@tahaconfiant
Created June 11, 2020 12:22
Monitoring calls to GcBlockFactory pblkAlloc and FreeBlk
// by taha@confiant.com
// trace jscript!GcBlockFactory::PblkAlloc for GcBlock allocations
// tested with Jscript.dll 32 bits
//jscript!GcAlloc::PvarAlloc+0x89:
// 6ac0bdfc 8b460c mov eax, dword ptr [esi+0Ch]
// 6ac0bdff 894710 mov dword ptr [edi+10h], eax
// 6ac0be02 ebae jmp jscript!GcAlloc::PvarAlloc+0x32 (6ac0bdb2)
// 6ac0be04 e878d9ffff call jscript!GcBlockFactory::PblkAlloc (6ac09781)
// -> 6ac0be09 8bc8 mov ecx, eax // eax contains the address of the newly allocated GCBlock
// jscript!GcBlockFactory::FreeBlk+0x43:
//6ac09768 68dc59c86a push offset jscript!g_gbf+0x1c (6ac859dc)
//6ac09765 8b4d08 mov ecx, dword ptr [ebp+8] ss:002b:05c3b22c=23fb1228
//6ac09768 68dc59c86a push offset jscript!g_gbf+0x1c (6ac859dc)
//6ac0976d e8bdfdffff call jscript!GcBlock::Link (6ac0952f) <-- link (ecx = @ GCBlock)
//jscript!GcBlockFactory::FreeBlk+0x1e:
//6ac09743 e834970200 call jscript!operator delete (6ac32e7c) <-- free (ecx = @ GCBlock)
"use strict";
/** Render a number (or host Int64) as lowercase hex digits, no 0x prefix. */
const hex = (value) => value.toString(16);
/**
 * Called by the debugger when the script is loaded.
 * @returns {Array} the JsProvider API version this script targets (1.3).
 */
function initializeScript() {
  const apiVersion = new host.apiVersionSupport(1, 3);
  return [apiVersion];
}
/**
 * Print one line to the debugger output window.
 * @param {*} message - value to print; string-coerced with a newline appended.
 */
let logln = function (message) {
  const line = message + '\n';
  host.diagnostics.debugLog(line);
};
/**
 * Read one 32-bit value from target memory and return it via host.parseInt64.
 * Not referenced by the breakpoint handlers in this file.
 * @param {*} addr - target address (number or host Int64).
 * @returns {*} whatever host.parseInt64 yields for the read value.
 */
function read_u32(addr) {
  // readMemoryValues(address, count, elementSize): a single 4-byte element.
  const values = host.memory.readMemoryValues(addr, 1, 4);
  // NOTE(review): the result array is passed as-is (not values[0]); this relies
  // on parseInt64 stringifying a one-element array — confirm against the host API.
  return host.parseInt64(values);
}
/**
 * Breakpoint command for jscript!GcAlloc::PvarAlloc+0x89, the instruction
 * right after the GcBlockFactory::PblkAlloc call returns (see the disassembly
 * comment at the top of this file): eax holds the address of the GcBlock that
 * was just allocated, which is logged in hex.
 */
function handle_bp() {
  const userRegs = host.currentThread.Registers.User;
  const blockAddress = hex(userRegs.eax);
  logln(`jscript!GcBlockFactory::PblkAlloc: address: ${blockAddress}`);
}
/**
 * Breakpoint command for jscript!GcBlockFactory::FreeBlk+0x1e, the
 * `call jscript!operator delete` in the disassembly comment above. The
 * breakpoint is on the call instruction itself, so ecx still holds the
 * address of the GcBlock about to be released; it is logged in hex.
 */
function handle_bp2() {
  const userRegs = host.currentThread.Registers.User;
  const blockAddress = hex(userRegs.ecx);
  logln(`jscript!GcBlockFactory::FreeBlk: [deallocated] address: ${blockAddress}`);
}
/**
 * Breakpoint command for jscript!GcBlockFactory::FreeBlk+0x43, just before
 * the `call jscript!GcBlock::Link` in the disassembly comment above. ecx was
 * loaded from [ebp+8] two instructions earlier and holds the address of the
 * GcBlock being linked back into the factory's list; it is logged in hex.
 */
function handle_bp3() {
  const userRegs = host.currentThread.Registers.User;
  const blockAddress = hex(userRegs.ecx);
  logln(`jscript!GcBlockFactory::FreeBlk: [link GCBlock] address: ${blockAddress}`);
}
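/**
 * The three tracing breakpoints: module-relative symbol, byte offset, and the
 * handler in this script that the breakpoint command calls.
 *
 * The offsets come from the disassembly of one particular 32-bit jscript.dll
 * build (see the comments at the top of this file). Other builds will have
 * different offsets, and a breakpoint at a stale offset lands on an unrelated
 * instruction and silently logs garbage — re-derive them before trusting the
 * output on a different binary.
 */
const GC_BREAKPOINTS = Object.freeze([
  { symbol: 'GcAlloc::PvarAlloc', offset: 0x89, handler: 'handle_bp' },
  { symbol: 'GcBlockFactory::FreeBlk', offset: 0x1e, handler: 'handle_bp2' },
  { symbol: 'GcBlockFactory::FreeBlk', offset: 0x43, handler: 'handle_bp3' },
]);

/**
 * Install one breakpoint unless one with the same offset expression already
 * exists (so re-running the script does not stack duplicate breakpoints).
 * @param {*} control - host.namespace.Debugger.Utility.Control
 * @param {*} breakpoints - host.currentProcess.Debug.Breakpoints
 * @param {{symbol: string, offset: number, handler: string}} spec - entry of GC_BREAKPOINTS
 */
function ensureBreakpoint(control, breakpoints, { symbol, offset, handler }) {
  const expression = `jscript!${symbol}+0x${offset.toString(16)}`;
  const alreadySet = breakpoints.Any((bp) => bp.OffsetExpression === expression);
  if (alreadySet) {
    logln('Breakpoint already set.');
    return;
  }
  const bp = control.SetBreakpointAtOffset(symbol, offset, 'jscript');
  // 'gc' resumes the target after the handler runs, so tracing is hands-off.
  bp.Command = `dx @$scriptContents.${handler}(); gc`;
}

/**
 * Entry point for `.scriptrun`: installs the GcBlock alloc/free/link
 * breakpoints idempotently and tells the user to resume the target.
 */
function invokeScript() {
  const control = host.namespace.Debugger.Utility.Control;
  const breakpoints = host.currentProcess.Debug.Breakpoints;
  for (const spec of GC_BREAKPOINTS) {
    ensureBreakpoint(control, breakpoints, spec);
  }
  logln('Press "g" to run the target.');
}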
//Press "g" to run the target.
//0:001> g
//jscript!GcBlockFactory::PblkAlloc: address: 5de94a0
//@$scriptContents.handle_bp()
//jscript!GcBlockFactory::PblkAlloc: address: 5de9af0
//@$scriptContents.handle_bp()
//jscript!GcBlockFactory::PblkAlloc: address: 5dea140
//@$scriptContents.handle_bp()
//jscript!GcBlockFactory::PblkAlloc: address: 5df5fd0
//
//0:001> dd 5de94a0 L648h/4
//05de94a0 05e01ff8 05de9af0 00000081 00000000
//05de94b0 23e3c6c8 05de94b8 00000081 00000000
//05de94c0 23e3c5a8 05de94c8 00000081 00000000
//05de94d0 23e3c440 05de94d8 00000081 00000000