EspressoCake/ExampleOutput.txt Secret

## ExampleOutput.txt
0:000> dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.TargetedInvocation("KERNELBASE!CreateRemoteThreadEx")


Library:	KERNELBASE	(1 of 1)
Symbol:		CreateRemoteThreadEx
Function(s):
			NtClose
			NtCreateThreadEx
			NtDuplicateObject
			NtQueryInformationProcess
			NtResumeThread
			NtTerminateThread


JSON Representation (All Queries in this Session):
--------------------------------------------------
{
	"KERNELBASE!CreateFileW": {
		"KERNELBASE!CreateFileInternal": [
			"NtClose",
			"NtCreateFile",
			"NtQueryEaFile",
			"NtQueryInformationFile",
			"NtSetInformationFile"
		],
		"InlineCalls": []
	},
	"KERNELBASE!CreateRemoteThreadEx": {
		"InlineCalls": [
			"NtClose",
			"NtCreateThreadEx",
			"NtDuplicateObject",
			"NtQueryInformationProcess",
			"NtResumeThread",
			"NtTerminateThread"
		]
	}
}

## NaiveGrabZwNtCalls.js
/**************************************/
/*  Author:  Justin Lucas             */
/*  Email:   ropchainz@protonmail.com */
/*  Date:    April 20, 2021           */
/*  Revised: December 14, 2021        */
/**************************************/

/********************************************************/
/*  Note:                                               */
/*      This is designed to work in WinDBG Preview      */
/*      to take advantage of it's JScript capabilities. */
/*      Install that however you wish.                  */
/********************************************************/

/****************************************************************************************************************************/
/*  .scriptload FULL_PATH_TO_THIS_FILE                                                                                      */
/*                                                                                                                          */
/*  Two Options:                                                                                                            */
/*          1) Iterate all symbols (slow)                                                                                   */
/*              dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.GeneralInvocation()                                   */
/*                                                                                                                          */
/*          2) Look for a specific (known) symbol                                                                           */
/*              dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.TargetedInvocation('KERNELBASE!CreateFileW')          */
/****************************************************************************************************************************/
"use strict";


var GlobalKeyValuePair = new Object();


function ReturnKernelBaseFunctions() {
    var ctl = host.namespace.Debugger.Utility.Control;
    ctl.ExecuteCommand('ld *');
    var output = ctl.ExecuteCommand('x /f KERNELBASE!*');
    var trueOutput = [];

    for (var line of output) {
        var splitOutput = line.split(' ')[1];
        var filterExtensionAPI = new RegExp("^(.*!ext_.*|.*!api_.*|.*!_.*|.*!<.*)|.*::.*");

        if (!filterExtensionAPI.test(splitOutput)) {
            if (trueOutput.indexOf(splitOutput) == -1) {
                trueOutput.push(splitOutput);
            }
        }

    }

    trueOutput.sort();

    return trueOutput;
}


function RecursionAvoidance(providedSymbol, relIndex, tSize, caller)
{
    // Default values of parameters if not passed
    relIndex = (typeof(relIndex) !== 'undefined') ? relIndex : 1;
    tSize = (typeof(tSize) !== 'undefined') ? tSize: 1;
    caller = (typeof(tSize) != 'undefined') ? caller : null;

    // Standard context information
    var ctl = host.namespace.Debugger.Utility.Control;

    // Interpolate the "symbol" and unassemble as a function, where possible
    var output = ctl.ExecuteCommand(`uf ${providedSymbol}`);
    var functionSymbolArray = [];

    for (var line of output)
    {
        var reg = new RegExp("^(.*_imp_.*)$");
        if (reg.test(line)) {
            var data = line.split('!')[1].split(' ')[0].replace('_imp_', '');
            var ntFuncs = new RegExp("^(Zw.*|Nt.*)$");
            if (ntFuncs.test(data)) {
                var relativeSymbolReference = data.indexOf('+');
                if (relativeSymbolReference != -1) {
                    data = data.substring(0, data.indexOf("+"));
                }

                if (functionSymbolArray.indexOf(data) == -1) {
                    functionSymbolArray.push(data);
                }
            }
        }
    }

    functionSymbolArray.sort();
    GlobalKeyValuePair[caller][`${providedSymbol}`] = functionSymbolArray;
}


function GetBlockDisassembly(providedSymbol, relIndex, tSize, caller)
{
    // Default values of parameters if not passed
    relIndex = (typeof(relIndex) !== 'undefined') ? relIndex : 1;
    tSize = (typeof(tSize) !== 'undefined') ? tSize: 1;
    caller = (typeof(tSize) != 'undefined') ? caller : null;

    // Standard context information
    var ctl = host.namespace.Debugger.Utility.Control;

    GlobalKeyValuePair[providedSymbol] = {};

    // Interpolate the "symbol" and unassemble as a function, where possible
    var output = ctl.ExecuteCommand(`uf ${providedSymbol}`);
    var functionSymbolArray = [];

    for (var line of output)
    {
        var internalImplementationUgh = line.match(/KERNELBASE!.*Internal/);
        if (internalImplementationUgh != null) {
            if (internalImplementationUgh.toString() != null) {
                if (!(internalImplementationUgh.toString() in GlobalKeyValuePair[providedSymbol])) {
                    GlobalKeyValuePair[providedSymbol][`${internalImplementationUgh.toString()}`] = [];
                    RecursionAvoidance(internalImplementationUgh.toString(), 1, 1, providedSymbol)
                }
            }
        }

        var reg = new RegExp("^(.*_imp_.*)$");
        if (reg.test(line)) {
            var data = line.split('!')[1].split(' ')[0].replace('_imp_', '');
            var ntFuncs = new RegExp("^(Zw.*|Nt.*)$");
            if (ntFuncs.test(data)) {
                var relativeSymbolReference = data.indexOf('+');
                if (relativeSymbolReference != -1) {
                    data = data.substring(0, data.indexOf("+"));
                }

                if (functionSymbolArray.indexOf(data) == -1) {
                    functionSymbolArray.push(data);
                }
            }
        }
    }

    functionSymbolArray.sort();

    if (functionSymbolArray.length >= 1) {
        host.diagnostics.debugLog("\n\n", `Library:\t${providedSymbol.split('!')[0]}\t(${relIndex} of ${tSize})\n`, `Symbol:\t\t${providedSymbol.split('!')[1]}`, "\nFunction(s):\n");
        for (var nativeFunc of functionSymbolArray) {
            host.diagnostics.debugLog("\t\t\t", `${nativeFunc}`, "\n");
        }
    }

    GlobalKeyValuePair[providedSymbol]["InlineCalls"] = functionSymbolArray;


    host.diagnostics.debugLog("\n\nJSON Representation (All Queries in this Session):\n--------------------------------------------------\n" + JSON.stringify(GlobalKeyValuePair,null,'\t') + "\n");
}


function GeneralInvocation() {
    var currentArray = ReturnKernelBaseFunctions();

    for (var item of currentArray) {
        try {
            GetBlockDisassembly(item, currentArray.indexOf(item) + 1, currentArray.length);
        }
        catch (err) {}
    }
}


function TargetedInvocation(fullSymbol) {
    try {
        var ctl = host.namespace.Debugger.Utility.Control;
        ctl.ExecuteCommand('ld *');

        GetBlockDisassembly(fullSymbol);
    }
    catch (err) {}
}
	0:000> dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.TargetedInvocation("KERNELBASE!CreateRemoteThreadEx")


	Library: KERNELBASE (1 of 1)
	Symbol: CreateRemoteThreadEx
	Function(s):
	NtClose
	NtCreateThreadEx
	NtDuplicateObject
	NtQueryInformationProcess
	NtResumeThread
	NtTerminateThread


	JSON Representation (All Queries in this Session):
	--------------------------------------------------
	{
	"KERNELBASE!CreateFileW": {
	"KERNELBASE!CreateFileInternal": [
	"NtClose",
	"NtCreateFile",
	"NtQueryEaFile",
	"NtQueryInformationFile",
	"NtSetInformationFile"
	],
	"InlineCalls": []
	},
	"KERNELBASE!CreateRemoteThreadEx": {
	"InlineCalls": [
	"NtClose",
	"NtCreateThreadEx",
	"NtDuplicateObject",
	"NtQueryInformationProcess",
	"NtResumeThread",
	"NtTerminateThread"
	]
	}
	}
	/**************************************/
	/* Author: Justin Lucas */
	/* Email: ropchainz@protonmail.com */
	/* Date: April 20, 2021 */
	/* Revised: December 14, 2021 */
	/**************************************/

	/********************************************************/
	/* Note: */
	/* This is designed to work in WinDBG Preview */
	/* to take advantage of it's JScript capabilities. */
	/* Install that however you wish. */
	/********************************************************/

	/****************************************************************************************************************************/
	/* .scriptload FULL_PATH_TO_THIS_FILE */
	/* */
	/* Two Options: */
	/* 1) Iterate all symbols (slow) */
	/* dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.GeneralInvocation() */
	/* */
	/* 2) Look for a specific (known) symbol */
	/* dx Debugger.State.Scripts.NaiveGrabZwNtCalls.Contents.TargetedInvocation('KERNELBASE!CreateFileW') */
	/****************************************************************************************************************************/
	"use strict";


	var GlobalKeyValuePair = new Object();


	function ReturnKernelBaseFunctions() {
	var ctl = host.namespace.Debugger.Utility.Control;
	ctl.ExecuteCommand('ld *');
	var output = ctl.ExecuteCommand('x /f KERNELBASE!*');
	var trueOutput = [];

	for (var line of output) {
	var splitOutput = line.split(' ')[1];
	var filterExtensionAPI = new RegExp("^(.!ext_.\|.!api_.\|.!_.\|.!<.)\|.::.");

	if (!filterExtensionAPI.test(splitOutput)) {
	if (trueOutput.indexOf(splitOutput) == -1) {
	trueOutput.push(splitOutput);
	}
	}

	}

	trueOutput.sort();

	return trueOutput;
	}


	function RecursionAvoidance(providedSymbol, relIndex, tSize, caller)
	{
	// Default values of parameters if not passed
	relIndex = (typeof(relIndex) !== 'undefined') ? relIndex : 1;
	tSize = (typeof(tSize) !== 'undefined') ? tSize: 1;
	caller = (typeof(tSize) != 'undefined') ? caller : null;

	// Standard context information
	var ctl = host.namespace.Debugger.Utility.Control;

	// Interpolate the "symbol" and unassemble as a function, where possible
	var output = ctl.ExecuteCommand(`uf ${providedSymbol}`);
	var functionSymbolArray = [];

	for (var line of output)
	{
	var reg = new RegExp("^(._imp_.)$");
	if (reg.test(line)) {
	var data = line.split('!')[1].split(' ')[0].replace('_imp_', '');
	var ntFuncs = new RegExp("^(Zw.\|Nt.)$");
	if (ntFuncs.test(data)) {
	var relativeSymbolReference = data.indexOf('+');
	if (relativeSymbolReference != -1) {
	data = data.substring(0, data.indexOf("+"));
	}

	if (functionSymbolArray.indexOf(data) == -1) {
	functionSymbolArray.push(data);
	}
	}
	}
	}

	functionSymbolArray.sort();
	GlobalKeyValuePair[caller][`${providedSymbol}`] = functionSymbolArray;
	}


	function GetBlockDisassembly(providedSymbol, relIndex, tSize, caller)
	{
	// Default values of parameters if not passed
	relIndex = (typeof(relIndex) !== 'undefined') ? relIndex : 1;
	tSize = (typeof(tSize) !== 'undefined') ? tSize: 1;
	caller = (typeof(tSize) != 'undefined') ? caller : null;

	// Standard context information
	var ctl = host.namespace.Debugger.Utility.Control;

	GlobalKeyValuePair[providedSymbol] = {};

	// Interpolate the "symbol" and unassemble as a function, where possible
	var output = ctl.ExecuteCommand(`uf ${providedSymbol}`);
	var functionSymbolArray = [];

	for (var line of output)
	{
	var internalImplementationUgh = line.match(/KERNELBASE!.*Internal/);
	if (internalImplementationUgh != null) {
	if (internalImplementationUgh.toString() != null) {
	if (!(internalImplementationUgh.toString() in GlobalKeyValuePair[providedSymbol])) {
	GlobalKeyValuePair[providedSymbol][`${internalImplementationUgh.toString()}`] = [];
	RecursionAvoidance(internalImplementationUgh.toString(), 1, 1, providedSymbol)
	}
	}
	}

	var reg = new RegExp("^(._imp_.)$");
	if (reg.test(line)) {
	var data = line.split('!')[1].split(' ')[0].replace('_imp_', '');
	var ntFuncs = new RegExp("^(Zw.\|Nt.)$");
	if (ntFuncs.test(data)) {
	var relativeSymbolReference = data.indexOf('+');
	if (relativeSymbolReference != -1) {
	data = data.substring(0, data.indexOf("+"));
	}

	if (functionSymbolArray.indexOf(data) == -1) {
	functionSymbolArray.push(data);
	}
	}
	}
	}

	functionSymbolArray.sort();

	if (functionSymbolArray.length >= 1) {
	host.diagnostics.debugLog("\n\n", `Library:\t${providedSymbol.split('!')[0]}\t(${relIndex} of ${tSize})\n`, `Symbol:\t\t${providedSymbol.split('!')[1]}`, "\nFunction(s):\n");
	for (var nativeFunc of functionSymbolArray) {
	host.diagnostics.debugLog("\t\t\t", `${nativeFunc}`, "\n");
	}
	}

	GlobalKeyValuePair[providedSymbol]["InlineCalls"] = functionSymbolArray;


	host.diagnostics.debugLog("\n\nJSON Representation (All Queries in this Session):\n--------------------------------------------------\n" + JSON.stringify(GlobalKeyValuePair,null,'\t') + "\n");
	}


	function GeneralInvocation() {
	var currentArray = ReturnKernelBaseFunctions();

	for (var item of currentArray) {
	try {
	GetBlockDisassembly(item, currentArray.indexOf(item) + 1, currentArray.length);
	}
	catch (err) {}
	}
	}


	function TargetedInvocation(fullSymbol) {
	try {
	var ctl = host.namespace.Debugger.Utility.Control;
	ctl.ExecuteCommand('ld *');

	GetBlockDisassembly(fullSymbol);
	}
	catch (err) {}
	}