILE: x64dbgApiBreak/src/instparse.cpp ================================================ #include const char *regs[17] { "*ax", "*bx", "*cx", "*dx", "*si", "*di", "*bp", "*sp", "*ip", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" }; #define TOKLIST_SIZE 32 #define TOKLIST_MAX (TOKLIST_SIZE - 1) #define RT_IMM 0 #define RT_REG 1 typedef struct { struct { char tok[16]; }tokenList[TOKLIST_SIZE]; duint count; duint index; }token_data; #define Currtoken(td) (char *)(td)->tokenList[(td)->index].tok __forceinline void Skiptoken(token_data *td, int skip) { //prevent the possible overflow if skip delta is negative (to the back) if ((duint)abs(skip) > td->index) return; td->index += skip; } __forceinline char * Nexttoken(token_data *td) { char *tok = NULL; if (td->index < td->count) tok = (char *)td->tokenList[++td->index].tok; return tok; } __forceinline char * Prevtoken(token_data *td) { char *tok = NULL; if (td->index != 0) tok = (char *)td->tokenList[--td->index].tok; return tok; } __forceinline char *Nextslot(token_data *td) { if (td->count >= TOKLIST_MAX) return NULL; return td->tokenList[++td->count].tok; } void AbpTokenize(char *inst, token_data *tokdata) { char *p,*pbuf; int pbi = 0; memset(tokdata, 0, sizeof(token_data)); p = inst; pbuf = tokdata->tokenList[0].tok; tokdata->index = 0; while (*p != 0) { if (*p == ' ' || *p == ',' || *p == ':') { if (pbi > 0) { pbuf = Nextslot(tokdata); pbi = 0; } } else if (*p == '*' || *p == '+' || *p == '-' || *p == '[' || *p == ']') { if (pbi > 0) { pbuf = Nextslot(tokdata); pbi = 0; } *pbuf = *p; pbuf = Nextslot(tokdata); } else { pbuf[pbi++] = *p; } p++; } } bool _AbpParseRegister(token_data *td, InstInfo *instInfo, dsint *val, short *size, unsigned char *type); /* Direct Operand: displacement (often just the symbolic name for a memory location) Indirect Operand: (base) Base+displacement: (index*scale)+displacement Base + index + displacement Base+(index*scale)+ displacement */ #define MAO_ADD 1 #define MAO_MUL 2 #define ADM_BORD 0 #define ADM_BD MAO_ADD // + #define ADM_ISD MAO_MUL + MAO_ADD // * + #define ADM_BID MAO_ADD + MAO_ADD // + + #define ADM_BISD MAO_ADD + MAO_MUL + MAO_ADD // + * + bool AbpParseMemoryAccess(token_data *td, InstInfo *linst) { int adr_mode = 0; struct { dsint ident; short size; unsigned char type; }idents[5]; int idx = 0; char *p = NULL; if (linst->op == OP_PUSH || linst->reg != RegNone) linst->mem_access = MA_READ; else if (linst->reg == RegNone) linst->mem_access = MA_WRITE; do { p = Nexttoken(td); if (*p == '*') { adr_mode += MAO_MUL; continue; } else if (*p == '-' || *p == '+') { adr_mode += MAO_ADD; continue; } else if (*p == ']') break; if (!_AbpParseRegister(td, NULL, &idents[idx].ident, &idents[idx].size, &idents[idx].type)) return false; idx++; } while (*p); switch (adr_mode) { case ADM_BORD: if (idents[0].type == RT_IMM) linst->memory_info.disp = (int)idents[0].ident; else linst->memory_info.base = (unsigned char)idents[0].ident; break; case ADM_BD: linst->memory_info.base = (unsigned char)idents[0].ident; linst->memory_info.disp = (int)idents[1].ident; break; case ADM_BID: linst->memory_info.base = (unsigned char)idents[0].ident; linst->memory_info.index = (unsigned char)idents[1].ident; linst->memory_info.disp = (int)idents[2].ident; break; case ADM_BISD: linst->memory_info.base = (unsigned char)idents[0].ident; linst->memory_info.index = (unsigned char)idents[1].ident; linst->memory_info.scale = (unsigned char)idents[2].ident; //1, 2 ,4, 8 linst->memory_info.disp = (int)idents[2].ident; break; case ADM_ISD: linst->memory_info.index = (unsigned char)idents[0].ident; linst->memory_info.scale = (unsigned char)idents[1].ident; linst->memory_info.disp = (unsigned char)idents[2].ident; break; } return true; } inline bool AbpIsNumStr(const char *str) { char *p = const_cast(str); while (*p) { if (!isdigit(*p)) return false; p++; } return true; } bool _AbpParseRegister(token_data *td, InstInfo *instInfo, dsint *val, short *size, unsigned char *type) { char *p = Currtoken(td); char pfx = *p; int beg = 0, end = 8, rx = -1; bool ok = false; dsint nval; short nsize; unsigned char ntype; if (*p == '[') { ok = AbpParseMemoryAccess(td, instInfo); if (ok) { if (instInfo->reg == RegNone) instInfo->reg = ImmMem; else instInfo->reg_oper = ImmMem; } return ok; } if (strstr(p, "0x") || AbpIsNumStr(p)) { #ifdef _WIN64 nval = (dsint)strtoll(p, NULL, 0); nsize = 64; #else nval = (dsint)strtol(p, NULL, 0); nsize = 32; #endif ntype = RT_IMM; ok = true; goto oneWayExit; } nsize = GET_REGSIZE(pfx); if (pfx == 'r') { beg = 0; end = 17; } for (;beg < end;beg++) { if (!strcmp(p + 1, regs[beg] + 1)) { rx = beg; break; } } nval = rx; ntype = RT_REG; ok = true; oneWayExit: if (instInfo != NULL) { switch (ntype) { case RT_IMM: { instInfo->imm = (duint)nval; if (instInfo->reg == (char)RegNone) instInfo->reg = ImmMem; else instInfo->reg_oper = ImmMem; break; } case RT_REG: { if (instInfo->reg == (char)RegNone) instInfo->reg = (char)nval; else instInfo->reg_oper = (char)nval; break; } } instInfo->size = nsize; } else { *val = nval; *size = nsize; *type = ntype; } return ok; } bool AbpParseRegister(token_data *td, InstInfo *instInfo) { return _AbpParseRegister(td, instInfo, NULL, NULL, NULL); } bool AbpParseOperand(token_data *td, InstInfo *linst) { char *p = Currtoken(td); if (!strcmp(p, "byte") || !strcmp(p, "word") || !strcmp(p, "dword") || !strcmp(p, "qword")) { Skiptoken(td, 1); p = Nexttoken(td); if (p[1] == 's' && p[2] == '\0') //if segment identifier skip to the next token p = Nexttoken(td); //grab register if (!p) return false; } if (!AbpParseRegister(td, linst)) return false; return true; } #if _DEBUG #define _PRSLOG DBGPRINT #define CONCAT_BUF(buf,format, ...) HlpConcateStringFormatA(buf,1024,format,__VA_ARGS__) void __AbpPrintMemData(InstInfo *inst, char *buf) { if (inst->memory_info.base != uchar(RegNone)) CONCAT_BUF(buf, "(base: %s) ", regs[inst->memory_info.base]); if (inst->memory_info.index != uchar(RegNone)) CONCAT_BUF(buf, "(index: %s) ", regs[inst->memory_info.index]); if (inst->memory_info.scale != 0) CONCAT_BUF(buf, "(scale: %d) ", inst->memory_info.scale); if (inst->memory_info.disp != 0) CONCAT_BUF(buf, "(disp: 0x%x)", inst->memory_info.disp); CONCAT_BUF(buf, " - "); } void __AbpPrintInstructionInfo(InstInfo *inst) { char inst_info_buf[1024] = { 0 }; bool single = false; if (inst->reg_oper == uchar(RegNone)) { if (inst->reg == uchar(RegNone)) { CONCAT_BUF(inst_info_buf, "Invalid instruction"); goto doPrint; } CONCAT_BUF(inst_info_buf, "Single operand. Operand: "); single = true; } else CONCAT_BUF(inst_info_buf,"Source operand: "); if (inst->reg == ImmMem) __AbpPrintMemData(inst, inst_info_buf); else CONCAT_BUF(inst_info_buf, "Reg: %s ", regs[inst->reg]); if (!single) { CONCAT_BUF(inst_info_buf, "Dest operand: "); if (inst->reg_oper == ImmMem) __AbpPrintMemData(inst, inst_info_buf); else CONCAT_BUF(inst_info_buf, "Reg: %s ", regs[inst->reg_oper]); } doPrint: _PRSLOG("%s",inst_info_buf); } #else #define _PRSLOG #endif bool AbParseInstruction(BASIC_INSTRUCTION_INFO *inst, InstInfo *linst) { char *p; token_data tokdata; char order = 0; AbpTokenize(inst->instruction, &tokdata); if (!tokdata.count) return false; p = Currtoken(&tokdata); memset(linst, 0, sizeof(InstInfo)); linst->reg = RegNone; linst->reg_oper = RegNone; linst->memory_info.base = RegNone; linst->memory_info.index = RegNone; while (p != NULL && order != ORD_DONE) { if (order == ORD_OP) { if (!strcmp(p, "mov")) linst->op = OP_MOV; else if (!strcmp(p, "lea")) linst->op = OP_LEA; else if (!strcmp(p, "push")) linst->op = OP_PUSH; else return false; order++; } else if (order == ORD_DREG) { if (!AbpParseOperand(&tokdata, linst)) return false; order++; if (linst->op == OP_PUSH) { order++; } } else if (order == ORD_SREG) { if (!AbpParseOperand(&tokdata, linst)) return false; order++; } p = Nexttoken(&tokdata); } return true; } ================================================ FILE: x64dbgApiBreak/src/plugin.cpp ================================================ #include #include #include #include #include #define MN_BASE 0xFA00FA #define MN_ABOUT MN_BASE #define MN_SHOWMAINFORM MN_BASE + 1 #define MN_SHOWSETTINGSFORM MN_BASE + 2 #define MN_TESTSLOT MN_BASE + 3 #define DWS_IDLE 0 #define DWS_CREATEPROCESS 1 #define DWS_ATTACHEDPROCESS 2 #define DWS_EXITEDPROCESS 3 #define DWS_DETACHEDPROCESS 4 const char *DBGSTATE_STRINGS[5] = { "Idle", "Process Created", "Process Attached", "Process Exited", "Process Detached" }; BYTE AbpDbgState; Script::Module::ModuleInfo AbpCurrentMainModule; BOOL AbfNeedsReload=FALSE; INTERNAL int AbPluginHandle; INTERNAL HWND AbHwndDlgHandle; INTERNAL int AbMenuHandle; INTERNAL int AbMenuDisasmHandle; INTERNAL int AbMenuDumpHandle; INTERNAL int AbMenuStackHandle; INTERNAL HMODULE AbPluginModule; INTERNAL WORD AbParsedTypeCount = 0; INTERNAL void AbiRaiseDeferredLoader(const char *dllName, duint base); INTERNAL void AbiInitDynapi(); INTERNAL void AbiUninitDynapi(); INTERNAL void AbiReleaseDeferredResources(); INTERNAL void AbiEmptyInstructionCache(); BOOL AbpHasPendingInit = FALSE; INTERNAL_EXPORT Script::Module::ModuleInfo *AbiGetCurrentModuleInfo() { return &AbpCurrentMainModule; } int WINAPI Loader(void *) { AbLoadAvailableModuleAPIs(true); return 0; } void AbpParseScripts() { char *tokCtx; char *scripts = NULL; char *line; LPSTR errStr; if (!AbGetSettings()->mainScripts) return; scripts = HlpCloneStringA(AbGetSettings()->mainScripts); if (!scripts) { DBGPRINT("memory error"); return; } line = strtok_s(scripts, "\r\n;", &tokCtx); while (line) { DBGPRINT("Parsing '%s'", line); SmmParseFromFileA(line, &AbParsedTypeCount); line = strtok_s(NULL, "\r\n;", &tokCtx); } if (SmmHasParseError(&errStr)) { MessageBoxA(NULL, errStr, "x64dbg Api Break - script parse error", MB_ICONERROR); FREESTRING(errStr); } DBGPRINT("%d type(s) parsed.", AbParsedTypeCount); FREESTRING(scripts); FREESTRING(line); } void AbpOnDebuggerStateChanged(BYTE state, const char *module) { switch (state) { case DWS_ATTACHEDPROCESS: case DWS_CREATEPROCESS: { if (AbGetSettings()->autoLoadData) { AbpHasPendingInit = TRUE; } } break; case DWS_DETACHEDPROCESS: case DWS_EXITEDPROCESS: { AbReleaseAllSystemResources(false); } break; } } void AbpRaiseDbgStateChangeEvent() { DBGPRINT("%s (%s)", AbpCurrentMainModule.name, DBGSTATE_STRINGS[AbpDbgState]); AbpOnDebuggerStateChanged(AbpDbgState, AbpCurrentMainModule.name); if (AbpDbgState > DWS_ATTACHEDPROCESS) { //And after the handler callback. //set it to dbg is now idle if current state exited or detached AbpDbgState = DWS_IDLE; } } void AbReleaseAllSystemResources(bool isInShutdown) { DBGPRINT("Releasing used resources. shutdown=%d",isInShutdown); SmmReleaseResources(isInShutdown); AbSettingsDestroyResources(); AbiEmptyInstructionCache(); AbiReleaseDeferredResources(); AbpReleaseBreakpointResources(); AbReleaseModuleResources(); if (isInShutdown) { AbiUninitDynapi(); UiForceCloseAllActiveWindows(); } } BOOL AbRaiseSystemError(const char *errorDesc, int errCode,const char *func, const int line) { LPSTR msg; BOOL dbgBreak; HlpPrintFormatBufferA(&msg, "An error occurred at %s:%d;\r\n\r\n%s\r\nDo you want to break into debugger?", func,line,errorDesc); dbgBreak = MessageBoxA(NULL, msg, "Error", MB_ICONERROR | MB_YESNO) == IDYES; FREESTRING(msg); if (dbgBreak) { __debugbreak(); return TRUE; } return FALSE; } typedef bool(*pfnDbgGetRegDumpEx)(REGDUMP* regdump, size_t size); HMODULE g_DbgLib = NULL; pfnDbgGetRegDumpEx _DbgGetRegDumpEx = NULL; #define VALTOSTRFY(val) _stringfy(val) #define BRIDGE_DLL "x" VALTOSTRFY(PLATFORM_SIZE) "bridge.dll" bool AbpNeedsNewerx64Dbg() { bool needsNew = false; g_DbgLib = GetModuleHandleA(BRIDGE_DLL); if (!g_DbgLib) { RAISEGLOBALERROR("dbglib error"); return false; } if (!(_DbgGetRegDumpEx = (pfnDbgGetRegDumpEx)GetProcAddress(g_DbgLib, "DbgGetRegDumpEx"))) needsNew = true; return needsNew; } void __AbpInitMenu() { _plugin_menuaddentry(AbMenuHandle, MN_SHOWMAINFORM, "set an API breakpoint"); _plugin_menuaddentry(AbMenuHandle, MN_SHOWSETTINGSFORM, "settings"); _plugin_menuaddentry(AbMenuHandle, MN_ABOUT, "about?"); } DBG_LIBEXPORT bool pluginit(PLUG_INITSTRUCT* initStruct) { #if _DEBUG if (MessageBoxA(NULL, "Wanna break into debugger?", "Dive-in", MB_YESNO | MB_ICONQUESTION) == IDYES) { __debugbreak(); } #endif initStruct->sdkVersion = PLUG_SDKVERSION; initStruct->pluginVersion = (AB_VERSION_MAJOR * 10) + AB_VERSION_MINOR; strcpy_s(initStruct->pluginName, 256, "Api Break"); AbPluginHandle = initStruct->pluginHandle; if (AbpNeedsNewerx64Dbg()) { MessageBoxA(NULL, "this version of plugin uses new x64dbg API. Consider update x64dbg to the new version.", "warning", MB_OK | MB_ICONWARNING); return false; } SmmInitializeResources(); AbSettingsLoad(); AbiInitDynapi(); LoadLibraryA("Riched20.dll"); return true; } DBG_LIBEXPORT bool plugstop() { HMODULE hmod; AbReleaseAllSystemResources(true); hmod = GetModuleHandleA("Riched20.dll"); if (hmod) FreeLibrary(hmod); AbRevealPossibleMemoryLeaks(); return true; } DBG_LIBEXPORT void plugsetup(PLUG_SETUPSTRUCT* setupStruct) { AbHwndDlgHandle = setupStruct->hwndDlg; AbMenuHandle = setupStruct->hMenu; AbMenuDisasmHandle = setupStruct->hMenuDisasm; AbMenuDumpHandle = setupStruct->hMenuDump; AbMenuStackHandle = setupStruct->hMenuStack; __AbpInitMenu(); AbpParseScripts(); } #include INTERNAL ApiFunctionInfo *AbiGetAfi(const char *module, const char *afiName); DBG_LIBEXPORT void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info) { if (info->hEntry == MN_ABOUT) { MessageBoxA(AbHwndDlgHandle, AB_APPNAME " - ver: " AB_VERSTR "\r\n" "build on: " AB_BUILD_TIME "\r\n\r\n" "by oguz (ozzy) kartal (2017)\r\n\r\n" "http://oguzkartal.net ;)", "About - " AB_APPTITLE, MB_ICONINFORMATION); } else if (info->hEntry == MN_SHOWMAINFORM) { //Ps. Form object will be deleted automatically when the window closed. MainForm *mainForm = new MainForm(); mainForm->ShowDialog(); } else if (info->hEntry == MN_SHOWSETTINGSFORM) { SettingsForm *settingsForm = new SettingsForm(); settingsForm->ShowDialog(); } } DBG_LIBEXPORT void CBLOADDLL(CBTYPE cbType, PLUG_CB_LOADDLL *dllLoad) { duint base = DbgModBaseFromName(dllLoad->modname); if (!base) { DBGPRINT("Could not get dll base fro %s", dllLoad->modname); return; } AbiRaiseDeferredLoader(dllLoad->modname, base); } DBG_LIBEXPORT void CBSYSTEMBREAKPOINT(CBTYPE cbType, PLUG_CB_SYSTEMBREAKPOINT *sysbp) { if (AbpHasPendingInit) { AbpHasPendingInit = FALSE; QueueUserWorkItem((LPTHREAD_START_ROUTINE)Loader, NULL, WT_EXECUTEDEFAULT); } } PPASSED_PARAMETER_CONTEXT AbpExtractPassedParameterContext(REGDUMP *regdump, PFNSIGN fnSign, BOOL ipOnStack) { SHORT argCount; PPASSED_PARAMETER_CONTEXT ppc; CALLCONVENTION conv; argCount = SmmGetArgumentCount(fnSign); #ifdef _WIN64 conv = Fastcall; #else conv = Stdcall; #endif if (!UtlExtractPassedParameters(argCount, conv, regdump,ipOnStack, &ppc)) { DBGPRINT("Parameter extraction failed"); return NULL; } return ppc; } void AbpGhostBreakpointHandler(BpCallbackContext *bpx) { } #include void AbpWaitUntilHandlerDone(PBREAKPOINT_INFO pbi) { while (pbi->status & BPS_EXECUTING_HANDLER) _mm_pause(); //Give a bit time to the handler to make sure it returned SleepEx(10, FALSE); } LONG WINAPI AbpShowOutputArgumentQuestion(LPVOID p) { PFNSIGN fnSign; BOOL willContinue = FALSE; PPASSED_PARAMETER_CONTEXT ppc=NULL; BASIC_INSTRUCTION_INFO instr; duint addr; char msgBuf[512]; LPSTR mapResult; BpCallbackContext *bpcb = (BpCallbackContext *)p; sprintf(msgBuf, "One of the parameters of the %s is marked as out. " "That Means, you need to execute the api, to get all parameter result correctly.\n\n" "Want to execute the API now?",bpcb->afi->name); willContinue = MessageBoxA(NULL, msgBuf, "Quest", MB_ICONQUESTION | MB_YESNO) == IDYES; if (willContinue) { ppc = (PPASSED_PARAMETER_CONTEXT)bpcb->user; //Is it alreadly backtraced for caller? if (!(bpcb->ownerBreakpoint->options & BPO_BACKTRACK)) { //if not, we must do that. addr = UtlGetCallerAddress(&bpcb->regContext); } else addr = bpcb->regContext.regcontext.cip; DbgDisasmFastAt(addr, &instr); addr += instr.size; if (!AbSetInstructionBreakpoint(addr, AbpGhostBreakpointHandler, bpcb, true)) { DBGPRINT("Bpx set failed"); return EXIT_FAILURE; } AbDebuggerRun(); AbDebuggerWaitUntilPaused(); AbpWaitUntilHandlerDone(bpcb->ownerBreakpoint); SmmGetFunctionSignature2(bpcb->afi, &fnSign); SmmMapFunctionCall(ppc, fnSign, bpcb->afi, &mapResult); ApiCallMapForm *acmf = new ApiCallMapForm(mapResult); acmf->ShowDialog(); } return EXIT_SUCCESS; } DBG_LIBEXPORT void CBBREAKPOINT(CBTYPE cbType, PLUG_CB_BREAKPOINT* info) { BpCallbackContext *bpcb = NULL; PBREAKPOINT_INFO pbi; BOOL isBacktrackBp; PPASSED_PARAMETER_CONTEXT ppc; PFNSIGN fnSign = NULL; pbi = AbpLookupBreakpoint(info->breakpoint->addr); if (pbi != NULL) { DBGPRINT("Special breakpoint detected."); pbi->status |= BPS_EXECUTING_HANDLER; bpcb = pbi->cbctx; pbi->hitCount++; if (bpcb != NULL) { DBGPRINT("Breakpoint has registered callback. Raising the breakpoint callback"); //get current register context for current state _DbgGetRegDumpEx(&bpcb->regContext,sizeof(REGDUMP)); bpcb->bp = info->breakpoint; if (bpcb->callback != NULL) { pbi->status |= BPS_EXECUTING_CALLBACK; bpcb->callback(bpcb); pbi->status &= ~BPS_EXECUTING_CALLBACK; } } if (AbGetSettings()->mapCallContext) { if (SmmGetFunctionSignature2(bpcb->afi, &fnSign)) { DBGPRINT("Function mapping signature found. Mapping..."); isBacktrackBp = (pbi->options & BPO_BACKTRACK) == BPO_BACKTRACK; ppc = AbpExtractPassedParameterContext(&bpcb->regContext, fnSign,!isBacktrackBp); if (SmmSigHasOutArgument(fnSign)) { DBGPRINT("%s has an out marked function. ", bpcb->afi->name); bpcb->user = ppc; QueueUserWorkItem((LPTHREAD_START_ROUTINE)AbpShowOutputArgumentQuestion, bpcb, WT_EXECUTELONGFUNCTION); } else SmmMapFunctionCall(ppc, fnSign, bpcb->afi,NULL); //TODO: URGENT: FIX PARAMETER } } if (pbi->options & BPO_SINGLESHOT) AbDeleteBreakpoint(pbi->addr); pbi->status &= ~BPS_EXECUTING_HANDLER; } else { if (AbpHasPendingInit) { AbpHasPendingInit = FALSE; QueueUserWorkItem((LPTHREAD_START_ROUTINE)Loader, NULL, WT_EXECUTEDEFAULT); } } } DBG_LIBEXPORT void CBCREATEPROCESS(CBTYPE cbType, PLUG_CB_CREATEPROCESS *newProc) { if (AbpDbgState == DWS_ATTACHEDPROCESS) { //get module info. cuz we cant get the modinfo from in the attach callback goto resumeExec; } AbpDbgState = DWS_CREATEPROCESS; resumeExec: AbGetDebuggedModuleInfo(&AbpCurrentMainModule); AbfNeedsReload = TRUE; AbpRaiseDbgStateChangeEvent(); } DBG_LIBEXPORT void CBEXITPROCESS(CBTYPE cbType, PLUG_CB_EXITPROCESS *exitProc) { AbpDbgState = DWS_EXITEDPROCESS; AbpRaiseDbgStateChangeEvent(); } DBG_LIBEXPORT void CBATTACH(CBTYPE cbType, PLUG_CB_ATTACH *attachedProc) { AbpDbgState = DWS_ATTACHEDPROCESS; } DBG_LIBEXPORT void CBDETACH(CBTYPE cbType, PLUG_CB_DETACH *detachedProc) { AbpDbgState = DWS_DETACHEDPROCESS; AbpRaiseDbgStateChangeEvent(); } BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved ) { AbPluginModule = (HMODULE)hinstDLL; return TRUE; } ================================================ FILE: x64dbgApiBreak/src/rtf.cpp ================================================ #include #define RDS_NEEDS_SPACE 0x00000001 #define RTF_SETSTATE(rtf,x) if (!(rtf->state & x)) \ rtf->state |= x BOOL RtfCreateRtfData(PRTF_DATA *rtfData) { PRTF_DATA rtf; rtf = ALLOCOBJECT(RTF_DATA); if (!rtf) return FALSE; if (!DmaCreateAdapter(sizeof(char), 0x100, &rtf->rtfDma)) { FREEOBJECT(rtf); return FALSE; } *rtfData = rtf; return TRUE; } BOOL RtfBuildRtfTextA(PRTF_DATA rtf, LPSTR *rtfText, DWORD *textLen) { PDMA dma; LPSTR rtfBody; DWORD color; ARCHWIDE len; if (!rtf) return FALSE; if (!rtfText) return FALSE; DmaGetAdapterInfo(rtf->rtfDma, &len, NULL); DmaCreateAdapter(sizeof(char), len, &dma); DmaStringWriteA(dma, "{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033 "); //Font table DmaStringWriteA(dma, "{\\fonttbl "); for (DWORD i = 0;i < rtf->fontCount;i++) { DmaStringWriteA(dma, "{\\f%d\\fnil\\fcharset%d %s;}", i, 0, rtf->fontTable[i]); } DmaStringWriteA(dma, "}"); //Color table DmaStringWriteA(dma, "{\\colortbl ;"); for (DWORD i = 0;i < rtf->colorCount;i++) { color = rtf->colorTable[i]; DmaStringWriteA(dma, "\\red%d\\green%d\\blue%d;", GetRValue(color), GetGValue(color), GetBValue(color)); } DmaStringWriteA(dma, "}"); DmaStringWriteA(dma, "\\viewkind4\\pard\\sa200\\sl276\\slmult1\\lang9 "); DmaPrepareForRead(rtf->rtfDma, (void **)&rtfBody); DmaStringWriteA(dma, rtfBody); DmaStringWriteA(dma, "}"); DmaTakeMemoryOwnership(dma, (void **)rtfText); DmaDestroyAdapter(dma); return TRUE; } void RtfFreeRtfText(LPSTR rtfText) { FREESTRING(rtfText); } BOOL RtfDestroyRtfData(PRTF_DATA *rtf) { PRTF_DATA prtf; if (!rtf) return FALSE; prtf = *rtf; if (prtf->colorTable) FREEOBJECT(prtf->colorTable); if (prtf->fontTable) FREEOBJECT(prtf->fontTable); DmaDestroyAdapter(prtf->rtfDma); FREEOBJECT(prtf); *rtf = NULL; return NULL; } BOOL RtfRegisterColor(PRTF_DATA rtf, DWORD color, RTFRESID *resId) { DWORD *newPtr; RTFRESID index; if (!rtf) return FALSE; newPtr = (DWORD *)AbMemoryRealloc(rtf->colorTable, sizeof(DWORD) * (rtf->colorCount + 1)); if (!newPtr) { return FALSE; } rtf->colorTable = newPtr; index = rtf->colorCount; rtf->colorCount++; rtf->colorTable[index] = color; if (resId) *resId = index; return TRUE; } BOOL RtfRegisterFont(PRTF_DATA rtf, const LPCSTR fontName, int charset, RTFRESID *resId) { LPSTR fontNameBuffer; LPSTR *newPtr; RTFRESID index; if (!rtf) return FALSE; newPtr = (LPSTR *)AbMemoryRealloc(rtf->fontTable, sizeof(LPSTR) * (rtf->fontCount + 1)); if (!newPtr) { return FALSE; } rtf->fontTable = newPtr; index = rtf->fontCount; rtf->fontCount++; fontNameBuffer = HlpCloneStringA(fontName); rtf->fontTable[index] = fontNameBuffer; if (resId) *resId = index; return TRUE; } BOOL RtfBeginStyleFor(PRTF_DATA rtf, RTF_STYLE rtfStyle, DWORD repeat) { if (!repeat) repeat = 1; if (rtfStyle & RTFS_BOLD) DmaStringWriteA(rtf->rtfDma, "\\b"); if (rtfStyle & RTFS_ITALIC) DmaStringWriteA(rtf->rtfDma, "\\i"); if (rtfStyle & RTFS_UNDERLINE) DmaStringWriteA(rtf->rtfDma, "\\u"); if (rtfStyle & RTFS_NEWLINE) { for (DWORD i=0;irtfDma, "\\line"); } if (rtfStyle & RTFS_TAB) { for (DWORD i=0;irtfDma, "\\tab"); } RTF_SETSTATE(rtf, RDS_NEEDS_SPACE); return TRUE; } BOOL RtfBeginColor(PRTF_DATA rtf, RTFRESID resId) { RTF_SETSTATE(rtf, RDS_NEEDS_SPACE); return DmaStringWriteA(rtf->rtfDma, "\\cf%d", resId); } BOOL RtfBeginFont(PRTF_DATA rtf, RTFRESID resId) { RTF_SETSTATE(rtf, RDS_NEEDS_SPACE); return DmaStringWriteA(rtf->rtfDma, "\\f%d", resId); } BOOL RtfBeginFontSize(PRTF_DATA rtf, WORD fontSize) { RTF_SETSTATE(rtf, RDS_NEEDS_SPACE); return DmaStringWriteA(rtf->rtfDma, "\\fs%d", fontSize); } BOOL RtfAppendTextFormatA(PRTF_DATA rtf, LPCSTR format, ...) { va_list va; va_start(va, format); RtfAppendTextFormatExA(rtf, format, va); va_end(va); return TRUE; } BOOL RtfAppendTextFormatExA(PRTF_DATA rtf, LPCSTR format, va_list vl) { BOOL result; LPSTR buffer; if (!HlpPrintFormatBufferExA(&buffer, format, vl)) return FALSE; if (rtf->state & RDS_NEEDS_SPACE) { DmaStringWriteA(rtf->rtfDma, " "); rtf->state &= ~RDS_NEEDS_SPACE; } result = DmaStringWriteA(rtf->rtfDma, buffer); FREESTRING(buffer); return result; } ================================================ FILE: x64dbgApiBreak/src/settings.cpp ================================================ #include #define ABP_INT_VALUE 0 #define ABP_BOOL_VALUE 1 #define ABP_DOUBLE_VALUE 2 #define ABP_STRING_VALUE 3 #define ABP_SETTING_COUNT 6 #define ABS_EXPOSEDYNLDR 0 #define ABS_GETMODHANDLE 1 #define ABS_AUTOLOAD 2 #define ABS_SCANAGGRESSIVE 3 #define ABS_MAPCALLCONTEXT 4 #define ABS_SCRIPTS 5 struct { const char *key; int type; }AbpSettingList[ABP_SETTING_COUNT] = { {"ExposeDynLoads",ABP_BOOL_VALUE}, {"InclGetModHandle",ABP_BOOL_VALUE}, {"Autoload", ABP_BOOL_VALUE}, {"Scanaggrs", ABP_BOOL_VALUE}, {"Mapcallctx",ABP_BOOL_VALUE}, {"Scripts",ABP_STRING_VALUE} }; #define STNG_LOAD(id,val) AbpGetSetting(AbpSettingList[id].key,(char *)val,AbpSettingList[id].type) #define STNG_SAVE(id,val) AbpSetSetting(AbpSettingList[id].key,(char *)val,AbpSettingList[id].type) Settings AbpSettings = { 0 }; #define MAX_SETTING_STRING_SIZE 65536 bool AbpGetSetting(const char *key, char *valueBuf,int valueType) { union { int vint; double vdouble; }val; char valStack[32] = { 0 }; char *value; if (valueType == ABP_STRING_VALUE) value = valueBuf; else value = valStack; if (BridgeSettingGet("apibreak", key, value)) { switch (valueType) { case ABP_INT_VALUE: val.vint = atoi(value); memcpy(valueBuf, &val.vint, sizeof(int)); break; case ABP_BOOL_VALUE: *valueBuf = !(*value == '0'); break; case ABP_DOUBLE_VALUE: val.vdouble = atof(value); memcpy(valueBuf, &val.vdouble, sizeof(double)); break; case ABP_STRING_VALUE: //strcpy(valueBuf, value); break; } return true; } return false; } bool AbpSetSetting(const char *key, char *value, int valueType) { bool ok; union { char *intptr; int vint; bool vbool; double vdouble; }val; char vbStack[32] = { 0 }; char *valueBuf = NULL; if (valueType == ABP_STRING_VALUE) valueBuf = value; else valueBuf = vbStack; val.intptr = value; switch (valueType) { case ABP_INT_VALUE: _itoa(val.vdouble, valueBuf, 10); break; case ABP_BOOL_VALUE: *valueBuf = val.vbool ? '1' : '0'; *(valueBuf + 1) = 0; break; case ABP_DOUBLE_VALUE: sprintf(valueBuf, "%3.2f", val.vdouble); break; case ABP_STRING_VALUE: strcpy(valueBuf, value); break; } ok = BridgeSettingSet("apibreak", key, valueBuf); return ok; } bool AbSettingsLoad() { if (!AbpSettings.mainScripts) AbpSettings.mainScripts = ALLOCSTRINGA(MAX_SETTING_STRING_SIZE); if (!STNG_LOAD(ABS_EXPOSEDYNLDR, &AbpSettings.exposeDynamicApiLoads)) AbpSettings.exposeDynamicApiLoads = false; if (!STNG_LOAD(ABS_GETMODHANDLE, &AbpSettings.includeGetModuleHandle)) AbpSettings.includeGetModuleHandle = false; if (!STNG_LOAD(ABS_AUTOLOAD, &AbpSettings.autoLoadData)) AbpSettings.autoLoadData = false; if (!STNG_LOAD(ABS_SCANAGGRESSIVE, &AbpSettings.scanAggressive)) AbpSettings.scanAggressive = false; if (!STNG_LOAD(ABS_MAPCALLCONTEXT, &AbpSettings.mapCallContext)) AbpSettings.mapCallContext = false; STNG_LOAD(ABS_SCRIPTS, AbpSettings.mainScripts); return true; } bool AbSettingsSave() { if (!STNG_SAVE(ABS_EXPOSEDYNLDR, AbpSettings.exposeDynamicApiLoads)) return false; if (!STNG_SAVE(ABS_GETMODHANDLE, AbpSettings.includeGetModuleHandle)) return false; if (!STNG_SAVE(ABS_AUTOLOAD, AbpSettings.autoLoadData)) return false; if (!STNG_SAVE(ABS_SCANAGGRESSIVE, AbpSettings.scanAggressive)) return false; if (!STNG_SAVE(ABS_MAPCALLCONTEXT, AbpSettings.mapCallContext)) return false; if (!STNG_SAVE(ABS_SCRIPTS, AbpSettings.mainScripts)) return false; return true; } bool AbSettingsReset() { NOTIMPLEMENTED(); return false; } Settings *AbGetSettings() { return &AbpSettings; } void AbSettingsDestroyResources() { if (AbpSettings.mainScripts) { FREESTRING(AbpSettings.mainScripts); AbpSettings.mainScripts = NULL; } } ================================================ FILE: x64dbgApiBreak/src/structmemmap.cpp ================================================ #include #define MAX_TYPENAME_SIZE 128 #define ALLOCOBJECTLIST(type,count) RESIZEOBJECTLIST(type,NULL,count) #define SIZEOF_INT sizeof(int) #define SIZEOF_POINTER sizeof(void *) #define SIZEOF_CHAR 1 #define SIZEOF_WCHAR 2 #define SIZEOF_BYTE 1 #define SIZEOF_SHORT 2 #define SIZEOF_LONG 4 #define SIZEOF_LONGLONG 8 #define SIZEOF_WORD SIZEOF_SHORT #define SIZEOF_DWORD SIZEOF_LONG #define SIZEOF_QWORD SIZEOF_LONGLONG #define FAILBASE_SYSTEM 0 #define FAILBASE_PARSER FAILBASE_SYSTEM + 4 #define FS_MEMERR FAILBASE_SYSTEM + 1 #define FS_RESERVED1 FAILBASE_SYSTEM + 2 #define FS_RESERVED2 FAILBASE_SYSTEM + 3 #define FS_RESERVED3 FAILBASE_SYSTEM + 4 #define FS_MAPTYPE FAILBASE_PARSER + 1 #define FS_TYPENAME FAILBASE_PARSER + 2 #define FS_BRACKOPEN FAILBASE_PARSER + 3 #define FS_EXPECTFIELD FAILBASE_PARSER + 4 #define FS_BRACKCLOSE FAILBASE_PARSER + 5 #define FS_NOFIELDTYPE FAILBASE_PARSER + 6 #define FS_EXPECTFIELDNAME FAILBASE_PARSER + 7 #define FS_EXPECTSQUBRCKOPEN FAILBASE_PARSER + 8 #define FS_EXPECTSQUBRCKCLOSE FAILBASE_PARSER + 9 #define FS_EXPECTARRSIZE FAILBASE_PARSER + 10 #define FS_EXPECTSEMICOLON FAILBASE_PARSER + 11 #define FS_EXPECTNOTOP FAILBASE_PARSER + 12 #define FS_EXPECTPARANOPEN FAILBASE_PARSER + 13 #define FS_EXPECTPARANCLOSE FAILBASE_PARSER + 14 #define FS_EXPECTTYPE FAILBASE_PARSER + 15 #define FS_EXPECTARGNAME FAILBASE_PARSER + 16 #define FS_EXPECTMODNAME FAILBASE_PARSER + 17 #define FS_UNEXPECTED_TOKEN FAILBASE_PARSER + 18 #define FS_UNEXPECTED_SYTX_END FAILBASE_PARSER + 19 #define FS_TYPENOTFOUND FAILBASE_PARSER + 20 #define FS_EXPECTINCLFILEPATH FAILBASE_PARSER + 21 #define FS_EXPECTIDENT FAILBASE_PARSER + 22 typedef struct __Token { char token[256]; int col; int line; }*PToken, Token; //LINKED LIST #define RECORD_OF(node, type) ( (type)((node)->value) ) typedef struct __SLISTNODE { struct __SLISTNODE * next; void * value; }*PSLISTNODE, SLISTNODE; typedef struct { PSLISTNODE head; PSLISTNODE tail; LONG count; }*PSLIST, SLIST; //TYPED MEMORY MAP typedef void(*CONVERTER_METHOD)(char *, void *, bool); typedef struct { WORD cbSize; char typeName[MAX_TYPENAME_SIZE]; }*PGENERIC_DATATYPE_INFO; typedef struct { WORD cbSize; char typeName[MAX_TYPENAME_SIZE]; WORD size; BOOL isSigned; WORD linkIndex; CONVERTER_METHOD method; }*PPRIMITIVETYPEINFO, PRIMITIVETYPEINFO; #define SmmListOf(x) PSLIST typedef struct { WORD cbSize; char name[MAX_TYPENAME_SIZE]; DWORD structSize; SmmListOf(PSTRUCTMEMBERFIELD) fields; }*PSTRUCTINFO, STRUCTINFO; //////////////////////// typedef struct { char fieldName[128]; WORD arrSize; BOOL isArray; BOOL isPointer; BOOL isStruct; union { PPRIMITIVETYPEINFO primitiveType; PSTRUCTINFO structType; }type; }*PSTRUCTMEMBERFIELD, STRUCTMEMBERFIELD; typedef struct { char name[64]; BOOL isStructure; BOOL isPointer; BOOL isOutArg; union { PVOID holder; PSTRUCTINFO structInfo; PPRIMITIVETYPEINFO primitiveInfo; }typeInfo; }*PARGINFO, ARGINFO; typedef struct { union { PVOID u; PSTRUCTINFO typeStruct; PPRIMITIVETYPEINFO typePrimitive; }typeInfo; }*PRETINFO, RETINFO; #define CDI_FUNCTION_ARGUMENT 1 #define CDI_FUNCTION_RETURN 2 #define CDI_STRUCTURE_FIELD 3 typedef struct { USHORT type; union { PARGINFO argInfo; PRETINFO retInfo; PSTRUCTMEMBERFIELD fieldInfo; }u; }*PCOMMON_DATAFIELD_INFO,COMMON_DATAFIELD_INFO; typedef struct __FNSIGN { char name[256]; char module[256]; PARGINFO args; PRETINFO ret; SHORT argCount; BOOL hasOutArg; }*PFNSIGN, FNSIGN; typedef struct { const char * identName; PPRIMITIVETYPEINFO pti; }typeidents; typedef struct { char alias[64]; PVOID mappedType; }*PTYPEALIAS,TYPEALIAS; #define SMMP_PATH_STACKSIZE 10 typedef struct { struct { BOOL isLocal; WCHAR workDir[MAX_PATH]; }Stack[SMMP_PATH_STACKSIZE]; WORD spi; }PATH_STACK; static typeidents TYPE_IDENTS[] = { { "int",NULL }, { "uint",NULL }, { "char",NULL }, { "wchar",NULL }, { "byte",NULL }, { "ubyte",NULL }, { "short",NULL }, { "ushort",NULL }, { "long", NULL }, { "ulong",NULL }, { "long64",NULL }, { "ulong64",NULL }, //SPECIALS { "string",NULL }, { "wstring",NULL }, { "pointer",NULL }, { "archex", NULL } }; #define SMM_SPECIAL_PRIMITIVE_COUNT 4 #define MAX_TYPE_IDENTS sizeof(TYPE_IDENTS) / sizeof(typeidents) #define MAX_USABLE_TYPE_IDENTS (MAX_TYPE_IDENTS - SMM_SPECIAL_PRIMITIVE_COUNT) WCHAR SmmpScriptWorkDir[MAX_PATH] = { 0 }; WCHAR SmmpCurrentParsingFile[MAX_PATH] = { 0 }; BOOL SmmpWorkDirIsLocal = TRUE; PSLIST SmmpUserTypeList = NULL, SmmpFnSignList = NULL; PSLIST SmmpAliasList = NULL; PSLIST SmmpTypeList = NULL; PDMA SmmpParseErrorContent = NULL; PATH_STACK SmmpWorkDirStack; PATH_STACK SmmpParsingFileStack; #include #define RTFC_DEFAULT 0 #define RTFC_DARKRED 1 #define RTFC_DARKBLUE 2 #define RTFC_LIGHTBLUE 3 #define RTFC_LIGHTGREEN 4 #define RTFF_DEFAULT 0 void SmmpRegisterRtfColorAndFonts(Rtf * data) { //Build rtf color table data->RegisterColor(RGB(185, 0, 0)); //DARKRED data->RegisterColor(RGB(0, 0, 139)); //DARKBLUE data->RegisterColor(RGB(0, 77, 187)); //LIGHTBLUE data->RegisterColor(RGB(0, 176, 80)); //LIGHTGREEN data->RegisterFont("Segoe UI", 0); } const char *FAIL_MESSAGES[] = { "Memory alloc error", "", "", "", ///////////// "maptype keyword expected", "expected 'typename'", "expected '{'", "maptype body definition expected", "expected '}'", ///////////////////// "field type is not valid", "expected 'field name'", "expected '['", "expected ']", "expected array size", "expected ';' to complete field definition", /////////////// "expected '!'", "expected '('", "expected ')'", "type expected", "argument name expected", "module name expected", "unexpected token", "unexpected syntax ending", "Type not found", "filepath expected for @incl.", "identifier expected." }; void SmmpInitPathStack(PATH_STACK *pwds) { memset(pwds->Stack, 0, sizeof(pwds->Stack)); pwds->spi = SMMP_PATH_STACKSIZE; } void SmmpPushPath(PATH_STACK *pwds,WCHAR *path) { WORD spi = pwds->spi - 1; //Ps. Dont be confused. WORD is an unsinged type and //when it gets a less than zero value for exam (-1) //It's sign bit will be overflowed, and its evaluated as WORD's max value //That means the spi value will be greater than WORKDIR_STACKSIZE, //And We will know that the stack is full if (spi > SMMP_PATH_STACKSIZE) return; pwds->Stack[spi].isLocal = !HlpBeginsWithW(path, L"http", FALSE, 4); wcscpy(pwds->Stack[spi].workDir, path); pwds->spi--; } BOOL SmmpIsPreviousWorkdirLocal(PATH_STACK *pwds) { if (pwds->spi == SMMP_PATH_STACKSIZE) return FALSE; return pwds->Stack[pwds->spi + 1].isLocal; } BOOL SmmpPopPath(PATH_STACK *pwds, WCHAR *popPath, BOOL *isLocal) { WORD spi = pwds->spi; if (spi == SMMP_PATH_STACKSIZE) return FALSE; wcscpy(popPath, pwds->Stack[spi].workDir); if (isLocal) { *isLocal = pwds->Stack[spi].isLocal; SmmpWorkDirIsLocal = *isLocal; } pwds->spi++; return TRUE; } void SmmpRaiseParseError(LONG err, PToken tok) { const LONG totalErrString = sizeof(FAIL_MESSAGES) / sizeof(char *); LPSTR errorMessage = NULL, fileName = NULL; if (err >= 0 && err <= totalErrString) { if (!tok) { if (SmmpParseErrorContent) DmaStringWriteA(SmmpParseErrorContent, "%s\r\n", FAIL_MESSAGES[err - 1]); else DBGPRINT("%s", FAIL_MESSAGES[err - 1]); } else { fileName = HlpWideToAnsiString(SmmpCurrentParsingFile); HlpPrintFormatBufferA(&errorMessage, "Parsing error at \r\n%s\r\ncolumn: %d, line: %d\r\nerror: %s", fileName, tok->col, tok->line, FAIL_MESSAGES[err - 1]); MessageBoxA(NULL, errorMessage, "parse error", MB_ICONWARNING); FREESTRING(fileName); } } } BOOL SmmpCreateSLIST(PSLIST *list) { *list = ALLOCOBJECT(SLIST); if (*list != NULL) { RtlZeroMemory(*list, sizeof(SLIST)); return TRUE; } return FALSE; } BOOL SmmpAddSList(PSLIST list, void *value) { PSLISTNODE node; node = ALLOCOBJECT(SLISTNODE); if (!node) return FALSE; node->value = value; node->next = NULL; if (list->count == 0) { list->head = list->tail = node; list->count = 1; return TRUE; } list->tail->next = node; list->tail = node; list->count++; return TRUE; } void SmmpClearList(PSLIST list, BOOL memFreeValue) { PSLISTNODE tmp; while (list->head != NULL) { tmp = list->head->next; if (memFreeValue) FREEOBJECT(list->head->value); FREEOBJECT(list->head); list->head = tmp; } list->count = 0; } void SmmpDestroySList(PSLIST list) { if (list->head) SmmpClearList(list,FALSE); FREEOBJECT(list); } BOOL SmmCreateMapTypeInfo(const char *name, WORD size, BOOL isSigned, CONVERTER_METHOD method, WORD *index) { PPRIMITIVETYPEINFO pmti = NULL; if (strcmp(TYPE_IDENTS[*index].identName, name)) return FALSE; pmti = ALLOCOBJECT(PRIMITIVETYPEINFO); if (!pmti) return FALSE; pmti->cbSize = sizeof(PRIMITIVETYPEINFO); strcpy(pmti->typeName, name); pmti->size = size; pmti->isSigned = isSigned; TYPE_IDENTS[*index].pti = pmti; pmti->linkIndex = *index; pmti->method = method; (*index)++; SmmpAddSList(SmmpTypeList, pmti); return TRUE; } #include #define VALOFPTR(type, ptr) (*((type *)ptr)) #ifdef MAP_LOCAL #define IMPLEMENT_CONVERTER(name, type, format) #else #define IMPLEMENT_CONVERTER(name, type,format) void Convert ## name (char *buf, void *mem, bool isValue) { \ type tval; \ if (!isValue) \ AbMemReadGuaranteed((duint)mem,&tval,sizeof(tval)); \ else \ tval = (type)mem; \ sprintf(buf,format,tval); \ } #endif #pragma warning(disable:4477) IMPLEMENT_CONVERTER(Int, int, "%d") IMPLEMENT_CONVERTER(Uint, unsigned int, "%du") IMPLEMENT_CONVERTER(Char, CHAR, "%c") IMPLEMENT_CONVERTER(Wchar, WCHAR, "%c") IMPLEMENT_CONVERTER(Byte, CHAR, "%d") IMPLEMENT_CONVERTER(UByte, UCHAR, "%du") IMPLEMENT_CONVERTER(Short, SHORT, "%d") IMPLEMENT_CONVERTER(UShort, USHORT, "%du") IMPLEMENT_CONVERTER(Long, LONG, "%ld") IMPLEMENT_CONVERTER(ULong, ULONG, "%lu") IMPLEMENT_CONVERTER(Long64, LONGLONG, "%lld") IMPLEMENT_CONVERTER(ULong64, ULONGLONG, "%llu") IMPLEMENT_CONVERTER(Pointer, ARCHWIDE, "%p") #ifdef _WIN64 IMPLEMENT_CONVERTER(ArchHex, ULONGLONG,"%016x") #else IMPLEMENT_CONVERTER(ArchHex, ULONG, "%08x") #endif void ConvertString(char *buf, void *mem, bool dummy) { #ifdef MAP_LOCAL sprintf(buf, "\"%s\"", ((LPSTR)mem)); #else char lbuf[512]; if (!DbgGetStringAt((duint)mem, lbuf)) return; sprintf(buf, "\"%s\"", lbuf); #endif } void ConvertStringW(char *buf, void *mem, bool dummy) { #ifdef MAP_LOCAL ULONG slen; wchar_t exBuf[512]; slen = wsprintf(exBuf, L"L\"%s\"", (LPWSTR)mem); if (!slen) { *buf = '\0'; return; } if (!buf) return; WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, exBuf, slen, buf, slen, NULL, NULL); #else char lbuf[512]; if (!DbgGetStringAt((duint)mem, lbuf)) return; sprintf(buf, "%s", lbuf); #endif } BOOL SmmpTypeIsPrimitive(LPVOID typeData, BOOL *isPrimitive) { PGENERIC_DATATYPE_INFO gdti = (PGENERIC_DATATYPE_INFO)typeData; if (gdti->cbSize == sizeof(PRIMITIVETYPEINFO)) { *isPrimitive = TRUE; return TRUE; } else if (gdti->cbSize == sizeof(STRUCTINFO)) { *isPrimitive = FALSE; return TRUE; } return FALSE; } BOOL SmmpGetTypeInfoByName(const char *name, PVOID *info, BOOL *isPrimitive, BOOL dontCheckForUserTypes) { BOOL infoPtrPresent = info != NULL; BOOL isPrimitivePtrPresent = isPrimitive != NULL; //Search for primitives. for (DWORD nx=0; nx < MAX_TYPE_IDENTS; nx++) { if (!strcmp(TYPE_IDENTS[nx].identName, name)) { if (infoPtrPresent) *info = TYPE_IDENTS[nx].pti; if (isPrimitivePtrPresent) *isPrimitive = TRUE; return TRUE; } } //scan the alias list. for (PSLISTNODE node = SmmpAliasList->head; node != NULL; node = node->next) { if (!strcmp(RECORD_OF(node, PTYPEALIAS)->alias, name)) { if (infoPtrPresent) *info = RECORD_OF(node, PTYPEALIAS)->mappedType; if (isPrimitivePtrPresent) SmmpTypeIsPrimitive(*info, isPrimitive); return TRUE; } } if (dontCheckForUserTypes) { if (isPrimitivePtrPresent) *isPrimitive = FALSE; return FALSE; } if (isPrimitivePtrPresent) *isPrimitive = FALSE; for (PSLISTNODE node = SmmpUserTypeList->head; node != NULL; node = node->next) { if (!strcmp(RECORD_OF(node, PSTRUCTINFO)->name, name)) { if (infoPtrPresent) *info = RECORD_OF(node, PSTRUCTINFO); return TRUE; } } return FALSE; } BOOL SmmpRegisterAlias(const char *alias, const char *typeName) { PTYPEALIAS palias = NULL; PVOID type; if (!SmmpGetTypeInfoByName(typeName, &type, NULL, FALSE)) return FALSE; palias = ALLOCOBJECT(TYPEALIAS); if (!palias) return FALSE; if (strlen(alias) + 1 > 64) { FREEOBJECT(palias); return FALSE; } strcpy(palias->alias, alias); palias->mappedType = type; SmmpAddSList(SmmpAliasList, palias); return TRUE; } BOOL SmmpInitBaseAliases() { LONG success = 0; success += SmmpRegisterAlias("BYTE", "ubyte"); success += SmmpRegisterAlias("WORD", "ushort"); success += SmmpRegisterAlias("DWORD", "ulong"); success += SmmpRegisterAlias("QWORD", "ulong64"); return success; } BOOL SmmpInitBasePrimitiveTypes() { LONG success = 0; WORD index = 0; if (TYPE_IDENTS[0].pti != NULL) return TRUE; success += (LONG)SmmCreateMapTypeInfo("int", SIZEOF_INT, FALSE, ConvertInt, &index); success += (LONG)SmmCreateMapTypeInfo("uint", SIZEOF_INT, TRUE, ConvertUint, &index); success += (LONG)SmmCreateMapTypeInfo("char", SIZEOF_CHAR, FALSE, ConvertChar, &index); success += (LONG)SmmCreateMapTypeInfo("wchar", SIZEOF_WCHAR, FALSE, ConvertWchar, &index); success += (LONG)SmmCreateMapTypeInfo("byte", SIZEOF_BYTE, FALSE, ConvertByte, &index); success += (LONG)SmmCreateMapTypeInfo("ubyte", SIZEOF_BYTE, TRUE, ConvertUByte, &index); success += (LONG)SmmCreateMapTypeInfo("short", SIZEOF_SHORT, FALSE, ConvertShort, &index); success += (LONG)SmmCreateMapTypeInfo("ushort", SIZEOF_SHORT, FALSE, ConvertUShort, &index); success += (LONG)SmmCreateMapTypeInfo("long", SIZEOF_LONG, FALSE, ConvertLong, &index); success += (LONG)SmmCreateMapTypeInfo("ulong", SIZEOF_LONG, FALSE, ConvertULong, &index); success += (LONG)SmmCreateMapTypeInfo("long64", SIZEOF_LONGLONG, FALSE, ConvertLong64, &index); success += (LONG)SmmCreateMapTypeInfo("ulong64", SIZEOF_LONGLONG, FALSE, ConvertULong64, &index); success += (LONG)SmmCreateMapTypeInfo("string", SIZEOF_INT, FALSE, ConvertString, &index); success += (LONG)SmmCreateMapTypeInfo("wstring", SIZEOF_INT, FALSE, ConvertStringW, &index); success += (LONG)SmmCreateMapTypeInfo("pointer", SIZEOF_INT, FALSE, ConvertPointer, &index); success += (LONG)SmmCreateMapTypeInfo("archex", SIZEOF_POINTER, FALSE, ConvertArchHex, &index); if (success != index) { return FALSE; } return TRUE; } //maptype NAME { //typename fieldname1; //typename fieldname2; //typename[2] fieldname3; //typename * fieldname4; //} __forceinline BOOL SmmpNextnode(PSLISTNODE *node) { if ((*node)->next == NULL) return FALSE; (*node) = (*node)->next; return TRUE; } #define Stringof(node) (RECORD_OF((node), PToken)->token) #define OneWayExit(fs, exitLabel) { failStep = fs; goto exitLabel; } #define IsCurlyBrckOpen(node) (*Stringof(node) == '{') #define IsCurlyBrckClose(node) (*Stringof(node) == '}') #define IsSquareBrckOpen(node) (*Stringof(node) == '[') #define IsSquareBrckClose(node) (*Stringof(node) == ']') #define IsPtrChar(node) (*Stringof(node) == '*') #define IsSemiColon(node) (*Stringof(node) == ';') BOOL SmmpIsSpecialToken(char chr) { switch (chr) { case '(': case ')': case '[': case ']': case '{': case '}': case '*': case ';': case ',': case '!': return TRUE; } return FALSE; } BOOL SmmpIsNumeric(char c) { return c >= '0' && c <= '9'; } BOOL SmmpIsWhitespace(char c) { switch (c) { case '\r': case '\n': case '\t': case ' ': return TRUE; } return FALSE; } BOOL SmmpIsChar(char c) { return !SmmpIsWhitespace(c) && !SmmpIsNumeric(c) && !SmmpIsSpecialToken(c); } #define SmmpPushToken() { \ tok = ALLOCOBJECT(Token); \ strcpy(tok->token, buf); \ tok->col = col; \ tok->line = line; \ memset(buf, 0, sizeof(buf)); \ bufi = 0; \ SmmpAddSList(tokList, tok); \ } BOOL SmmpTokenize(LPCSTR typeDefString, PSLIST *tokenList) { char buf[512] = { 0 }; const char *p = typeDefString; int bufi = 0; PToken tok; BOOL numLoad = FALSE; BOOL skip = FALSE; int line = 1, col = 1; PSLIST tokList; if (!SmmpCreateSLIST(&tokList)) return FALSE; while (*p) { if (*p == '\n') { line++; col = 1; } else if (*p != '\r') col++; if (skip) { if (*p == '*' && *(p + 1) == '/') { p++; skip = FALSE; } p++; continue; } if (SmmpIsSpecialToken(*p)) { if (bufi > 0) SmmpPushToken(); tok = ALLOCOBJECT(Token); tok->token[0] = *p; tok->token[1] = 0; tok->col = col; tok->line = line; SmmpAddSList(tokList, tok); } else if (SmmpIsWhitespace(*p)) { if (bufi > 0) SmmpPushToken(); } else { //comment begin if (!skip && *p == '/' && *(p+1) == '*') { p++; skip = TRUE; } else buf[bufi++] = *p; } p++; } if (bufi > 0) SmmpPushToken(); *tokenList = tokList; return TRUE; } BOOL SmmpParseTypeField(PSLISTNODE *beginNode, PSTRUCTMEMBERFIELD *fieldPtr) { PSLISTNODE node = NULL; PPRIMITIVETYPEINFO pmti = NULL; PSTRUCTINFO pstr = NULL; PSTRUCTMEMBERFIELD field = NULL; BOOL success = FALSE; LONG failStep = 0; node = *beginNode; PVOID info; BOOL isPrimitive; if (!SmmpGetTypeInfoByName(Stringof(node), &info, &isPrimitive,FALSE)) OneWayExit(FS_NOFIELDTYPE, exit); field = ALLOCOBJECT(STRUCTMEMBERFIELD); memset(field, 0, sizeof(STRUCTMEMBERFIELD)); if (!field) OneWayExit(FS_MEMERR, exit); if (isPrimitive) field->type.primitiveType = (PPRIMITIVETYPEINFO)info; else { field->type.structType = (PSTRUCTINFO)info; field->isStruct = TRUE; } if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTFIELDNAME, exit); if (IsSquareBrckOpen(node)) { if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTARRSIZE, exit); if (!IsSquareBrckClose(node)) { field->arrSize = atoi(Stringof(node)); if (field->arrSize == 0) OneWayExit(FS_EXPECTARRSIZE, exit); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTSQUBRCKCLOSE, exit); field->isArray = TRUE; } else { field->arrSize = 1; field->isArray = TRUE; } if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTFIELDNAME, exit); } else if (IsPtrChar(node)) { field->isPointer = TRUE; if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTFIELDNAME, exit); } if (SmmpIsSpecialToken(*Stringof(node))) OneWayExit(FS_EXPECTFIELDNAME, exit); strcpy(field->fieldName, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTSEMICOLON, exit); if (!IsSemiColon(node)) OneWayExit(FS_EXPECTSEMICOLON, exit); if (!SmmpNextnode(&node)) OneWayExit(-1, exit); success = TRUE; exit: *beginNode = node; *fieldPtr = field; if (!success) SmmpRaiseParseError(failStep,RECORD_OF(node,PToken)); return success; } WORD SmmpParseTypeFields(PSLISTNODE *beginNode, PSTRUCTINFO typeInfo) { PSLISTNODE node; PSTRUCTMEMBERFIELD field; BOOL success = FALSE; node = *beginNode; if (!SmmpCreateSLIST(&typeInfo->fields)) return 0; while (node != NULL) { if (IsCurlyBrckClose(node)) break; if (SmmpParseTypeField(&node, &field)) { SmmpAddSList(typeInfo->fields, field); if (field->isArray) { if (field->isStruct) typeInfo->structSize += field->type.structType->structSize * field->arrSize; else typeInfo->structSize += field->type.primitiveType->size * field->arrSize; } else if (field->isPointer) typeInfo->structSize += SIZEOF_POINTER; else { if (field->isStruct) typeInfo->structSize += field->type.structType->structSize; else typeInfo->structSize += field->type.primitiveType->size; } } else break; } *beginNode = node; return (WORD)typeInfo->fields->count; } #define ARG_IN 1 #define ARG_OUT 2 BOOL SmmpParseFunctionSignature(PSLISTNODE *startNode, PFNSIGN *funcSign) { char name[128] = { 0 }, module[128] = { 0 }, buf[128] = { 0 }; char argType[64], argName[128]; PARGINFO argList = NULL; PRETINFO retInfo; SHORT argCount = 0; PFNSIGN fnSign = NULL; PVOID argTypeInfo = NULL, retTypeInfo = NULL; BOOL isPrimitive=FALSE,isPtr=FALSE; int argInOut = 0,failStep=0; PSLISTNODE node = (*startNode)->next; if (SmmpGetTypeInfoByName(Stringof(node), &retTypeInfo, NULL, FALSE)) { retInfo = ALLOCOBJECT(RETINFO); if (!retInfo) { RAISEGLOBALERROR("Memory allocation failed."); return FALSE; } retInfo->typeInfo.u = retTypeInfo; if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTMODNAME, finish); } strcpy(module, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTNOTOP, finish); if (*Stringof(node) != '!') OneWayExit(FS_EXPECTNOTOP, finish); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTMODNAME, finish); strcpy(name, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTPARANOPEN, finish); if (*Stringof(node) != '(') OneWayExit(FS_EXPECTPARANOPEN, finish); argList = ALLOCOBJECTLIST(ARGINFO, 10); fnSign = ALLOCOBJECT(FNSIGN); DBGPRINT("parsing signature %s!%s", module, name); if (SmmpIsSpecialToken(*Stringof(node))) { if (*Stringof(node) == ')') { FREEOBJECT(argList); argList = NULL; argCount = 0; goto finish; } } do { if (!SmmpNextnode(&node)) OneWayExit(FS_UNEXPECTED_SYTX_END, finish); memset(argType, 0, sizeof(argType)); memset(argName, 0, sizeof(argName)); argInOut = 0; isPtr = FALSE; if (SmmpIsSpecialToken(*Stringof(node))) OneWayExit(FS_UNEXPECTED_TOKEN, finish); if (!_stricmp(Stringof(node), "out")) argInOut = ARG_OUT; else if (!_stricmp(Stringof(node), "in")) argInOut = ARG_IN; if (argInOut > 0) { if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTTYPE, finish); if (SmmpIsSpecialToken(*Stringof(node))) OneWayExit(FS_EXPECTTYPE, finish); } strcpy(argType, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTARGNAME, finish); if (IsPtrChar(node)) { isPtr = TRUE; if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTARGNAME, finish); if (SmmpIsSpecialToken(*Stringof(node))) OneWayExit(FS_EXPECTARGNAME, finish); } strcpy(argName, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_UNEXPECTED_SYTX_END, finish); strcpy(argList[argCount].name, argName); if (!SmmpGetTypeInfoByName(argType, &argTypeInfo, &isPrimitive,FALSE)) { OneWayExit(FS_TYPENOTFOUND, finish); } argList[argCount].isStructure = !isPrimitive; argList[argCount].typeInfo.holder = argTypeInfo; argList[argCount].isOutArg = argInOut == ARG_OUT; argList[argCount].isPointer = isPtr; DBGPRINT("name: %s", argName); DBGPRINT("isStruct?: %d", !isPrimitive); DBGPRINT("isOut?: %d", argInOut == ARG_OUT); DBGPRINT("isPointer?: %d", isPtr); DBGPRINT("\n"); if (argInOut == ARG_OUT && !fnSign->hasOutArg) fnSign->hasOutArg = TRUE; argCount++; } while (*Stringof(node) == ','); if (*Stringof(node) != ')') { OneWayExit(FS_EXPECTPARANCLOSE, finish); } if (!SmmpNextnode(&node)) node = NULL; finish: if (failStep > 0) { SmmpRaiseParseError(failStep,RECORD_OF(node,PToken)); if (fnSign != NULL) FREEOBJECT(fnSign); if (argList != NULL) FREEOBJECT(argList); return FALSE; } fnSign->argCount = argCount; fnSign->args = argList; fnSign->ret = retInfo; strcpy(fnSign->name, name); strcpy(fnSign->module, module); *funcSign = fnSign; *startNode = node; return TRUE; } BOOL SmmpParseAlias(PSLISTNODE *startNode) { PSLISTNODE node = *startNode; char *realType, *aliasName; if (strcmp(Stringof(node), "alias")) return FALSE; if (!SmmpNextnode(&node)) { SmmpRaiseParseError(FS_EXPECTTYPE,RECORD_OF(node,PToken)); return FALSE; } realType = Stringof(node); if (!SmmpNextnode(&node)) { SmmpRaiseParseError(FS_EXPECTIDENT, RECORD_OF(node, PToken)); return FALSE; } aliasName = Stringof(node); if (!SmmpRegisterAlias(aliasName, realType)) { SmmpRaiseParseError(FS_TYPENOTFOUND, RECORD_OF(node, PToken)); return FALSE; } if (!SmmpNextnode(&node)) node = NULL; *startNode = node; return TRUE; } BOOL _SmmpParseType(PSLISTNODE *startNode, PSTRUCTINFO *typeInfo) { PSLISTNODE node = NULL; PSTRUCTINFO pti = NULL; BOOL success = FALSE; LONG failStep = 0; node = *startNode; if (strcmp(Stringof(node), "maptype")) { OneWayExit(FS_MAPTYPE, exit); } if (!SmmpNextnode(&node)) OneWayExit(FS_TYPENAME, exit); //typename expected pti = ALLOCOBJECT(STRUCTINFO); if (!pti) OneWayExit(FS_MEMERR, exit); memset(pti, 0, sizeof(STRUCTINFO)); pti->cbSize = sizeof(STRUCTINFO); if (SmmpIsSpecialToken(*Stringof(node))) OneWayExit(FS_TYPENAME, exit); strcpy(pti->name, Stringof(node)); if (!SmmpNextnode(&node)) OneWayExit(FS_BRACKOPEN, exit); //{ Expected if (!IsCurlyBrckOpen(node)) OneWayExit(FS_BRACKOPEN, exit); //{ expected if (!SmmpNextnode(&node)) OneWayExit(FS_EXPECTFIELD, exit); //Field definition expected //Compile fields if (!SmmpParseTypeFields(&node, pti)) OneWayExit(FS_EXPECTFIELD, exit); if (!IsCurlyBrckClose(node)) OneWayExit(FS_BRACKCLOSE, exit); //} expected if (!SmmpNextnode(&node)) node = NULL; success = TRUE; exit: *startNode = node; if (!success) SmmpRaiseParseError(failStep, RECORD_OF(node, PToken)); *typeInfo = pti; return success; } void SmmpDumpMapTypeInfo(PPRIMITIVETYPEINFO mti) { _DBGPRINT("Typename: %s\n", mti->typeName); _DBGPRINT("Size: %d\n", mti->size); _DBGPRINT("Signed: %d\n", mti->isSigned); } void SmmpDumpType(PSTRUCTINFO type) { PSTRUCTMEMBERFIELD field; _DBGPRINT("Name: %s\n", type->name); _DBGPRINT("---Fields---\n\n"); for (PSLISTNODE n = type->fields->head; n != NULL; n = n->next) { field = RECORD_OF(n, PSTRUCTMEMBERFIELD); if (field->isStruct) { SmmpDumpType(field->type.structType); return; } _DBGPRINT("Name: %s\n", field->fieldName); SmmpDumpMapTypeInfo(field->type.primitiveType); _DBGPRINT("Is Array: %d\n", field->isArray); if (field->isArray) _DBGPRINT("Array size: %d\n", field->arrSize); _DBGPRINT("Is pointer: %d\n\n", field->isPointer); } } //TODO: detect value or not value? BOOL SmmpMapForPrimitiveType(PGENERIC_DATATYPE_INFO pdi, Rtf *rtf, BYTE *mem, SHORT lastDepth, PCOMMON_DATAFIELD_INFO pcdi) { PPRIMITIVETYPEINFO pmti; BOOL pcdiPresent = pcdi != NULL; BOOL isPointer = FALSE, isArray = FALSE; ULONG arraySize = 0; char buffer[1024]; BOOL result = TRUE; bool isValue = false; if (pcdiPresent) { switch (pcdi->type) { case CDI_FUNCTION_ARGUMENT: if (!pcdi->u.argInfo->isStructure) pmti = pcdi->u.argInfo->typeInfo.primitiveInfo; else return FALSE; isPointer = pcdi->u.argInfo->isPointer; isArray = FALSE; arraySize = 0; break; case CDI_STRUCTURE_FIELD: if (!pcdi->u.fieldInfo->isStruct) pmti = pcdi->u.fieldInfo->type.primitiveType; else return FALSE; isPointer = pcdi->u.fieldInfo->isPointer; isArray = pcdi->u.fieldInfo->isArray; arraySize = isArray ? pcdi->u.fieldInfo->arrSize : 0; break; default: return FALSE; } } else pmti = (PPRIMITIVETYPEINFO)pdi; //Ignore return if (isPointer) { //'*' marked pointer type. we need to dereference and map isValue = false; if (!strcmp(pdi->typeName, "char")) pmti = TYPE_IDENTS[MAX_TYPE_IDENTS - 3].pti; //assume string converter else if (!strcmp(pdi->typeName, "wchar")) pmti = TYPE_IDENTS[MAX_TYPE_IDENTS - 2].pti; //assume wstring converter else if (!strcmp(pdi->typeName, "pointer")) pmti = TYPE_IDENTS[MAX_TYPE_IDENTS - 1].pti; //pointer itself converter pmti->method(buffer, mem, isValue); } else if (isArray) { //if char[] or wchar[] we can assume as string again if (!strcmp(pdi->typeName, "char")) pmti = TYPE_IDENTS[MAX_TYPE_IDENTS - 3].pti; else if (!strcmp(pdi->typeName, "wchar")) pmti = TYPE_IDENTS[MAX_TYPE_IDENTS - 2].pti; else { BYTE *arrPtr = (BYTE *)mem; for (ULONG i = 0;i < arraySize;i++) { //Map n. index of memory pmti->method(buffer, arrPtr, false); //increment pointer type of array memory mem += pmti->size; } memset(buffer, 0, sizeof(buffer)); goto oneWayExit; } } else { if (!strcmp(pdi->typeName, "string") || !strcmp(pdi->typeName, "wstring")) isValue = false; else isValue = true; pmti->method(buffer, mem, isValue); } oneWayExit: if (result) { rtf->Color(RTFC_DEFAULT)->FormatText(buffer); } return result; } BOOL SmmpMapForStructureType(PGENERIC_DATATYPE_INFO pdi, Rtf *rtf, BYTE *mem, SHORT lastDepth, PCOMMON_DATAFIELD_INFO pcdi); BOOL SmmpMapField(PSTRUCTMEMBERFIELD ptif, Rtf* rtf, BYTE *mem,SHORT lastDepth) { COMMON_DATAFIELD_INFO cdi; PPRIMITIVETYPEINFO pmti = NULL; BYTE *memArr = NULL; cdi.type = CDI_STRUCTURE_FIELD; cdi.u.fieldInfo = ptif; if (ptif->isStruct) return SmmpMapForStructureType((PGENERIC_DATATYPE_INFO)ptif->type.structType, rtf, mem, lastDepth + 1, &cdi); return SmmpMapForPrimitiveType((PGENERIC_DATATYPE_INFO)ptif->type.primitiveType, rtf, mem, lastDepth + 1, &cdi); } BOOL SmmpMapForStructureType(PGENERIC_DATATYPE_INFO pdi, Rtf *rtf, BYTE *mem, SHORT lastDepth, PCOMMON_DATAFIELD_INFO pcdi) { PSTRUCTMEMBERFIELD ptif = NULL; PSTRUCTINFO psi = (PSTRUCTINFO)pdi; DWORD typeSize = 0; char buf[512]; rtf->FormatText("(Struct of %s) = ", psi->name)->NewLine(1); rtf->NewTab(lastDepth)->FormatText("[")->NewLine(1); for (PSLISTNODE node = psi->fields->head; node != NULL; node = node->next) { ptif = RECORD_OF(node, PSTRUCTMEMBERFIELD); memset(buf, 0, sizeof(buf)); rtf->Style(RTFS_TAB, lastDepth + 1)->FormatText("%s = ", ptif->fieldName); if (!SmmpMapField(ptif, rtf, mem,lastDepth)) return FALSE; rtf->Style(RTFS_NEWLINE); typeSize = ptif->isStruct ? ptif->type.structType->structSize : ptif->type.primitiveType->size; if (ptif->isArray) mem += typeSize * ptif->arrSize; else if (ptif->isPointer) mem += SIZEOF_POINTER; else mem += typeSize; } rtf->NewTab(lastDepth)->FormatText("]")->NewLine(1); return TRUE; } BOOL SmmMapFunctionCall(PPASSED_PARAMETER_CONTEXT passedParams, PFNSIGN fnSign, ApiFunctionInfo *afi, LPSTR *mapResult) { PARGINFO argInfo; BOOL isPrimitive; BYTE *mem; PGENERIC_DATATYPE_INFO pdi; COMMON_DATAFIELD_INFO cdi; Rtf *rtf; rtf = new Rtf(); SmmpRegisterRtfColorAndFonts(rtf); if (_stricmp(fnSign->module, afi->ownerModule->name) || _stricmp(fnSign->name, afi->name)) return FALSE; rtf->Style(RTFS_BOLD)->Font(RTFF_DEFAULT)->FontSize(22) ->FormatText("Map for ")->Color(RTFC_DARKBLUE) ->FormatText("%s", fnSign->module)->Color(RTFC_DEFAULT) ->FormatText("!")->Color(RTFC_DARKRED) ->FormatText("%s", fnSign->name)->Color(RTFC_DEFAULT) ->FormatText("(")->NewLine(1); for (int i = 0;i < fnSign->argCount;i++) { argInfo = &fnSign->args[i]; pdi = (PGENERIC_DATATYPE_INFO)argInfo->typeInfo.holder; isPrimitive = pdi->cbSize == sizeof(PRIMITIVETYPEINFO); rtf->Style(RTFS_TAB, 1)->Color(RTFC_DEFAULT) ->FormatText("Arg#%d (", i + 1)->Color(RTFC_LIGHTGREEN) ->FormatText("Name")->Color(RTFC_DARKRED) ->FormatText(": %s, ", argInfo->name) ->Color(RTFC_LIGHTGREEN)->FormatText("Type") ->Color(RTFC_DEFAULT)->FormatText(": %s) = ", pdi->typeName); mem = (BYTE *)passedParams->paramList[i]; cdi.type = CDI_FUNCTION_ARGUMENT; cdi.u.argInfo = argInfo; if (isPrimitive) SmmpMapForPrimitiveType(pdi, rtf, mem, 0, &cdi); else { //I need a special formatting for function map of the user types!! SmmpMapForStructureType(pdi, rtf, mem, 0,&cdi); } rtf->Style(RTFS_NEWLINE); } rtf->FormatText(");")->NewLine(2); *mapResult = rtf->GetRtf(); delete rtf; return TRUE; } BOOL SmmMapMemoryForType(void *memory, ULONG size, const char *typeName) { Rtf *rtf; BOOL result, isPrimitive; PGENERIC_DATATYPE_INFO pdi; rtf = new Rtf(); for (PSLISTNODE node = SmmpTypeList->head; node != NULL; node = node->next) { pdi = RECORD_OF(node, PGENERIC_DATATYPE_INFO); if (!strcmp(pdi->typeName, typeName)) { isPrimitive = pdi->cbSize == sizeof(PRIMITIVETYPEINFO); if (isPrimitive) result = SmmpMapForPrimitiveType(pdi, rtf, (BYTE *)memory, 0, NULL); else result = SmmpMapForStructureType(pdi, rtf, (BYTE *)memory, 0, NULL); break; } } delete rtf; return result; } BOOL SmmGetFunctionSignature(const char *module, const char *function, PFNSIGN *signInfo) { PFNSIGN fnSign; if (!signInfo) return FALSE; for (PSLISTNODE node = SmmpFnSignList->head; node != NULL; node = node->next) { fnSign = RECORD_OF(node, PFNSIGN); if (!_stricmp(fnSign->module, module) && !_stricmp(fnSign->name, function)) { *signInfo = fnSign; return TRUE; } } *signInfo = NULL; return FALSE; } BOOL SmmGetFunctionSignature2(ApiFunctionInfo *afi, PFNSIGN *signInfo) { if (!afi) return FALSE; if (!signInfo) return FALSE; return SmmGetFunctionSignature(afi->ownerModule->name, afi->name, signInfo); } SHORT SmmGetArgumentCount(PFNSIGN signInfo) { if (!signInfo) return -1; return signInfo->argCount; } BOOL SmmSigHasOutArgument(PFNSIGN signInfo) { if (!signInfo) return FALSE; return signInfo->hasOutArg; } BOOL SmmpIsFullPathOrURL(LPCWSTR str, BOOL *isLocal) { if (HlpBeginsWithW(str + 1, L":\\\\", TRUE, 3)) { *isLocal = TRUE; return TRUE; } if (HlpBeginsWithW(str, L"http", FALSE, 4)) { *isLocal = FALSE; return TRUE; } return FALSE; } void SmmpBuildNewFileOrURL(LPWSTR buffer, ULONG bufSize, LPWSTR objectName) { BOOL isLocal; WCHAR sepFind, sepRepl; LPWSTR ptr; if (SmmpIsFullPathOrURL(objectName, &isLocal)) { wcscpy(buffer, objectName); return; } SmmpIsFullPathOrURL(SmmpScriptWorkDir, &isLocal); if (!isLocal) { sepFind = '\\'; sepRepl = '/'; } else { sepFind = '/'; sepRepl = '\\'; } memset(buffer, 0, bufSize); wsprintfW(buffer, L"%s%s", SmmpScriptWorkDir, objectName); ptr = (LPWSTR)buffer; while (*ptr) { if (*ptr == sepFind) *ptr = sepRepl; ptr++; } } BOOL SmmpParseType(LPCSTR typeDefString, WORD *typeCount) { PSLIST tokenList; PSLISTNODE node; PSTRUCTINFO typeInfo = NULL; PFNSIGN fnSign = NULL; WORD compiledTypeCount = 0; LONG err = -1; LPWSTR inclFileW = NULL; WCHAR fullInclFileW[MAX_PATH]; BOOL success = FALSE; if (!SmmpTokenize(typeDefString, &tokenList)) return FALSE; node = tokenList->head; while (node != NULL) { if (!_stricmp(Stringof(node),"@incl")) { if (!SmmpNextnode(&node)) err = FS_EXPECTINCLFILEPATH; if (!HlpTrimChar(Stringof(node), '\'', HLP_TRIM_BOTH)) err = FS_EXPECTINCLFILEPATH; if (err >= 0) { SmmpRaiseParseError(err, RECORD_OF(node, PToken)); goto exit; } inclFileW = HlpAnsiToWideString(Stringof(node)); if (!inclFileW) goto exit; SmmpBuildNewFileOrURL(fullInclFileW, sizeof(fullInclFileW), inclFileW); FREESTRING(inclFileW); SmmParseFromFileW(fullInclFileW, typeCount); if (!SmmpNextnode(&node)) node = NULL; continue; } else if (!_stricmp(Stringof(node), "fnsign")) { if (!SmmpParseFunctionSignature(&node, &fnSign)) { goto exit; } SmmpAddSList(SmmpFnSignList, fnSign); } else if (!_stricmp(Stringof(node), "maptype")) { if (!_SmmpParseType(&node, &typeInfo)) { //release all goto exit; } SmmpAddSList(SmmpUserTypeList, typeInfo); SmmpAddSList(SmmpTypeList, typeInfo); compiledTypeCount++; SmmpDumpType(typeInfo); } else if (!_stricmp(Stringof(node), "alias")) { if (!SmmpParseAlias(&node)) goto exit; } else { SmmpRaiseParseError(FS_UNEXPECTED_TOKEN, RECORD_OF(node, PToken)); goto exit; } } success = TRUE; if (typeCount) *typeCount += compiledTypeCount; exit: for (PSLISTNODE node = tokenList->head; node != NULL; node = node->next) FREEOBJECT(node->value); SmmpDestroySList(tokenList); return success; } BOOL SmmParseType(LPCSTR typeDefString, WORD *typeCount) { BOOL success = FALSE; if (!typeCount) return FALSE; success = SmmpParseType(typeDefString,typeCount); if (!success) SmmReleaseResources(false); return success; } BOOL SmmpParseFromInternet(LPCWSTR sourceUrl, WORD *typeCount) { BYTE* content; ULONG contentLen; BOOL result; if (!UtlInternetReadW(sourceUrl, &content, &contentLen)) return FALSE; result = SmmParseType((LPCSTR)content, typeCount); if (result) AbMemoryFree(content); return result; } BOOL SmmParseFromFileW(LPCWSTR fileName, WORD *typeCount) { HANDLE fileHandle = NULL; char *fileContent = NULL; DWORD fsLo, fsHi, read; BOOL result = FALSE; WCHAR workDir[MAX_PATH]; BOOL isInetSource,workDirStacked=FALSE; wcscpy(SmmpCurrentParsingFile, fileName); SmmpPushPath(&SmmpParsingFileStack, (WCHAR *)fileName); isInetSource = HlpBeginsWithW(fileName, L"http", FALSE, 4); //Initial if (!SmmpFnSignList) { //change prototype to const wstr if (!HlpPathFromFilenameW((LPWSTR)fileName, SmmpScriptWorkDir, MAX_PATH,isInetSource?L'/':L'\\')) return FALSE; SmmpWorkDirIsLocal = !isInetSource; } else { HlpPathFromFilenameW((LPWSTR)fileName, workDir, MAX_PATH, isInetSource ? L'/' : L'\\'); if (_wcsicmp(workDir, SmmpScriptWorkDir)) { SmmpPushPath(&SmmpWorkDirStack, SmmpScriptWorkDir); SmmpWorkDirIsLocal = !isInetSource; wcscpy(SmmpScriptWorkDir, workDir); workDirStacked = TRUE; } } if (isInetSource) { result = SmmpParseFromInternet((LPCWSTR)fileName, typeCount); if (workDirStacked) { SmmpPopPath(&SmmpWorkDirStack,SmmpScriptWorkDir,&isInetSource); } SmmpPopPath(&SmmpParsingFileStack, SmmpCurrentParsingFile, NULL); return result; } fileHandle = CreateFileW(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); if (fileHandle == INVALID_HANDLE_VALUE) goto exit; fsLo = GetFileSize(fileHandle, &fsHi); if (fsHi > 0) { //Hollyshit. Are you really sure that is it contains plain text? goto exit; } //Is it also larger than 1Meg for a standart text file. if (fsLo >= 0x100000) goto exit; fileContent = (char *)AbMemoryAlloc(fsLo); if (!fileContent) goto exit; if (!ReadFile(fileHandle, fileContent, fsLo, &read, NULL)) goto exit; result = SmmParseType(fileContent, typeCount); exit: SmmpPopPath(&SmmpParsingFileStack, SmmpCurrentParsingFile, NULL); if (fileContent) AbMemoryFree(fileContent); CloseHandle(fileHandle); if (workDirStacked) { SmmpPopPath(&SmmpWorkDirStack,SmmpScriptWorkDir, &isInetSource); } return result; } BOOL SmmParseFromFileA(LPCSTR fileName, WORD *typeCount) { LPCWSTR fileNameW = NULL; BOOL result; fileNameW = HlpAnsiToWideString(fileName); if (!fileNameW) return FALSE; result = SmmParseFromFileW(fileNameW, typeCount); FREESTRING(fileNameW); return result; } BOOL SmmHasParseError(LPSTR *errorString) { ARCHWIDE written = 0; if (!SmmpParseErrorContent) return FALSE; DmaGetAdapterInfo(SmmpParseErrorContent, &written, NULL); if (written > 0) { DmaTakeMemoryOwnership(SmmpParseErrorContent, (void **)errorString); return TRUE; } return FALSE; } VOID SmmInitializeResources() { bool success = false; if (!SmmpCreateSLIST(&SmmpFnSignList)) goto exit; if (!SmmpCreateSLIST(&SmmpTypeList)) goto exit; if (!SmmpCreateSLIST(&SmmpUserTypeList)) goto exit; if (!SmmpCreateSLIST(&SmmpAliasList)) goto exit; if (!SmmpInitBasePrimitiveTypes()) goto exit; if (!SmmpInitBaseAliases()) goto exit; DmaCreateAdapter(sizeof(char), 64, &SmmpParseErrorContent); SmmpInitPathStack(&SmmpParsingFileStack); SmmpInitPathStack(&SmmpWorkDirStack); success = true; exit: if (!success) SmmReleaseResources(true); } VOID SmmReleaseResources(bool fullRelease) { PGENERIC_DATATYPE_INFO gdi; PFNSIGN fnSign; BOOL isPrimv = FALSE; if (fullRelease) { RtlZeroMemory(TYPE_IDENTS, sizeof(typeidents) * MAX_TYPE_IDENTS); } if (SmmpUserTypeList != NULL) { SmmpClearList(SmmpUserTypeList,FALSE); if (fullRelease) { SmmpDestroySList(SmmpUserTypeList); SmmpUserTypeList = NULL; } } if (SmmpAliasList != NULL) { SmmpClearList(SmmpAliasList,TRUE); if (fullRelease) { SmmpDestroySList(SmmpAliasList); SmmpAliasList = NULL; } } if (SmmpTypeList != NULL) { for (PSLISTNODE node = SmmpTypeList->head; node != NULL; node = node->next) { gdi = RECORD_OF(node, PGENERIC_DATATYPE_INFO); SmmpTypeIsPrimitive(gdi, &isPrimv); if (!isPrimv) { for (PSLISTNODE fieldNode = ((PSTRUCTINFO)gdi)->fields->head; fieldNode != NULL; fieldNode = fieldNode->next) { FREEOBJECT(RECORD_OF(fieldNode, PSTRUCTMEMBERFIELD)); } SmmpDestroySList(((PSTRUCTINFO)gdi)->fields); } FREEOBJECT(gdi); } SmmpClearList(SmmpTypeList,FALSE); if (fullRelease) { SmmpDestroySList(SmmpTypeList); SmmpTypeList = NULL; } } if (SmmpFnSignList != NULL) { for (PSLISTNODE node = SmmpFnSignList->head; node != NULL; node = node->next) { fnSign = RECORD_OF(node, PFNSIGN); if (fnSign->ret) FREEOBJECT(fnSign->ret); if (fnSign->args) FREEOBJECT(fnSign->args); RtlZeroMemory(fnSign, sizeof(FNSIGN)); FREEOBJECT(fnSign); } SmmpClearList(SmmpFnSignList,FALSE); if (fullRelease) { SmmpDestroySList(SmmpFnSignList); SmmpFnSignList = NULL; } } SmmpInitPathStack(&SmmpWorkDirStack); SmmpInitPathStack(&SmmpParsingFileStack); if (SmmpParseErrorContent) { DmaDestroyAdapter(SmmpParseErrorContent); SmmpParseErrorContent = NULL; } } ================================================ FILE: x64dbgApiBreak/src/syslib.cpp ================================================ #include #define TRY_MAX_WAITMS 1000 #define TRY_WAIT_PERCALL 20 #define TRY_COUNT (TRY_MAX_WAITMS / TRY_WAIT_PERCALL) #include typedef struct __MEMLIST_ENTRY { ULONG magic; struct __MEMLIST_ENTRY * next; struct __MEMLIST_ENTRY * prev; void * mem; ULONG size; BOOL track; char function[128]; char filename[256]; ULONG line; }*PMEMLIST_ENTRY,MEMLIST_ENTRY; typedef struct __MEMLIST { PMEMLIST_ENTRY head; PMEMLIST_ENTRY tail; volatile ULONG spinLock; }*PMEMLIST,MEMLIST; #define MEMLIST_ENTRY_MAGIC 0xBAAD7337 MEMLIST AbpMemList = { 0 }; void AcqMemListSpinlock() { while (InterlockedCompareExchange(&AbpMemList.spinLock, 1, 0) == 1) _mm_pause(); } void RelMemListSpinlock() { InterlockedExchange(&AbpMemList.spinLock, 0); } bool AbMemReadGuaranteed(duint va, void *dest, duint size) { bool success = false; int limit = TRY_COUNT; if (!AbHasDebuggingProcess()) return false; //Another ugly hack here //x64dbg has a bug https://github.com/x64dbg/x64dbg/issues/1475 while (limit-- != 0) { if (!DbgMemRead(va, dest, size)) Sleep(TRY_WAIT_PERCALL); else { success = true; break; } } return success; } void *_AbMemoryAlloc(int size) { if (size <= 0) return NULL; return HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)size); } void *_AbMemoryRealloc(void *memPtr, int newSize) { if (newSize <= 0) return NULL; if (!memPtr) return _AbMemoryAlloc(newSize); return HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, memPtr, newSize); } void _AbMemoryFree(void *memPtr) { if (!memPtr) return; HeapFree(GetProcessHeap(), 0, (LPVOID)memPtr); } #ifdef TRACK_MEMORY_ALLOCATIONS void AbRevealPossibleMemoryLeaks() { DBGPRINT("Checking for possible leaked memory blocks"); if (!AbpMemList.head) { DBGPRINT("Great! Everything's fine. No leaked memory!"); return; } DBGPRINT("Oh no. There is a some memory leak."); for (PMEMLIST_ENTRY entry = AbpMemList.head; entry != NULL; entry = entry->next) { DBGPRINT("Leaked memory at %p (%d bytes) | %s %s:%d", entry->mem, entry->size, entry->filename, entry->function, entry->line); } } void *AbMemoryAlloc_DBG(int size, const char *file, const char *func, const int line) { PMEMLIST_ENTRY entry; PVOID umem; int realSize = size + sizeof(MEMLIST_ENTRY); entry = (PMEMLIST_ENTRY)_AbMemoryAlloc(realSize); if (!entry) return FALSE; umem = ((BYTE *)entry) + sizeof(MEMLIST_ENTRY); entry->magic = MEMLIST_ENTRY_MAGIC; entry->next = NULL; entry->prev = NULL; entry->mem = umem; entry->size = size; if (file != NULL) strcpy_s(entry->filename, file); else strcpy_s(entry->filename, "vclib"); if (func != NULL) strcpy_s(entry->function, func); else strcpy_s(entry->function, "unknown"); entry->line = line; AcqMemListSpinlock(); if (!AbpMemList.head) { AbpMemList.head = AbpMemList.tail = entry; } else { entry->prev = AbpMemList.tail; AbpMemList.tail->next = entry; AbpMemList.tail = entry; } RelMemListSpinlock(); return umem; } #define ASSERT(x) if (!(x)) DBGPRINT("Assertation failed. %s",#x) void dumpNode(PMEMLIST_ENTRY entry) { DBGPRINT("ENTRY_DUMP_BEGIN"); DBGPRINT("entry = %p, entry->next = %p, entry->prev = %p", entry, entry->next, entry->prev); DBGPRINT("entry data: %s %s:%d", entry->filename, entry->function, entry->line); DBGPRINT("entry->mem = %p", entry->mem); DBGPRINT("\n"); } PMEMLIST_ENTRY AbpValidateAndProbe(void *memPtr) { PMEMLIST_ENTRY entry = NULL; BYTE *realMemAddr = NULL; realMemAddr = ((BYTE *)memPtr) - sizeof(MEMLIST_ENTRY); entry = (PMEMLIST_ENTRY)realMemAddr; __try { if (entry->magic != MEMLIST_ENTRY_MAGIC) return NULL; if (entry->mem != memPtr) return NULL; } __except(EXCEPTION_CONTINUE_EXECUTION) { return NULL; } return entry; } void *AbMemoryRealloc_DBG(void *memPtr, int newSize, const char *file, const char *func, const int line) { PMEMLIST_ENTRY entry, oldEntry,prevEntry, nextEntry; BYTE *realMem, *reallocMem; if (!memPtr) return AbMemoryAlloc_DBG(newSize, file, func, line); entry = AbpValidateAndProbe(memPtr); if (!entry) { DBGPRINT("Invalid memory address %p", memPtr); return NULL; } realMem = (BYTE *)entry; AcqMemListSpinlock(); prevEntry = entry->prev; nextEntry = entry->next; reallocMem = (BYTE *)AbMemoryRealloc_DBG(realMem, sizeof(MEMLIST_ENTRY) + newSize,file,func,line); if (!reallocMem) return NULL; oldEntry = entry; entry = (PMEMLIST_ENTRY)reallocMem; if (entry->track) DBGPRINT("reallocating memory %p. old = %p, new = %p (%s:%d)", entry, entry, reallocMem, entry->filename, entry->line); if (realMem != reallocMem) { entry->mem = reallocMem + sizeof(MEMLIST_ENTRY); //Update previous's next with new allocated node address if (prevEntry) prevEntry->next = entry; //Update next's previous with new alloacted node address if (nextEntry) nextEntry->prev = entry; //if oldentry was list's head. we have to also update head if (oldEntry == AbpMemList.head) AbpMemList.head = entry; //if oldentry was list's tail we have to also update tail if (oldEntry == AbpMemList.tail) AbpMemList.tail = entry; } ASSERT(entry->prev == prevEntry); ASSERT(entry->next == nextEntry); entry->size = newSize; RelMemListSpinlock(); return reallocMem + sizeof(MEMLIST_ENTRY); } void AbMemoryFree_DBG(void *memPtr) { PMEMLIST_ENTRY entry; if (!memPtr) return; entry = AbpValidateAndProbe(memPtr); if (!entry) { DBGPRINT("invalid memory %p", memPtr); return; } if (entry->track) DBGPRINT("%p is being freed", memPtr); AcqMemListSpinlock(); if (entry == AbpMemList.head && entry == AbpMemList.tail) { AbpMemList.head = AbpMemList.tail = NULL; } else if (entry == AbpMemList.head) { AbpMemList.head = entry->next; if (entry->next) entry->next->prev = NULL; } else if (entry == AbpMemList.tail) { AbpMemList.tail = entry->prev; if (entry->prev) entry->prev->next = NULL; } else { entry->prev->next = entry->next; entry->next->prev = entry->prev; } RtlZeroMemory(entry, sizeof(MEMLIST_ENTRY)); _AbMemoryFree(entry); RelMemListSpinlock(); } //#define SKIP_UNNAMED_ALLOCATION #ifdef __cplusplus #if defined(new) #undef new #endif void *operator new(size_t size, char *func, char *file, int line) { return AbMemoryAlloc_DBG(size, func, file, line); } void *operator new(size_t size) { #ifdef SKIP_UNNAMED_ALLOCATION return malloc(size); #else return AbMemoryAlloc_DBG(size, NULL, NULL, 0); #endif } void operator delete(void *memory, char *func, char *file, int line) { operator delete(memory); } void operator delete(void *memory) { AbMemoryFree_DBG(memory); } #endif #else void AbRevealPossibleMemoryLeaks() { DBGPRINT("Memory allocation tracker disabled.!"); } #endif void AbTrackMemory_DBG(void *memPtr) { PMEMLIST_ENTRY entry; if (!memPtr) return; entry = AbpValidateAndProbe(memPtr); if (!entry) { DBGPRINT("invalid memory %p", memPtr); return; } DBGPRINT("memory %p will be tracked.", memPtr); entry->track = TRUE; } ================================================ FILE: x64dbgApiBreak/src/ui/ui.cpp ================================================ #include #include #include using namespace std; #pragma comment(lib,"Comctl32.lib") #define SWP_FLAG_ONLY_RESIZE (SWP_NOMOVE | SWP_NOREPOSITION | SWP_NOZORDER) #define SWP_FLAG_RESIZE_AND_MOVE (SWP_NOREPOSITION | SWP_NOZORDER) #define PSEUDO_HANDLE_VALUE ((HANDLE)((ULONG_PTR)-2)) #if _DEBUG #define UITHREAD_WAIT_TIME INFINITE #else #define UITHREAD_WAIT_TIME 10 * 1000 #endif #ifdef _DEBUG volatile UCHAR UiStepTraceEnd = 0; #endif typedef struct tagIntParam { WORD intParamMagic; void *userParam; WINDOWCREATIONINFO *wci; }INTPARAM; map *gp_windowMap; void __UiRaiseDisposeCallback(UIOBJECT *ui); UIOBJECT *__UiGetMappedUiObject(HWND hwnd) { map::iterator iter; if (gp_windowMap == NULL) return NULL; iter = gp_windowMap->find(hwnd); if (iter == gp_windowMap->end()) return NULL; return iter->second; } #define __UiIsMappedHwnd(hwnd) (__UiGetMappedUiObject(hwnd) != NULL) BOOL __UiMapUiObject(UIOBJECT *uiObj) { if (gp_windowMap == NULL) { gp_windowMap = new map(); } if (__UiIsMappedHwnd(uiObj->hwnd)) return FALSE; gp_windowMap->insert(make_pair(uiObj->hwnd, uiObj)); return TRUE; } UIOBJECT *__UiUnmapHwnd(HWND hwnd) { UIOBJECT *uiObj; map::iterator iter; iter = gp_windowMap->find(hwnd); if (iter == gp_windowMap->end()) return NULL; uiObj = iter->second; gp_windowMap->erase(iter); return uiObj; } __forceinline PVOID _UiDecodeParamPointer(PVOID param) { INTPARAM *intParam; if (param == NULL) return NULL; intParam = (INTPARAM *)param; if (intParam->intParamMagic == 0x4950) { return intParam->userParam; } return param; } void __UiRaiseDisposeCallback(UIOBJECT *ui) { if (ui->uiDisposer) ui->uiDisposer(); } BOOL UipWaitUiThreadUntilExit(HANDLE thread) { HANDLE realHandle; if (thread == PSEUDO_HANDLE_VALUE) { //If thread has pseudo handle. We must convert //to real handle using DuplicateHandle if (!DuplicateHandle( GetCurrentProcess(), thread, GetCurrentProcess(), &realHandle, 0, FALSE, DUPLICATE_SAME_ACCESS) ) { return FALSE; } } else realHandle = thread; if (WaitForSingleObject(realHandle, UITHREAD_WAIT_TIME) == WAIT_OBJECT_0) CloseHandle(realHandle); //else, the ui thread is also using for another job. return TRUE; } INT_PTR CALLBACK _UiMainWndProc(HWND hwnd, UINT Msg, WPARAM wParam, LPARAM lParam) { INITCOMMONCONTROLSEX icc; INT_PTR ret; UIOBJECT *uiObject = __UiGetMappedUiObject(hwnd); PVOID validParam = NULL; if (uiObject != NULL) validParam = _UiDecodeParamPointer(uiObject->param); switch (Msg) { case WM_INITDIALOG: { uiObject = (UIOBJECT *)lParam; uiObject->hwnd = hwnd; __UiMapUiObject(uiObject); validParam = _UiDecodeParamPointer(uiObject->param); icc.dwSize = sizeof(INITCOMMONCONTROLSEX); icc.dwICC = ICC_STANDARD_CLASSES; InitCommonControlsEx(&icc); ret = uiObject->dlgProc(hwnd, Msg, wParam, lParam, validParam); return ret; } break; case WM_CLOSE: { ret = uiObject->dlgProc(hwnd, Msg, wParam, lParam, validParam); uiObject->result = 0; DestroyWindow(hwnd); //Dispatch WM_DESTROY return ret; } break; case WM_DESTROY: { uiObject->isUiOutside = FALSE; PostQuitMessage(0); return 0; } break; default: { if (!uiObject) return FALSE; } } return uiObject->dlgProc(hwnd, Msg, wParam, lParam, validParam); } //We need unicode resource #undef RT_DIALOG #define RT_DIALOG MAKEINTRESOURCEW(5) LPCDLGTEMPLATEW IntUiGetDialogTemplate(UINT dlgResourceId) { HRSRC res; HGLOBAL templ; res = FindResourceW(AbPluginModule, MAKEINTRESOURCEW(dlgResourceId), RT_DIALOG); if (res == NULL) { DBGPRINT("dlg res not found"); return NULL; } templ = LoadResource(AbPluginModule, res); return (LPCDLGTEMPLATE)templ; } VOID IntUiResizeAndLocateWindow(HWND hwnd, PRECREATEWINDOWINFO *pci) { SIZE referenceSize; RECT wndRc; UINT swpFlag = SWP_NOZORDER | SWP_NOOWNERZORDER | SWP_NOMOVE | SWP_NOSIZE; int sysScrWidth, sysScrHeight; sysScrWidth = GetSystemMetrics(SM_CXSCREEN); sysScrHeight = GetSystemMetrics(SM_CYSCREEN); if (pci->wri.flag & WRIF_SIZE) { swpFlag &= ~SWP_NOSIZE; referenceSize = pci->wri.size; } else { GetWindowRect(hwnd, &wndRc); referenceSize.cx = wndRc.right - wndRc.left; referenceSize.cy = wndRc.bottom - wndRc.top; } if (pci->wri.flag & WRIF_LOCATION) { swpFlag &= ~SWP_NOMOVE; } if (pci->wri.flag & WRIF_CENTER) { if (swpFlag & SWP_NOMOVE) swpFlag &= ~SWP_NOMOVE; pci->wri.point.x = (sysScrWidth / 2) - (referenceSize.cx / 2); pci->wri.point.y = (sysScrHeight / 2) - (referenceSize.cy / 2); } SetWindowPos( hwnd, NULL, pci->wri.point.x, pci->wri.point.y, referenceSize.cx, referenceSize.cy, swpFlag); } DWORD WINAPI IntUiWorker(VOID *Arg) { MSG msg; INTPARAM *internParam; UIOBJECT *uiObj = (UIOBJECT *)Arg; WINDOWCREATIONINFO *wciPtr = NULL; uiObj->isUiOutside = TRUE; internParam = (INTPARAM *)uiObj->param; uiObj->hwnd = CreateDialogIndirectParamW(GetModuleHandle(NULL), IntUiGetDialogTemplate(uiObj->dlgResourceId), uiObj->parentWnd, (DLGPROC)_UiMainWndProc, (LPARAM)uiObj); if (internParam->wci != NULL) { wciPtr = internParam->wci; } if (wciPtr) { if (wciPtr->pci != NULL) IntUiResizeAndLocateWindow(uiObj->hwnd, wciPtr->pci); } InterlockedExchangePointer((volatile PVOID *)&uiObj->param, internParam->userParam); FREEOBJECT(internParam); uiObj->isRunning = TRUE; SetEvent(uiObj->uiEvent); ShowWindow(uiObj->hwnd, SW_NORMAL); #ifdef _DEBUG if (IsDebuggerPresent()) UiStepTraceEnd = 1; #endif //Enter UI Message Loop while (GetMessageW(&msg, NULL, 0, 0)) { TranslateMessage(&msg); DispatchMessageW(&msg); } uiObj->isRunning = FALSE; //Post fake WM_QUIT message uiObj->dlgProc(uiObj->hwnd, WM_QUIT, 0, 0, _UiDecodeParamPointer(uiObj->param)); __UiUnmapHwnd(uiObj->hwnd); __UiRaiseDisposeCallback(uiObj); if (uiObj->seperateThread) { UiReleaseObject(uiObj); } DBGPRINT("Ui thread exited %x (%d)", GetCurrentThreadId(), GetCurrentThreadId()); return 0; } BOOL IntUiCreateDialog(UIOBJECT *uiObj) { DWORD tid; uiObj->uiEvent = CreateEventW(NULL, FALSE, FALSE, NULL); if (uiObj->seperateThread) { uiObj->uiThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)IntUiWorker, uiObj, 0, &tid); uiObj->uiThreadId = tid; DBGPRINT("Ui worker thread id: %d", tid); } else { uiObj->uiThread = GetCurrentThread(); uiObj->uiThreadId = GetCurrentThreadId(); IntUiWorker(uiObj); } if (WaitForSingleObject(uiObj->uiEvent, 30 * 1000) == WAIT_TIMEOUT) { #ifdef _DEBUG if (IsDebuggerPresent()) { //Stall until debug step finished while (!UiStepTraceEnd) Sleep(1); } else __debugbreak(); #else __debugbreak(); #endif } CloseHandle(uiObj->uiEvent); return uiObj->uiThread != NULL; } BOOL UiIsRunning(UIOBJECT *ui) { if (!ui) return FALSE; return ui->isRunning; } VOID UiRegisterDisposer(UIOBJECT *uiObject, UIAFTEREXITDISPOSER disposer) { uiObject->uiDisposer = disposer; } UIOBJECT *UiCreateDialog( UIDLGPROC dlgProc, HWND parentWnd, UINT dialogResourceId, BOOL seperateThread, PVOID param, WINDOWCREATIONINFO *wci, BOOL *wasSucceeded) { UIOBJECT *uiObject = NULL; INTPARAM *internParam; if (!wasSucceeded) return NULL; uiObject = ALLOCOBJECT(UIOBJECT); uiObject->dlgResourceId = dialogResourceId; uiObject->seperateThread = seperateThread; uiObject->parentWnd = parentWnd; internParam = ALLOCOBJECT(INTPARAM); internParam->intParamMagic = 0x4950; internParam->wci = wci; internParam->userParam = param; uiObject->param = internParam; uiObject->dlgProc = dlgProc; if (IntUiCreateDialog(uiObject) == FALSE) { if (!seperateThread) *wasSucceeded = FALSE; UiReleaseObject(uiObject); return NULL; } if (!uiObject->seperateThread) { *wasSucceeded = TRUE; UiReleaseObject(uiObject); return NULL; } return uiObject; } void UipGetWinVer(LPOSVERSIONINFOA lposv) { //Microsoft has deprecated the version getting API's a while ago. //And introduced some stupid version helper APIs //like IsWindowsXPOrGreater. I dont need that shit. //We are still need the GetVersionXXX API's for backward //compability. lposv->dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); //Shit I'm bored of typedef declaration for the API procs. //Thats why I did it. ((BOOL (WINAPI *)(LPOSVERSIONINFOA)) GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetVersionExA"))(lposv); } BOOL UipIsServer2003XpOrEarlier() { OSVERSIONINFOA osw; UipGetWinVer(&osw); //No needed to check minor version. return osw.dwMajorVersion <= 5; } BOOL UiDrawStringA(HDC dc, LPCSTR text, FLOAT x, FLOAT y, COLORREF forecolor, COLORREF backcolor) { RECT rc; SIZE textSize; HFONT font; HGDIOBJ obj; LOGFONTA logFont; NONCLIENTMETRICSA ncm; if (!dc) return FALSE; ncm.cbSize = sizeof(NONCLIENTMETRICSA); //https://msdn.microsoft.com/en-us/library/windows/desktop/ff729175.aspx //See remarks section if (UipIsServer2003XpOrEarlier()) ncm.cbSize -= sizeof(ncm.iPaddedBorderWidth); SystemParametersInfoA(SPI_GETNONCLIENTMETRICS, ncm.cbSize, &ncm, 0); memcpy(&logFont, &ncm.lfMessageFont, sizeof(LOGFONTA)); logFont.lfWeight = FW_BOLD; font = CreateFontIndirectA(&logFont); SetTextColor(dc, forecolor); obj = SelectObject(dc, font); GetTextExtentPoint32A(dc, text, strlen(text), &textSize); rc.left = x; rc.top = y; rc.right = textSize.cx; rc.bottom = textSize.cy; DrawTextA(dc, text, -1, &rc , DT_SINGLELINE | DT_LEFT); SelectObject(dc, obj); DeleteObject(font); return TRUE; } void UiReleaseObject(UIOBJECT *ui) { if (!ui) return; RtlZeroMemory(ui, sizeof(UIOBJECT)); FREEOBJECT(ui); } BOOL UiDestroyDialog(UIOBJECT *ui) { HANDLE uiThread = NULL; BOOL success = FALSE; //Who called? if (ui->isUiOutside) { ui->isUiOutside = FALSE; //we must wait only async destroy request to avoid from a deadlock if (ui->uiThreadId != GetCurrentThreadId()) uiThread = ui->uiThread; //Hmm. This function called from outside of UIMgr //Post close message and wait WM_DESTROY success = PostMessage(ui->hwnd, WM_CLOSE, 0, 0); } //else, the destroy message already initiated. if (uiThread != NULL) { success = UipWaitUiThreadUntilExit(uiThread); } return success; } void UiForceCloseAllActiveWindows() { map::iterator it; UIOBJECT *uiObj = NULL; if (!gp_windowMap) return; if (gp_windowMap->size() == 0) return; while (gp_windowMap->size() > 0) { it = gp_windowMap->begin(); uiObj = it->second; UiDestroyDialog(uiObj); } } ================================================ FILE: x64dbgApiBreak/src/util.cpp ================================================ #include #include #pragma comment(lib,"Winhttp.lib") BOOL UtlpExtractPassedParameters(PPASSED_PARAMETER_CONTEXT paramInfo, BOOL ipOnStack) { REGDUMP *regs; duint *paramList; duint csp, offset; paramInfo->paramList = (duint *)AbMemoryAlloc(paramInfo->paramCount * sizeof(duint)); if (!paramInfo->paramList) return FALSE; regs = ¶mInfo->regCtx; paramList = paramInfo->paramList; #ifdef _WIN64 if (paramInfo->convention != Fastcall) { paramInfo->convention = Fastcall; DBGPRINT("Calling convention revert to fastcall on Win64"); } csp = regs->regcontext.csp; offset = 0x20; if (ipOnStack) offset += sizeof(duint); for (int i = 0;i < paramInfo->paramCount;i++) { switch (i) { case 0: paramList[0] = regs->regcontext.ccx; break; case 1: paramList[1] = regs->regcontext.cdx; break; case 2: paramList[2] = regs->regcontext.r8; break; case 3: paramList[3] = regs->regcontext.r9; break; } if (i > 3) { AbMemReadGuaranteed(csp + offset, ¶mList[i], sizeof(duint)); offset += sizeof(duint); } } #else csp = regs->regcontext.csp; offset = 0; if (ipOnStack) offset = sizeof(duint); for (int i = 0;i < paramInfo->paramCount;i++) { AbMemReadGuaranteed(csp + offset, ¶mList[i], sizeof(duint)); offset += sizeof(duint); } #endif return TRUE; } BOOL DmaCreateAdapter(WORD sizeOfType, ULONG initialCount, PDMA *dma) { PDMA pdma = NULL; pdma = ALLOCOBJECT(DMA); if (!pdma) return FALSE; pdma->sizeOfType = sizeOfType; pdma->count = initialCount; pdma->totalSize = sizeOfType * initialCount; pdma->writeBoundary = 0; pdma->memory = AbMemoryAlloc(pdma->totalSize); if (!pdma->memory) { DBGPRINT("Dma memory alloc fail"); FREEOBJECT(pdma); return FALSE; } InitializeCriticalSection(&pdma->areaGuard); pdma->needsSynchronize = FALSE; pdma->ownershipTaken = FALSE; *dma = pdma; return TRUE; } BOOL DmaWriteNeedsExpand(PDMA dma, ARCHWIDE needByteSize, ULONG writeBeginOffset, BOOL autoIssue) { BOOL needed; if (writeBeginOffset == DMA_AUTO_OFFSET) writeBeginOffset = dma->writeBoundary; needed = needByteSize > dma->totalSize - writeBeginOffset; if (needed && autoIssue) DmaIssueExpansion(dma, needByteSize / dma->sizeOfType); return needed; } BOOL DmaIssueExpansion(PDMA dma, LONG expansionDelta) { BOOL isReducing = expansionDelta < 0; if (isReducing && dma->totalSize + expansionDelta < dma->writeBoundary) return FALSE; EnterCriticalSection(&dma->areaGuard); InterlockedCompareExchange((volatile LONG *)&dma->needsSynchronize, TRUE, FALSE); dma->memory = AbMemoryRealloc(dma->memory, (dma->count + expansionDelta) * dma->sizeOfType); dma->count += expansionDelta; dma->totalSize = dma->count * dma->sizeOfType; InterlockedCompareExchange((volatile LONG *)&dma->needsSynchronize, FALSE, TRUE); LeaveCriticalSection(&dma->areaGuard); return TRUE; } #define DmapNeedsSynch(pdma) InterlockedCompareExchange((volatile LONG *)&pdma->needsSynchronize, FALSE, FALSE) #define DmapIsAccessValid(pdma, addr, size) (addr + size <= dma->totalSize && !dma->ownershipTaken) BOOL DmapMemIo(PDMA dma, ULONG offset, ARCHWIDE size, void *mem, BOOL write) { ARCHWIDE realAddr; ULONG requiredCount; void *source, *dest; if (offset == DMA_AUTO_OFFSET) offset = dma->writeBoundary; requiredCount = (size / dma->sizeOfType) + 1; if (write && dma->oldProtect != 0) { if (!VirtualProtectEx(GetCurrentProcess(), dma->memory, dma->totalSize, dma->oldProtect, &dma->oldProtect)) return FALSE; dma->oldProtect = 0; } if (write && offset + size > dma->totalSize) { if (!DmaIssueExpansion(dma, requiredCount + (dma->count / 3))) return FALSE; } realAddr = ((ARCHWIDE)dma->memory) + offset; if (write) { source = (void *)mem; dest = (void *)realAddr; } else { source = (void *)realAddr; dest = (void *)mem; } if (!DmapIsAccessValid(dma, offset, size)) return FALSE; memcpy(dest, source, size); if (write) { if (offset + size > dma->writeBoundary) dma->writeBoundary = offset + size; } return TRUE; } BOOL DmaRead(PDMA dma, ULONG offset, ARCHWIDE size, void *destMemory) { BOOL success; BOOL owned = FALSE; if (DmapNeedsSynch(dma)) { EnterCriticalSection(&dma->areaGuard); owned = TRUE; } success = DmapMemIo(dma, offset, size, destMemory,FALSE); if (owned) LeaveCriticalSection(&dma->areaGuard); return success; } BOOL DmaWrite(PDMA dma, ULONG offset, ARCHWIDE size, void *srcMemory) { BOOL success; BOOL owned = FALSE; if (DmapNeedsSynch(dma)) { EnterCriticalSection(&dma->areaGuard); owned = TRUE; } success = DmapMemIo(dma, offset, size, srcMemory,TRUE); if (owned) LeaveCriticalSection(&dma->areaGuard); return success; } BOOL DmaStringWriteA(PDMA dma, LPCSTR format, ...) { BOOL success = FALSE; LPSTR buffer = NULL; LONG len = 0; va_list va; va_start(va, format); len = HlpPrintFormatBufferExA(&buffer, format, va); if (len > 0) { success = DmaWrite(dma, DMA_AUTO_OFFSET, len * sizeof(char), buffer); FREESTRING(buffer); } va_end(va); return success; } BOOL DmaStringWriteW(PDMA dma, LPCWSTR format, ...) { BOOL success = FALSE; LPWSTR buffer = NULL; LONG len = 0; va_list va; va_start(va, format); len = HlpPrintFormatBufferExW(&buffer, format, va); if (len > 0) { success = DmaWrite(dma, DMA_AUTO_OFFSET, len * sizeof(wchar_t), buffer); FREESTRING(buffer); } va_end(va); return success; } BOOL DmaReadTypeAlignedSequence(PDMA dma, ULONG index, ULONG count, void *destMemory) { ARCHWIDE offset,size; if (!dma) return FALSE; offset = index * dma->sizeOfType; size = count * dma->sizeOfType; return DmaRead(dma, offset, size, destMemory); } BOOL DmaCopyWrittenMemory(PDMA dma, void **destMemory, BOOL allocForDest) { if (allocForDest) *destMemory = AbMemoryAlloc(dma->writeBoundary); if (!*destMemory) return FALSE; memcpy(*destMemory, dma->memory, dma->writeBoundary); return TRUE; } BOOL DmaTakeMemoryOwnership(PDMA dma, void **nativeMem) { if (dma->ownershipTaken) return FALSE; *nativeMem = dma->memory; dma->ownershipTaken = TRUE; return TRUE; } BOOL DmaPrepareForDirectWrite(PDMA dma, ULONG writeOffset, ARCHWIDE writeSize, void **nativeMem) { if (dma->UnsafeWriteCheckInfo.offset) return FALSE; if (!DmapIsAccessValid(dma, writeOffset, writeSize)) return FALSE; /* dma->UnsafeWriteCheckInfo.offset = writeOffset; dma->UnsafeWriteCheckInfo.size = writeSize; if (writeOffset < sizeof(ULONG)) { } */ NOTIMPLEMENTED(); return FALSE; } void DmaGetAdapterInfo(PDMA dma, ARCHWIDE *writtenSize, ARCHWIDE *totalSize) { if (!dma) return; if (writtenSize) *writtenSize = dma->writeBoundary; if (totalSize) *totalSize = dma->totalSize; } void DmaEndDirectWrite(PDMA dma) { NOTIMPLEMENTED(); } BOOL DmaPrepareForRead(PDMA dma, void **nativeMem) { //For now, let the caller get the memory as is. BOOL success = true; if (success) *nativeMem = dma->memory; return success; } BOOL DmaSink(PDMA dma) { if (!dma) return FALSE; if (dma->ownershipTaken) return FALSE; if (dma->oldProtect != 0) { VirtualProtectEx(GetCurrentProcess(), dma->memory, dma->totalSize, dma->oldProtect, &dma->oldProtect); dma->oldProtect = 0; } memset(dma->memory, 0, dma->writeBoundary); dma->writeBoundary = 0; return TRUE; } void DmaDestroyAdapter(PDMA dma) { if (!dma) return; if (dma->oldProtect != 0) VirtualProtectEx(GetCurrentProcess(), dma->memory, dma->totalSize, dma->oldProtect, &dma->oldProtect); if (!dma->ownershipTaken) AbMemoryFree(dma->memory); memset(dma, 0, sizeof(DMA)); AbMemoryFree(dma); } //UTILITY FUNCS BOOL UtlExtractPassedParameters(USHORT paramCount, CALLCONVENTION callConv, REGDUMP *regdump, BOOL ipOnStack, PPASSED_PARAMETER_CONTEXT *paramInfo) { PPASSED_PARAMETER_CONTEXT ppi = NULL; ppi = ALLOCOBJECT(PASSED_PARAMETER_CONTEXT); if (!ppi) return FALSE; ppi->paramCount = paramCount; ppi->convention = callConv; memcpy(&ppi->regCtx, regdump, sizeof(REGDUMP)); if (!UtlpExtractPassedParameters(ppi,ipOnStack)) { FREEOBJECT(ppi); return FALSE; } *paramInfo = ppi; return TRUE; } duint UtlGetCallerAddress(REGDUMP *regdump) { int limit = 20; BASIC_INSTRUCTION_INFO inst = { 0 }; duint callerIp; duint sp; sp = (duint)regdump->regcontext.csp; AbMemReadGuaranteed(sp, &callerIp, sizeof(duint)); //Prevent to getting next call as previous caller callerIp--; limit = 20; while (!(inst.call && inst.branch)) { DbgDisasmFastAt(callerIp, &inst); callerIp--; if (limit-- <= 0) { callerIp = 0; break; } } if (callerIp > 0) { callerIp++; DBGPRINT("Caller of this API at %p", callerIp); return callerIp; } DBGPRINT("Cant find caller ip"); return 0; } BOOL UtlInternetReadA(LPCSTR url, BYTE **content, ULONG *contentLength) { BOOL result; LPWSTR urlW = HlpAnsiToWideString(url); if (!urlW) return FALSE; result = UtlInternetReadW(urlW, content, contentLength); FREESTRING(urlW); return result; } BOOL UtlInternetReadW(LPCWSTR url, BYTE **content, ULONG *contentLength) { HINTERNET session=NULL, connection=NULL, reqHandle=NULL; INTERNET_PORT port; BOOL result; DWORD reqFlag = WINHTTP_FLAG_REFRESH; DWORD availData = 0, readData = 0, totalReadSize = 0; PDMA dma; BYTE *readBuffer = NULL; DWORD readbufSize = 0x1000; URL_COMPONENTS urlComp; WCHAR hostName[128], objectName[64]; port = HlpBeginsWithW(url, L"https", TRUE, 5) ? 443 : 80; if (port == 443) reqFlag |= WINHTTP_FLAG_SECURE; session = WinHttpOpen( L"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0", WINHTTP_ACCESS_TYPE_NO_PROXY, NULL, NULL, 0 ); if (!session) return FALSE; // Specify an HTTP server. memset(&urlComp, 0, sizeof(urlComp)); urlComp.dwHostNameLength = (DWORD)-1; urlComp.lpszHostName = hostName; urlComp.dwUrlPathLength = (DWORD)-1; urlComp.lpszUrlPath = objectName; urlComp.dwStructSize = sizeof(urlComp); WinHttpCrackUrl(url, wcslen(url), 0, &urlComp); connection = WinHttpConnect(session, hostName, port, 0); if (!connection) goto exit; // Create an HTTP request handle. reqHandle = WinHttpOpenRequest(connection, L"GET", objectName, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, reqFlag); if (!reqHandle) goto exit; result = WinHttpSendRequest(reqHandle, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0); if (!result) goto exit; result = WinHttpReceiveResponse(reqHandle, NULL); if (!result) goto exit; if (!DmaCreateAdapter(sizeof(BYTE), 0x1000, &dma)) goto exit; readBuffer = (BYTE *)AbMemoryAlloc(readbufSize); while(1) { if (!WinHttpQueryDataAvailable(reqHandle, &availData)) break; if (!availData) break; if (availData > readbufSize) { readBuffer = (BYTE *)AbMemoryRealloc(readBuffer, readbufSize + 0x1000); readbufSize += 0x1000; } if (WinHttpReadData(reqHandle, readBuffer, availData, &readData)) { DmaWrite(dma, DMA_AUTO_OFFSET, readData, readBuffer); *readBuffer = 0; totalReadSize += readData; } } AbMemoryFree(readBuffer); exit: if (reqHandle) WinHttpCloseHandle(reqHandle); if (connection) WinHttpCloseHandle(connection); if (session) WinHttpCloseHandle(session); if (totalReadSize > 0) { DmaTakeMemoryOwnership(dma, (void **)content); *contentLength = totalReadSize; } DmaDestroyAdapter(dma); return totalReadSize > 0; } ================================================ FILE: x64dbgApiBreak/x64dbgApiBreak.vcxproj ================================================  Debug Win32 Release Win32 Debug x64 Release x64 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F} Win32Proj x64dbgApiBreak 8.1 DynamicLibrary true v120_xp Unicode DynamicLibrary false v120_xp true Unicode DynamicLibrary true v120_xp Unicode DynamicLibrary false v120_xp true Unicode true $(ProjectDir)src\incl;$(ProjectDir);$(IncludePath) $(ProjectDir)src\incl;$(LibraryPath) $(SourcePath) .dp32 true $(ProjectDir)src\incl;$(ProjectDir);$(IncludePath) $(ProjectDir)src\incl;$(LibraryPath) $(SourcePath) .dp64 false $(ProjectDir)src\incl;$(ProjectDir);$(IncludePath) $(ProjectDir)src\incl;$(LibraryPath) $(SourcePath) .dp32 false $(ProjectDir)src\incl;$(ProjectDir);$(IncludePath) $(ProjectDir)src\incl;$(LibraryPath) $(ProjectDir)\src\incl;$(SourcePath) .dp64 Level3 Disabled WIN32;_DEBUG;_WINDOWS;_USRDLL;X64DBGAPIBREAK_EXPORTS;%(PreprocessorDefinitions) Windows true Level3 Disabled _DEBUG;_WINDOWS;_USRDLL;X64DBGAPIBREAK_EXPORTS;%(PreprocessorDefinitions) Windows true Level3 MaxSpeed true true WIN32;NDEBUG;_WINDOWS;_USRDLL;X64DBGAPIBREAK_EXPORTS;%(PreprocessorDefinitions) Windows true true false Level3 MaxSpeed true true NDEBUG;_WINDOWS;_USRDLL;X64DBGAPIBREAK_EXPORTS;%(PreprocessorDefinitions) Windows true true false $(ProjectDir)src\incl;%(AdditionalIncludeDirectories) $(ProjectDir)src\incl;%(AdditionalIncludeDirectories) ================================================ FILE: x64dbgApiBreak/x64dbgApiBreak.vcxproj.filters ================================================  {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hh;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Resource Files ================================================ FILE: x64dbgApiBreak.sln ================================================  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "x64dbgApiBreak", "x64dbgApiBreak\x64dbgApiBreak.vcxproj", "{3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 Debug|x86 = Debug|x86 Release|x64 = Release|x64 Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Debug|x64.ActiveCfg = Debug|x64 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Debug|x64.Build.0 = Debug|x64 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Debug|x86.ActiveCfg = Debug|Win32 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Debug|x86.Build.0 = Debug|Win32 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Release|x64.ActiveCfg = Release|x64 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Release|x64.Build.0 = Release|x64 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Release|x86.ActiveCfg = Release|Win32 {3E482A12-6BE2-4B4A-AE41-A5D652C92E4F}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal