_____________________________________________________________
salam            khobi 123     456
----------------------------------
salam
----------------------------------
khobi
----------------------------------
123
----------------------------------
456
_____________________________________________________________
!monitor 123 1234 script { tesTo                     salam 

khoobi?
 }
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
 tesTo                     salam 

khoobi?
 
_____________________________________________________________
 !monitor rwx 123 1234 script { @rax= @rbx;                      

printf("ho");
 }
----------------------------------
!monitor
----------------------------------
rwx
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
 @rax= @rbx;                      

printf("ho");
 
_____________________________________________________________





!monitor 123 1234 script { tesTo                     salam 

khoobi?
 }
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
 tesTo                     salam 

khoobi?
 
_____________________________________________________________
 help    settings
----------------------------------
help
----------------------------------
settings
_____________________________________________________________
help    settings
----------------------------------
help
----------------------------------
settings
_____________________________________________________________
 !monitor 456 789 script {salam}
----------------------------------
!monitor
----------------------------------
456
----------------------------------
789
----------------------------------
script
----------------------------------
salam
_____________________________________________________________
 !monitor 123 987 script { salam}
----------------------------------
!monitor
----------------------------------
123
----------------------------------
987
----------------------------------
script
----------------------------------
 salam
_____________________________________________________________
 !monitor 123 1234 script {salam }
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
salam 
_____________________________________________________________
 !monitor 123 1234 script {-} script {salam } 
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
-
----------------------------------
script
----------------------------------
salam 
_____________________________________________________________
 !monitor 123 1234 script {-
 
 
 
 
 } script {salam } 
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
-
 
 
 
 
 
----------------------------------
script
----------------------------------
salam 
_____________________________________________________________
!command -flag1 -flag2 input {   value1   value2   }
----------------------------------
!command
----------------------------------
-flag1
----------------------------------
-flag2
----------------------------------
input
----------------------------------
   value1   value2   
_____________________________________________________________
combine    {first   part}  { second part } {third part}
----------------------------------
combine
----------------------------------
first   part
----------------------------------
 second part 
----------------------------------
third part
_____________________________________________________________
mix { spaces   inside }  and {no space}
----------------------------------
mix
----------------------------------
 spaces   inside 
----------------------------------
and
----------------------------------
no space
_____________________________________________________________
testcase1 testcase2 {  enclosed with spaces  }
----------------------------------
testcase1
----------------------------------
testcase2
----------------------------------
  enclosed with spaces  
_____________________________________________________________
!action -key1=value1 -key2=value2 {payload   data} 
----------------------------------
!action
----------------------------------
-key1=value1
----------------------------------
-key2=value2
----------------------------------
payload   data
_____________________________________________________________
cmd {first block} subsequent {second block} ending
----------------------------------
cmd
----------------------------------
first block
----------------------------------
subsequent
----------------------------------
second block
----------------------------------
ending
_____________________________________________________________
!start -fast {quick action} -secure {safe mode}
----------------------------------
!start
----------------------------------
-fast
----------------------------------
quick action
----------------------------------
-secure
----------------------------------
safe mode
_____________________________________________________________
simple   command    with {  embedded data   }
----------------------------------
simple
----------------------------------
command
----------------------------------
with
----------------------------------
  embedded data   
_____________________________________________________________
cmd1 cmd2 cmd3 {sequential commands}
----------------------------------
cmd1
----------------------------------
cmd2
----------------------------------
cmd3
----------------------------------
sequential commands
_____________________________________________________________
!launch -now -force {immediate start} && {verify} 
----------------------------------
!launch
----------------------------------
-now
----------------------------------
-force
----------------------------------
immediate start
----------------------------------
&&
----------------------------------
verify
_____________________________________________________________
   
!script    launch { @init(); } followed by {execute main;}
----------------------------------
!script
----------------------------------
launch
----------------------------------
 @init(); 
----------------------------------
followed
----------------------------------
by
----------------------------------
execute main;
_____________________________________________________________
cmd {simple} {sequence} -option
----------------------------------
cmd
----------------------------------
simple
----------------------------------
sequence
----------------------------------
-option
_____________________________________________________________
run -flag1 {data1} -flag2 {data2} -flag3 {data3}
----------------------------------
run
----------------------------------
-flag1
----------------------------------
data1
----------------------------------
-flag2
----------------------------------
data2
----------------------------------
-flag3
----------------------------------
data3
_____________________________________________________________
test -x -y -z {set1} and {set2} followed by {set3}
----------------------------------
test
----------------------------------
-x
----------------------------------
-y
----------------------------------
-z
----------------------------------
set1
----------------------------------
and
----------------------------------
set2
----------------------------------
followed
----------------------------------
by
----------------------------------
set3
_____________________________________________________________
init {first} then {second} && finally {third} 
----------------------------------
init
----------------------------------
first
----------------------------------
then
----------------------------------
second
----------------------------------
&&
----------------------------------
finally
----------------------------------
third
_____________________________________________________________
long command with {multiple parts in} {separate blocks} 
----------------------------------
long
----------------------------------
command
----------------------------------
with
----------------------------------
multiple parts in
----------------------------------
separate blocks
_____________________________________________________________
simple {standalone block}
----------------------------------
simple
----------------------------------
standalone block
_____________________________________________________________
trigger {script  } && -flag {option}   final
----------------------------------
trigger
----------------------------------
script  
----------------------------------
&&
----------------------------------
-flag
----------------------------------
option
----------------------------------
final
_____________________________________________________________
initiate --parameters { --data="complex value"; return 0;} and end
----------------------------------
initiate
----------------------------------
--parameters
----------------------------------
 --data="complex value"; return 0;
----------------------------------
and
----------------------------------
end
_____________________________________________________________
multi-step {process} && {handle} then {finalize}
----------------------------------
multi-step
----------------------------------
process
----------------------------------
&&
----------------------------------
handle
----------------------------------
then
----------------------------------
finalize
_____________________________________________________________
cmd -flag1 -flag2 {parameter} {another} part
----------------------------------
cmd
----------------------------------
-flag1
----------------------------------
-flag2
----------------------------------
parameter
----------------------------------
another
----------------------------------
part
_____________________________________________________________
test {unmatched brackets and inputs
----------------------------------
test
----------------------------------
unmatched brackets and inputs
_____________________________________________________________
{no command} just {brackets   here} 
----------------------------------
no command
----------------------------------
just
----------------------------------
brackets   here
_____________________________________________________________

     !monitor 321 654 script { salam { } }


----------------------------------
!monitor
----------------------------------
321
----------------------------------
654
----------------------------------
script
----------------------------------
 salam { } 
_____________________________________________________________
 !monitor 123 1234 script {salam { }}
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
salam { }
_____________________________________________________________
 !monitor 123 1234 script {{}} script {salam } 
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
{}
----------------------------------
script
----------------------------------
salam 
_____________________________________________________________
!run   multiple   {commands here; print("hello") }   now
----------------------------------
!run
----------------------------------
multiple
----------------------------------
commands here; print("hello") 
----------------------------------
now
_____________________________________________________________
execute    --option=value   --flag {do this}  &&  {do that}
----------------------------------
execute
----------------------------------
--option=value
----------------------------------
--flag
----------------------------------
do this
----------------------------------
&&
----------------------------------
do that
_____________________________________________________________
test   input     multiple { nested   {token1 token2}  token3  }
----------------------------------
test
----------------------------------
input
----------------------------------
multiple
----------------------------------
 nested   {token1 token2}  token3  
_____________________________________________________________
!example   with-symbols  { $var1   =   @func(); }  @end
----------------------------------
!example
----------------------------------
with-symbols
----------------------------------
 $var1   =   @func(); 
----------------------------------
@end
_____________________________________________________________
check  {brackets}without   spaces   {another}one
----------------------------------
check
----------------------------------
brackets
----------------------------------
without
----------------------------------
spaces
----------------------------------
another
----------------------------------
one
_____________________________________________________________
trigger    --conditionA  --conditionB  sequence {if(A) {exec B;}}
----------------------------------
trigger
----------------------------------
--conditionA
----------------------------------
--conditionB
----------------------------------
sequence
----------------------------------
if(A) {exec B;}
_____________________________________________________________
check -flag { first {nested} block } and another
----------------------------------
check
----------------------------------
-flag
----------------------------------
 first {nested} block 
----------------------------------
and
----------------------------------
another
_____________________________________________________________

cmd -opt1 --opt2 {multi-level { nesting  }  example }
----------------------------------
cmd
----------------------------------
-opt1
----------------------------------
--opt2
----------------------------------
multi-level { nesting  }  example 
_____________________________________________________________

prefix {command with {extra} spaces} suffix
----------------------------------
prefix
----------------------------------
command with {extra} spaces
----------------------------------
suffix
_____________________________________________________________
{edge case} with {close} but {mismatched }
----------------------------------
edge case
----------------------------------
with
----------------------------------
close
----------------------------------
but
----------------------------------
mismatched 
_____________________________________________________________

cmd1 {with spaces  }between  {tokens}
----------------------------------
cmd1
----------------------------------
with spaces  
----------------------------------
between
----------------------------------
tokens
_____________________________________________________________

execute     command --with-options {enclose {inner block} complete} 
----------------------------------
execute
----------------------------------
command
----------------------------------
--with-options
----------------------------------
enclose {inner block} complete
_____________________________________________________________
combine  --flags { group {of {nested} data} here }
----------------------------------
combine
----------------------------------
--flags
----------------------------------
 group {of {nested} data} here 
_____________________________________________________________

launch   operation {perform   task   with  details*&^%$#@! }
----------------------------------
launch
----------------------------------
operation
----------------------------------
perform   task   with  details*&^%$#@! 
_____________________________________________________________
{beginning}{middle}{end} as a story
----------------------------------
beginning
----------------------------------
middle
----------------------------------
end
----------------------------------
as
----------------------------------
a
----------------------------------
story
_____________________________________________________________
process   data {with   embedded {brackets} and symbols!@# }
----------------------------------
process
----------------------------------
data
----------------------------------
with   embedded {brackets} and symbols!@# 
_____________________________________________________________
{part1} {part2} {part3} followed by {part4}
----------------------------------
part1
----------------------------------
part2
----------------------------------
part3
----------------------------------
followed
----------------------------------
by
----------------------------------
part4
_____________________________________________________________
trigger   function {execute this {with nested} commands}
----------------------------------
trigger
----------------------------------
function
----------------------------------
execute this {with nested} commands
_____________________________________________________________
{first}{second}{third}{fourth} in order
----------------------------------
first
----------------------------------
second
----------------------------------
third
----------------------------------
fourth
----------------------------------
in
----------------------------------
order
_____________________________________________________________
invoke action {with parameters and special *&^%$#@! characters}
----------------------------------
invoke
----------------------------------
action
----------------------------------
with parameters and special *&^%$#@! characters
_____________________________________________________________
{alpha}{beta}{gamma} proceed
----------------------------------
alpha
----------------------------------
beta
----------------------------------
gamma
----------------------------------
proceed
_____________________________________________________________
launch command {multiple levels {of nested} structures}
----------------------------------
launch
----------------------------------
command
----------------------------------
multiple levels {of nested} structures
_____________________________________________________________
{start}{continue}{finish} the process
----------------------------------
start
----------------------------------
continue
----------------------------------
finish
----------------------------------
the
----------------------------------
process
_____________________________________________________________
execute   command {execute {inner} logic } finalize
----------------------------------
execute
----------------------------------
command
----------------------------------
execute {inner} logic 
----------------------------------
finalize
_____________________________________________________________

run    long command {with   spaces and symbols!@#$%^&*() }  
----------------------------------
run
----------------------------------
long
----------------------------------
command
----------------------------------
with   spaces and symbols!@#$%^&*() 
_____________________________________________________________

!inject  kernel!IoCreateFile script {

memcpy(" {                             buffer content @0x%x\n", @rdx);


}
----------------------------------
!inject
----------------------------------
kernel!IoCreateFile
----------------------------------
script
----------------------------------


memcpy(" {                             buffer content @0x%x\n", @rdx);



_____________________________________________________________
!hook  routine!KeWaitForSingleObject script { 

if (condition) {                              {   wait @timeout\n"," @rcx);}}

}
----------------------------------
!hook
----------------------------------
routine!KeWaitForSingleObject
----------------------------------
script
----------------------------------
 

if (condition) {                              {   wait @timeout\n"," @rcx);}}


_____________________________________________________________
!trace nt!ZwQuerySystemInformation script {

DbgPrint(" {                           {   system info: %p\n", @r8);   

}
----------------------------------
!trace
----------------------------------
nt!ZwQuerySystemInformation
----------------------------------
script
----------------------------------


DbgPrint(" {                           {   system info: %p\n", @r8);   


_____________________________________________________________
!monitor function!NtOpenProcess script {

log(" {                                   {   process opened: %d\n", @r9);


}
----------------------------------
!monitor
----------------------------------
function!NtOpenProcess
----------------------------------
script
----------------------------------


log(" {                                   {   process opened: %d\n", @r9);



_____________________________________________________________
!filter   nt!MmMapLockedPagesSpecifyCache script {

trace(" {                             {   mapping pages @%p\n", @r10);

}
----------------------------------
!filter
----------------------------------
nt!MmMapLockedPagesSpecifyCache
----------------------------------
script
----------------------------------


trace(" {                             {   mapping pages @%p\n", @r10);


_____________________________________________________________
!watch kernel!ObReferenceObjectByHandle script {

check(" {                             {   object handle: 0x%x\n","xxx" @r11);

}
----------------------------------
!watch
----------------------------------
kernel!ObReferenceObjectByHandle
----------------------------------
script
----------------------------------


check(" {                             {   object handle: 0x%x\n","xxx" @r11);


_____________________________________________________________
!watch kernel!ObReferenceObjectByHandle script { }{

check(" {                             {   object handle: 0x%x\n", @r11);

}
----------------------------------
!watch
----------------------------------
kernel!ObReferenceObjectByHandle
----------------------------------
script
----------------------------------
 
----------------------------------


check(" {                             {   object handle: 0x%x\n", @r11);


_____________________________________________________________
!watch kernel!ObReferenceObjectByHandle script { }{

check(" }  object handle: 0x%x\n", @r11);  

}
----------------------------------
!watch
----------------------------------
kernel!ObReferenceObjectByHandle
----------------------------------
script
----------------------------------
 
----------------------------------


check(" }  object handle: 0x%x\n", @r11);  


_____________________________________________________________
{block1}{block2}{block3} in sequence
----------------------------------
block1
----------------------------------
block2
----------------------------------
block3
----------------------------------
in
----------------------------------
sequence
_____________________________________________________________

!epthook nt!ExAllocatePoolWithTag script { 

printf(" {                                    {   hi2 ! :%llx\n", @rax);

}
----------------------------------
!epthook
----------------------------------
nt!ExAllocatePoolWithTag
----------------------------------
script
----------------------------------
 

printf(" {                                    {   hi2 ! :%llx\n", @rax);


_____________________________________________________________

!epthook nt!ExAllocatePoolWithTag script { 

printf(" {                                    {   hi ! :%llx\n", @rax);

}
----------------------------------
!epthook
----------------------------------
nt!ExAllocatePoolWithTag
----------------------------------
script
----------------------------------
 

printf(" {                                    {   hi ! :%llx\n", @rax);


_____________________________________________________________
command1 /* pre-command comment */  param1 param2 // inline comment
----------------------------------
command1
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
/* comment at start */command2 123 /* middle comment */ 456 
----------------------------------
command2
----------------------------------
123
----------------------------------
456
_____________________________________________________________
command3 789 { inner /* comment */ block } /* outer comment */ final
----------------------------------
command3
----------------------------------
789
----------------------------------
 inner /* comment */ block 
----------------------------------
final
_____________________________________________________________
!execute /*start*/ command /*ignored*/ {this part stays // comment inside } next
----------------------------------
!execute
----------------------------------
command
----------------------------------
this part stays // comment inside 
----------------------------------
next
_____________________________________________________________
// entire line comment
finalCommand 999 /* another comment */ {untouched /* inner */ block}
----------------------------------
finalCommand
----------------------------------
999
----------------------------------
untouched /* inner */ block
_____________________________________________________________
/* tricky */!run 1234 script /* inner */ {brackets should {remain}} end // finish
----------------------------------
!run
----------------------------------
1234
----------------------------------
script
----------------------------------
brackets should {remain}
----------------------------------
end
_____________________________________________________________
// comment at the start
/*!example 5678 script */ /*{preserve this block}*/ result
----------------------------------
result
_____________________________________________________________
/**/command4 { content /* inside */ untouched } // comment
----------------------------------
command4
----------------------------------
 content /* inside */ untouched 
_____________________________________________________________
/* remove this */ {block /* with comment*/} /* another comment */
----------------------------------
block /* with comment*/
_____________________________________________________________
simpleCommand  /* comment in the middle */ {final //comment inside} // end
----------------------------------
simpleCommand
----------------------------------
final //comment inside
_____________________________________________________________
/* complex */ command {nested {brackets /* and comments */ inside}  } end
----------------------------------
command
----------------------------------
nested {brackets /* and comments */ inside}  
----------------------------------
end
_____________________________________________________________
// mixed comments
!action 1 2 3 /*{should be removed}*/ result /*final*/
----------------------------------
!action
----------------------------------
1
----------------------------------
2
----------------------------------
3
----------------------------------
result
_____________________________________________________________
command5 /* multiple lines 
comment */ final // inline comment
----------------------------------
command5
----------------------------------
final
_____________________________________________________________
/* multiple lines 
comment */ command6  { /* inner block */ content } next // final comment
----------------------------------
command6
----------------------------------
 /* inner block */ content 
----------------------------------
next
_____________________________________________________________
/// full line comment
/*!ignore this*/ command7  {keep /* this comment */ block} // end
----------------------------------
command7
----------------------------------
keep /* this comment */ block
_____________________________________________________________
/* nested comments */ command8{content /* with nested */ parts} // final
----------------------------------
command8
----------------------------------
content /* with nested */ parts
_____________________________________________________________
_____________________________________________________________
/* nested comments */ command8{content /* with nested */ parts}com // final
----------------------------------
command8
----------------------------------
content /* with nested */ parts
----------------------------------
com
_____________________________________________________________
!operation /*start*/ { inner content } /* middle */final// finish
----------------------------------
!operation
----------------------------------
 inner content 
----------------------------------
final
_____________________________________________________________
// ignore everything
/*!skip this*/ /*{and this block}*/result //final
----------------------------------
result
_____________________________________________________________
/**/ complexCommand {keep /* special */ part}// ending comment/**/
----------------------------------
complexCommand
----------------------------------
keep /* special */ part
_____________________________________________________________
// full line comment
cmd1 param1 /*inline comment*/ param2
----------------------------------
cmd1
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
commandA // with a comment
----------------------------------
commandA
_____________________________________________________________
/*block comment*/cmd2                      { }arg1 arg2   
----------------------------------
cmd2
----------------------------------
 
----------------------------------
arg1
----------------------------------
arg2
_____________________________________________________________
cmd3 {block with // inline comment} next
----------------------------------
cmd3
----------------------------------
block with // inline comment
----------------------------------
next
_____________________________________________________________
// start comment
cmd4 123 /* another comment */ {block} end
----------------------------------
cmd4
----------------------------------
123
----------------------------------
block
----------------------------------
end
_____________________________________________________________
/*!skip this*/ cmd5 {content remains /* inside comment */} final
----------------------------------
cmd5
----------------------------------
content remains /* inside comment */
----------------------------------
final
_____________________________________________________________
cmd6 param /* ignore this */ {keep this block}
----------------------------------
cmd6
----------------------------------
param
----------------------------------
keep this block
_____________________________________________________________
// skip comment
cmd7 /* block */ next
----------------------------------
cmd7
----------------------------------
next
_____________________________________________________________
/* first comment */cmd8 {preserve this} last
----------------------------------
cmd8
----------------------------------
preserve this
----------------------------------
last
_____________________________________________________________

commandB param /*{don't remove this 


block}*/ param2
----------------------------------
commandB
----------------------------------
param
----------------------------------
param2
_____________________________________________________________
/*!skip*/ cmd9 param {block with // /*


*/ {} {} {} comment} final
----------------------------------
cmd9
----------------------------------
param
----------------------------------
block with // /*


*/ {} {} {} comment
----------------------------------
final
_____________________________________________________________
cmd10 param /* 


/*



middle */ param2
----------------------------------
cmd10
----------------------------------
param
----------------------------------
param2
_____________________________________________________________
cmd11 {keep /*
 special */ block} final
----------------------------------
cmd11
----------------------------------
keep /*
 special */ block
----------------------------------
final
_____________________________________________________________
// skip line
commandC {block} / * comment */ param
----------------------------------
commandC
----------------------------------
block
----------------------------------
/
----------------------------------
*
----------------------------------
comment
----------------------------------
*/
----------------------------------
param
_____________________________________________________________
cmd12 {start block} /* comment */ next / /
----------------------------------
cmd12
----------------------------------
start block
----------------------------------
next
----------------------------------
/
----------------------------------
/
_____________________________________________________________
cmd13 /* comment before */ {b




lock}/*>*?*/last
----------------------------------
cmd13
----------------------------------
b




lock
----------------------------------
last
_____________________________________________________________
commandD param1 /*comment*/ param2
----------------------------------
commandD
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
cmd14 {complex /* block */content} final
----------------------------------
cmd14
----------------------------------
complex /* block */content
----------------------------------
final
_____________________________________________________________
// full comment
commandE /* remove this */ param1
----------------------------------
commandE
----------------------------------
param1
_____________________________________________________________
cmd15 {nested /* comment */ block} result
----------------------------------
cmd15
----------------------------------
nested /* comment */ block
----------------------------------
result
_____________________________________________________________
/*!ignore*/ cmd16 param1 {keep /* nested   */ content}
----------------------------------
cmd16
----------------------------------
param1
----------------------------------
keep /* nested   */ content
_____________________________________________________________
cmd17 param/**/{block with comment // inside}
----------------------------------
cmd17
----------------------------------
param
----------------------------------
block with comment // inside
_____________________________________________________________


salam         //   test 123     456
----------------------------------
salam
_____________________________________________________________
!monitor 123 1234 script /*{ tesTo                     salam 

khoobi?
 }*/
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
_____________________________________________________________
!monitor 123 1234 script /*{ tesTo                     salam 

khoobi?
 }*/
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
_____________________________________________________________
!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
test
_____________________________________________________________
/**/!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test
----------------------------------
!monitor
----------------------------------
123
----------------------------------
1234
----------------------------------
script
----------------------------------
test
_____________________________________________________________
/*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test
----------------------------------
test
_____________________________________________________________
/**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test2
----------------------------------
test2
_____________________________________________________________
/**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test3
----------------------------------
test3
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 }*/ test3
----------------------------------
khoobi?
----------------------------------
}*/
----------------------------------
test3
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?
 //}*/ test3
----------------------------------
khoobi?
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?//testttt
 //}*/ test4
----------------------------------
khoobi?
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?//testttt
 //}*/ test3
----------------------------------
khoobi?
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?/*//testttt*/
 //}*/ test3
----------------------------------
khoobi?
_____________________________________________________________
///**//*!monitor 123 1234 script /*    { tesTo                     salam 

khoobi?/**///testttt/**/
 //}*/ test3
----------------------------------
khoobi?
_____________________________________________________________


cmd18 /**/{block} next


----------------------------------
cmd18
----------------------------------
block
----------------------------------
next
_____________________________________________________________
/*!skip*/ commandF {content /* with */ inside} final??/****/
----------------------------------
commandF
----------------------------------
content /* with */ inside
----------------------------------
final??
_____________________________________________________________
cmd19 param {complex block /* with   comments */ inside//}/*****/
----------------------------------
cmd19
----------------------------------
param
----------------------------------
complex block /* with   comments */ inside//
_____________________________________________________________
cmd20 /* block comment */ {preserve this} last//
----------------------------------
cmd20
----------------------------------
preserve this
----------------------------------
last
_____________________________________________________________
commandG /* remove this */ param1////
----------------------------------
commandG
----------------------------------
param1
_____________________________________________________________
/*!skip this*/ cmd21 param {block /* with */ comment} final\\//
----------------------------------
cmd21
----------------------------------
param
----------------------------------
block /* with */ comment
----------------------------------
final\\
_____________________________________________________________
cmd22 param /* comment inside */ {block} last
----------------------------------
cmd22
----------------------------------
param
----------------------------------
block
----------------------------------
last
_____________________________________________________________
/*cmd43*/cmd23{complex block /* with */ content} final
----------------------------------
cmd23
----------------------------------
complex block /* with */ content
----------------------------------
final
_____________________________________________________________
/*/*//*/*//*/*//*/*//*/*/cmd24 param1 /* comment inside */ param2
----------------------------------
cmd24
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
cmd25 {keep /* special */ block//} final
----------------------------------
cmd25
----------------------------------
keep /* special */ block//
----------------------------------
final
_____________________________________________________________
// full line comment
commandH {preserve this}/* comment */final
----------------------------------
commandH
----------------------------------
preserve this
----------------------------------
final
_____________________________________________________________
cmd26 param {block with /* inside */ comment}
----------------------------------
cmd26
----------------------------------
param
----------------------------------
block with /* inside */ comment
_____________________________________________________________
/*!ignore*/ cmd27 {nested /* block */ comment}{nested /* block */ comment} final
----------------------------------
cmd27
----------------------------------
nested /* block */ comment
----------------------------------
nested /* block */ comment
----------------------------------
final
_____________________________________________________________




cmd28 

/* comment before */ 


{block} next

----------------------------------
cmd28
----------------------------------
block
----------------------------------
next
_____________________________________________________________
/*/*//*/*


*/


commandI /* remove this */ param
----------------------------------
commandI
----------------------------------
param
_____________________________________________________________

cmd29 param {block /* with */ comment} final{

}
----------------------------------
cmd29
----------------------------------
param
----------------------------------
block /* with */ comment
----------------------------------
final
----------------------------------



_____________________________________________________________
/*!skip*/ cmd30 param {content /* inside */ block} last
----------------------------------
cmd30
----------------------------------
param
----------------------------------
content /* inside */ block
----------------------------------
last
_____________________________________________________________
cmd31 {{}} /* comment */ {keep this block} next
----------------------------------
cmd31
----------------------------------
{}
----------------------------------
keep this block
----------------------------------
next
_____________________________________________________________
cmd32 param /////////////////* comment inside */ {block} final
----------------------------------
cmd32
----------------------------------
param
----------------------------------
_____________________________________________________________
cmd33 {complex block /* with */ comment}//////////////// result
----------------------------------
cmd33
----------------------------------
complex block /* with */ comment
_____________________________________________________________

// full comment
commandJ param1 //* comment inside //*/ param2
----------------------------------
commandJ
----------------------------------
param1
_____________________________________________________________
/*!skip





*/ cmd34 {nested /* block */ comment}final//
----------------------------------
cmd34
----------------------------------
nested /* block */ comment
----------------------------------
final
_____________________________________________________________
cmd35 param {block {{}} comment} last
----------------------------------
cmd35
----------------------------------
param
----------------------------------
block {{}} comment
----------------------------------
last
_____________________________________________________________
cmd36 {keep /* nested */{{

}} block} result
----------------------------------
cmd36
----------------------------------
keep /* nested */{{

}} block
----------------------------------
result
_____________________________________________________________
cmd37 param1 /* comment inside */ param2//
----------------------------------
cmd37
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
cmd38 "test /**/" {complex block /* with */ content} final
----------------------------------
cmd38
----------------------------------
test /**/
----------------------------------
complex block /* with */ content
----------------------------------
final
_____________________________________________________________
/*!ignore*/ commandK {preserve this} final"test"
----------------------------------
commandK
----------------------------------
preserve this
----------------------------------
final
----------------------------------
test
_____________________________________________________________
cmd39 param "{block /* with */ comment}" last
----------------------------------
cmd39
----------------------------------
param
----------------------------------
{block /* with */ comment}
----------------------------------
last
_____________________________________________________________
cmd40 /* comment */ {nested block} final "

test

"
----------------------------------
cmd40
----------------------------------
nested block
----------------------------------
final
----------------------------------


test


_____________________________________________________________
// full line comment " test "
commandL param1 /* comment */ param2
----------------------------------
commandL
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
""/*!skip*/ cmd41 {keep /* special */ block} final
----------------------------------

----------------------------------
cmd41
----------------------------------
keep /* special */ block
----------------------------------
final
_____________________________________________________________
cmd42 param {nested block /* with */ comment//"}"} last
----------------------------------
cmd42
----------------------------------
param
----------------------------------
nested block /* with */ comment//"}"
----------------------------------
last
_____________________________________________________________
cmd43 /* comment before */ {blo""ck} next
----------------------------------
cmd43
----------------------------------
blo""ck
----------------------------------
next
_____________________________________________________________
commandM "/*" remove /* this */ param1
----------------------------------
commandM
----------------------------------
/*
----------------------------------
remove
----------------------------------
param1
_____________________________________________________________
/*!skip this*/" test me " cmd44 param {block /* with */ comment} final
----------------------------------
 test me 
----------------------------------
cmd44
----------------------------------
param
----------------------------------
block /* with */ comment
----------------------------------
final
_____________________________________________________________
cmd45 param {complex block /* with */ comment} "re   sul" t
----------------------------------
cmd45
----------------------------------
param
----------------------------------
complex block /* with */ comment
----------------------------------
re   sul
----------------------------------
t
_____________________________________________________________
cmd46 /* comment inside */ {nested block} final
----------------------------------
cmd46
----------------------------------
nested block
----------------------------------
final
_____________________________________________________________
// full comment
commandN/**/"tos  t" param1 /* comment inside */ param2
----------------------------------
commandN
----------------------------------
tos  t
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________
"t   est"/*!ignore*/ cmd47 {block /* with nested */ comment} final
----------------------------------
t   est
----------------------------------
cmd47
----------------------------------
block /* with nested */ comment
----------------------------------
final
_____________________________________________________________
cmd48 param {block 

/* inside */ comment}"tt tt" next
----------------------------------
cmd48
----------------------------------
param
----------------------------------
block 

/* inside */ comment
----------------------------------
tt tt
----------------------------------
next
_____________________________________________________________
cmd49 {keep /* special */ block}"" result
----------------------------------
cmd49
----------------------------------
keep /* special */ block
----------------------------------

----------------------------------
result
_____________________________________________________________


"  "//

cmd50 param1 /* comment inside */ param2
----------------------------------
  
----------------------------------
cmd50
----------------------------------
param1
----------------------------------
param2
_____________________________________________________________

cmdZ /*block before*/ paramA {block/*inside*/} "fi nal" 
----------------------------------
cmdZ
----------------------------------
paramA
----------------------------------
block/*inside*/
----------------------------------
fi nal
_____________________________________________________________
cmdCurlyBraces "me here" {{shouldStay}} {alsoStay}
----------------------------------
cmdCurlyBraces
----------------------------------
me here
----------------------------------
{shouldStay}
----------------------------------
alsoStay
_____________________________________________________________
cmdQuotes "preserve this //comment" {insideQuotes}
----------------------------------
cmdQuotes
----------------------------------
preserve this //comment
----------------------------------
insideQuotes
_____________________________________________________________
cmdMixed /* mix this */ param /* with that */ {and preserve /* these */}"plus thuis"
----------------------------------
cmdMixed
----------------------------------
param
----------------------------------
and preserve /* these */
----------------------------------
plus thuis
_____________________________________________________________
cmdNest!!ed2 /*{keep this} but //remove*/ param
----------------------------------
cmdNest!!ed2
----------------------------------
param
_____________________________________________________________
cmdComplex /* outer /* inner  outer */ final
----------------------------------
cmdComplex
----------------------------------
final
_____________________________________________________________
cmdSymbols !@#$%^&*()_+\{\}:<>?[];',./ `~ | {test these}
----------------------------------
cmdSymbols
----------------------------------
!@#$%^&*()_+{}:<>?[];',./
----------------------------------
`~
----------------------------------
|
----------------------------------
test these
_____________________________________________________________
cmdSpaces    excessive    spaces   here    {and within }
----------------------------------
cmdSpaces
----------------------------------
excessive
----------------------------------
spaces
----------------------------------
here
----------------------------------
and within 
_____________________________________________________________
cmdSlashSlash //double slash in cmd {preserve 
f//this part}
----------------------------------
cmdSlashSlash
----------------------------------
f
_____________________________________________________________
cmdSlashAsterisk /*comment here*/ nextCmd /*and here*/
----------------------------------
cmdSlashAsterisk
----------------------------------
nextCmd
_____________________________________________________________
cmdSlashCombo // start /* middle */ end
----------------------------------
cmdSlashCombo
_____________________________________________________________
cmdEscaped "escaped // slash and quote\""
----------------------------------
cmdEscaped
----------------------------------
escaped // slash and quote"
_____________________________________________________________
cmdEmbedded/*before*/param/*inline {with special}*/ end
----------------------------------
cmdEmbeddedparam
----------------------------------
end
_____________________________________________________________

cmdBracketsInside { /*keep {inner} and outer*/ } final
----------------------------------
cmdBracketsInside
----------------------------------
 /*keep {inner} and outer*/ 
----------------------------------
final
_____________________________________________________________
cmdHTMLLike <html>/*ignore this*/ </html> {content}
----------------------------------
cmdHTMLLike
----------------------------------
<html>
----------------------------------
</html>
----------------------------------
content
_____________________________________________________________
cmdMathSymbols "\"\"" {symbolsInside}
----------------------------------
cmdMathSymbols
----------------------------------
""
----------------------------------
symbolsInside
_____________________________________________________________
cmdExclamation !!multiple !exclamations {preserve!}
----------------------------------
cmdExclamation
----------------------------------
!!multiple
----------------------------------
!exclamations
----------------------------------
preserve!
_____________________________________________________________
cmdParentheses (param1 param2) {inside ()}
----------------------------------
cmdParentheses
----------------------------------
(param1
----------------------------------
param2)
----------------------------------
inside ()
_____________________________________________________________
cmdBrackets [] {preserve [brackets]}
----------------------------------
cmdBrackets
----------------------------------
[]
----------------------------------
preserve [brackets]
_____________________________________________________________
cmdSpecialSequence /*remove*/ /**/ param //comment
----------------------------------
cmdSpecialSequence
----------------------------------
param
_____________________________________________________________
cmdPercentSign %keep this intact {"100% sure"}
----------------------------------
cmdPercentSign
----------------------------------
%keep
----------------------------------
this
----------------------------------
intact
----------------------------------
"100% sure"
_____________________________________________________________
cmdEscapedQuotes "preserve // comment\"" {\"inside\"}
----------------------------------
cmdEscapedQuotes
----------------------------------
preserve // comment"
----------------------------------
\"inside\"
_____________________________________________________________
cmdCurlyCombo {keep this} and {also 












this} // remove
----------------------------------
cmdCurlyCombo
----------------------------------
keep this
----------------------------------
and
----------------------------------
also 












this
_____________________________________________________________
cmdQuotesCurly "\"inside quotes\""{keep this}"tse s"
----------------------------------
cmdQuotesCurly
----------------------------------
"inside quotes"
----------------------------------
keep this
----------------------------------
tse s
_____________________________________________________________

cmdPipeSymbol | pipe this | {keep inside}
----------------------------------
cmdPipeSymbol
----------------------------------
|
----------------------------------
pipe
----------------------------------
this
----------------------------------
|
----------------------------------
keep inside
_____________________________________________________________
cmdAngleBrackets <param> /* comment */ next {  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();
}
----------------------------------
cmdAngleBrackets
----------------------------------
<param>
----------------------------------
next
----------------------------------
  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();

_____________________________________________________________

cmdSlashStart "// whole line comment /*and block*/ last"
----------------------------------
cmdSlashStart
----------------------------------
// whole line comment /*and block*/ last
_____________________________________________________________
cmdStarSlash /*entire line*/ {keep /*and this*/ intact}

{
  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();
}
----------------------------------
cmdStarSlash
----------------------------------
keep /*and this*/ intact
----------------------------------

  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();

_____________________________________________________________
cmdMixedQuotesCurly "\"with curly {inside}\" "{preserve this}
----------------------------------
cmdMixedQuotesCurly
----------------------------------
"with curly {inside}" 
----------------------------------
preserve this
_____________________________________________________________
cmdWeirdCharacters{
  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();
}test{symbolsInside}
----------------------------------
cmdWeirdCharacters
----------------------------------

  void  printTime() {
    printf("process pid %d \n",$pid);
    timePtr = $time;
    printf("TIME PTR %x\n", timePtr);
    
    yearPtr = timePtr - 10;
    year = (db(yearPtr+1) << 8) | db(yearPtr);
    
    monthPtr = timePtr - E;
    month = (db(monthPtr+1) << 8) | db(monthPtr);
    
    dayPtr = timePtr - C;
    day = (db(dayPtr+1) << 8) | db(dayPtr);
    hourPtr = timePtr - A;
    hour = (db(hourPtr+1) << 8) | db(hourPtr);
    minPtr = timePtr - 8;
    min = (db(minPtr+1) << 8) | db(minPtr);
    secPtr = timePtr - 6;
    sec = (db(secPtr+1) << 8) | db(secPtr);
    msecPtr = timePtr - 4;
    msec = (db(msecPtr+1) << 8) | db(msecPtr);  
    printf("FULL TIME : %d %d %d %d %d %d %d\n", year, month, day, hour, min, sec, msec);
  }
  printTime();

----------------------------------
test
----------------------------------
symbolsInside
_____________________________________________________________

cmdNestedQuotes "inside \"quotes" and {outside}
----------------------------------
cmdNestedQuotes
----------------------------------
inside "quotes
----------------------------------
and
----------------------------------
outside
_____________________________________________________________
{
void Sleep(int milliseconds) {
	.count = 0;
	.delay = milliseconds * 1000; // Convert milliseconds to microseconds

	while (.delay != 0) {
	.delay--;
		.count = 1000; // This constant can be adjusted based on the clock speed
		while (.count != 0) {
	.count--;
			// Do nothing, just busy-wait
		}
	}
}
	
Sleep(10);
}
----------------------------------

void Sleep(int milliseconds) {
	.count = 0;
	.delay = milliseconds * 1000; // Convert milliseconds to microseconds

	while (.delay != 0) {
	.delay--;
		.count = 1000; // This constant can be adjusted based on the clock speed
		while (.count != 0) {
	.count--;
			// Do nothing, just busy-wait
		}
	}
}
	
Sleep(10);

_____________________________________________________________
cmdStringInside /*comment*/ inside {string {with} braces}
----------------------------------
cmdStringInside
----------------------------------
inside
----------------------------------
string {with} braces
_____________________________________________________________
cmdHashSymbols #hashtag comment {#preserve this}
----------------------------------
cmdHashSymbols
----------------------------------
#hashtag
----------------------------------
comment
----------------------------------
#preserve this
_____________________________________________________________
cmdPercentage %preserve {? {
void Sleep(int milliseconds) {
	.count = 0;
	.delay = milliseconds * 1000; // Convert milliseconds to microseconds

	while (.delay != 0) {
	.delay--;
		.count = 1000; // This constant can be adjusted based on the clock speed
		while (.count != 0) {
	.count--;
			// Do nothing, just busy-wait
		}
	}
}
	
Sleep(10);
}} next
----------------------------------
cmdPercentage
----------------------------------
%preserve
----------------------------------
? {
void Sleep(int milliseconds) {
	.count = 0;
	.delay = milliseconds * 1000; // Convert milliseconds to microseconds

	while (.delay != 0) {
	.delay--;
		.count = 1000; // This constant can be adjusted based on the clock speed
		while (.count != 0) {
	.count--;
			// Do nothing, just busy-wait
		}
	}
}
	
Sleep(10);
}
----------------------------------
next
_____________________________________________________________


cmdFunctionLike funcName(param) /*comment*/ {block inside}
----------------------------------
cmdFunctionLike
----------------------------------
funcName(param)
----------------------------------
block inside
_____________________________________________________________
; j ; semicolon /*comment*/ {preserve;}
----------------------------------
;
----------------------------------
j
----------------------------------
;
----------------------------------
semicolon
----------------------------------
preserve;
_____________________________________________________________
cmdEllipsis ...preserve {these...} and next
----------------------------------
cmdEllipsis
----------------------------------
...preserve
----------------------------------
these...
----------------------------------
and
----------------------------------
next
_____________________________________________________________
cmdGreaterLess > greater < less {inside > < here}
----------------------------------
cmdGreaterLess
----------------------------------
>
----------------------------------
greater
----------------------------------
<
----------------------------------
less
----------------------------------
inside > < here
_____________________________________________________________
cmdAsteriskCombo *keep *these* *intact*
----------------------------------
cmdAsteriskCombo
----------------------------------
*keep
----------------------------------
*these*
----------------------------------
*intact*
_____________________________________________________________
cmdUnderScores _preserve _these {underscores_}
----------------------------------
cmdUnderScores
----------------------------------
_preserve
----------------------------------
_these
----------------------------------
underscores_
_____________________________________________________________
cmdHyphenDash{## @file user-mode-memory-allocations.ds
# @author Sina Karvandi (sina@hyperdbg.org)
# @brief Gathers memory allocations made by a process
# @version 0.7
# @date 2023-11-24
# @copyright This script is released under the MIT License.
# 
# @details In order to run this script, you should use '.script'
# command. 
# @param ProcessPath: Please specify the target Process path to start
#
# Run it like:
#     .script c:\users\sina\desktop\user-mode-memory-allocations.ds "C:\Windows\notepad.exe"
#
# It gathers different memory allocations (e.g., mallocs) like this:
#
#     [SYSCALL] NtAllocateVirtualMemory called from, pid: 3a8, name: Notepad.exe | requested size: 11c0
#     [SYSRET] NtAllocateVirtualMemory called from, pid: 3a8, name: Notepad.exe | located at: 195a8880000, size: 2000
#

start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}}
----------------------------------
cmdHyphenDash
----------------------------------
## @file user-mode-memory-allocations.ds
# @author Sina Karvandi (sina@hyperdbg.org)
# @brief Gathers memory allocations made by a process
# @version 0.7
# @date 2023-11-24
# @copyright This script is released under the MIT License.
# 
# @details In order to run this script, you should use '.script'
# command. 
# @param ProcessPath: Please specify the target Process path to start
#
# Run it like:
#     .script c:\users\sina\desktop\user-mode-memory-allocations.ds "C:\Windows\notepad.exe"
#
# It gathers different memory allocations (e.g., mallocs) like this:
#
#     [SYSCALL] NtAllocateVirtualMemory called from, pid: 3a8, name: Notepad.exe | requested size: 11c0
#     [SYSRET] NtAllocateVirtualMemory called from, pid: 3a8, name: Notepad.exe | located at: 195a8880000, size: 2000
#

start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}
_____________________________________________________________
cmdDigits123 123numbers 456inside {!syscall script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}}
----------------------------------
cmdDigits123
----------------------------------
123numbers
----------------------------------
456inside
----------------------------------
!syscall script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}
_____________________________________________________________
cmdDoubleQuotes ""empty quotes"" {preserve""}
----------------------------------
cmdDoubleQuotes
----------------------------------

----------------------------------
empty
----------------------------------
quotes
----------------------------------

----------------------------------
preserve""
_____________________________________________________________
///////*
cmdRandomSymbols @$#*keep #this {preserved$}
----------------------------------
cmdRandomSymbols
----------------------------------
@$#*keep
----------------------------------
#this
----------------------------------
preserved$
_____________________________________________________________
cmdColon :preserve :this {!syscall pid $arg1 script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}}{!syscall pid $arg1 script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}}
----------------------------------
cmdColon
----------------------------------
:preserve
----------------------------------
:this
----------------------------------
!syscall pid $arg1 script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}
----------------------------------
!syscall pid $arg1 script {

  //
  // IOCTL Codes:
  // 		AFD_Connect: 0x12007
  //
  /*
  	
  	typedef struct  _AFD_CONNECT_INFO {
  		BOOLEAN		      UseSAN;
  		ULONG		      Root;
  		ULONG		      Unknown;
  		SOCKADDR		  RemoteAddress;
  	} AFD_CONNECT_INFO , *PAFD_CONNECT_INFO ;
  	
  	typedef struct sockaddr_in {
  	short          sin_family;
  	USHORT         sin_port;
  	IN_ADDR        sin_addr;
  	CHAR           sin_zero[8];
  	} SOCKADDR_IN, *PSOCKADDR_IN;

  */

  if (@rax == 0x7) {
  
    // printf("IoControlCode: %x\n", dd(@rsp + 30));

    if (dd(@rsp + 30) == 0x12007) {
      //
      // Details derived from: https://www.cyberus-technology.de/posts/network-analysis-with-tycho/
      //

      //
      // Get the port address
      //
      port_num_high_bit = db(poi(@rsp + 38) + 1a);
      port_num_low_bit = db(poi(@rsp + 38) + 1b);

      port_num = 0;
      port_num = port_num_high_bit << 8 | port_num_low_bit;

      //
      // Get the IP address
      //
      part0 = db(poi(@rsp + 38) + 1c);
      part1 = db(poi(@rsp + 38) + 1d);
      part2 = db(poi(@rsp + 38) + 1e);
      part3 = db(poi(@rsp + 38) + 1f);

      part0 = part0 << 0n24;
      part1 = part1 << 0n16;
      part2 = part2 << 0n8;
      part3 = part3 << 0n0;

      ip_addr = part0 | part1 | part2 | part3;

      // printf("Process Id: %x, name: %s connects to ====> IP address (hex): %x\n", $pid, $pname, ip_addr);

      printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
		$pid,
		$pname,
        (ip_addr & 0xFF000000) >> 0n24,
        (ip_addr & 0x00FF0000) >> 0n16,
        (ip_addr & 0x0000FF00) >> 0n8,
        ip_addr & 0x000000FF,
		port_num);
    }
  }
}
_____________________________________________________________
cmdDollarSign $preserve $this {## @file process-behavior-logger.ds
# @author HyperDbg Development Team
# @brief Dataset maker script
# @version 0.1
# @date 2021-10-01
# @copyright This script is released under the MIT License.
# 
# @details In order to run this script, you should use '.script'
# command. 
# @param ProcessId The first parameter is the target Process Id
#
# First, you need to specify the Process ID as the first argument.
# For example, if your target process's ID is 0x1240, then you 
# run the the scrip like this:
# 
# After that, use the script like: 
#     .script c:\users\sina\desktop\process-behavior-logger.ds 0x1240
#
# It gathers different parameters in order to create a dataset
# from the behavior of a special process.
# Some of the commands are commented, you can uncomment them if you
# need its results.
#

#
# Configure the symbols, make sure that "ntoskrnl.exe"'s PDB is located 
# at local symbol path
#
.sympath SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols
.sym reload

#
# The first parameter to investigate is system-call,
# generally, the system-calls are with Windows x86_64 FASTCALL calling convention.
# So, the parameters are passed in RCX, RDX, R8, R9, Stack
# However, RCX is modified by Intel through kernel-to-user transition as 
# RCX will contain address of next instruction (RIP), but in Windows, it 
# remains its convention and saves the RCX temporarily on R10, so the R10
# register represents RCX in this case.
#
!syscall pid $arg1 script { 
          printf("method:syscall, pname: %s, pid: %x, tid: %x, syscall: %llx, rcx: %llx, rdx: %llx, r8: %llx, r9: %llx\n", 
          $pname, $pid, $tid, @rax, @r10, @rdx, @r8, @r9); 
          }

#
# And we'll get SYSRET(s), it is because we want to get the result of SYSCALLs
# from the kernel, note that sysrets are related to the SYSCALLs by Thread ID
# It means that we can find the actual sysret for the specific syscall by
# looking for the Thread ID.
# Note that the return result is in the RAX register.
#
!sysret pid $arg1 script { 
          printf("method:sysret, pname: %s, pid: %x, tid: %x, rax: %llx\n", $pname, $pid, $tid, @rax); 
          }

#
# The next parameter is kernel memory allocations
# For this purpose, we hook nt!ExAllocatePoolWithTag
# This is the prototype of this function from MSDN, and it's FASTCALL:
# Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-exallocatepoolwithtag 
#
#	PVOID ExAllocatePoolWithTag(
#	  __drv_strictTypeMatch(__drv_typeExpr)POOL_TYPE PoolType,
#	  SIZE_T                                         NumberOfBytes,
#	  ULONG                                          Tag
#	);
# 
#
!epthook nt!ExAllocatePoolWithTag pid $arg1 script {
          printf("method:kmem, pname: %s, pid: %x, tid: %x, ret: %llx, PoolType: %llx, PoolSize: %llx, PoolTag: %llx\n",
          $pname, $pid, $tid, poi(@rsp), @rcx, @rdx, @r8); 
          }

#
# Next, we'll interested in any execution of CPUID instruction
#
!cpuid pid $arg1 script { 
          printf("method:cpuid, pname: %s, pid: %x, tid: %x, rip: %llx, context: %x, eax: %x, ebx: %x, ecx: %x, edx: %x\n",
          $pname, $pid, $tid, @rip, $context, @eax, @ebx, @ecx, @edx);
          }

#
# Create a log from accesses to hardware debug registers
# THIS COMMAND IS COMMENTED
#
# !dr pid $arg1 script { 
#         printf("method:debugregs, pname: %s, pid: %x, tid: %x, rip: %llx\n", $pname, $pid, $tid, @rip); 
#         }

#
# The other parameter is to get any call to first 32-entries of
# Interrupt Descriptor Table (IDT)
# THIS COMMAND IS COMMENTED
#
# !exception pid $arg1 script { 
#         printf("method:exception, pname: %s, pid: %x, tid: %x, rip: %llx, context: %x\n", 
#         $pname, $pid, $tid, @rip, $context); 
#         }

#
# getting the execution of RDTSC/RDTSCP
# THIS COMMAND IS COMMENTED
#
# !tsc pid $arg1 script { 
#         printf("method:tsc, pname: %s, pid: %x, tid: %x, rip: %llx\n", $pname, $pid, $tid, @rip); 
#         }

#
# getting the execution of RDMSR/WRMSR
# THESE COMMANDS ARE COMMENTED
#
# !msrread pid $arg1 script { 
#         printf("method:rdmsr, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

# !msrwrite pid $arg1 script {
#         printf("method:wrmsr, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

#
# getting the execution of I/O instructions (IN & OUT)
# THESE COMMANDS ARE COMMENTED
#
# !ioin pid $arg1 script {
#         printf("method:in, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

# !ioout pid $arg1 script { 
#         printf("method:out, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context);
#         }}
----------------------------------
cmdDollarSign
----------------------------------
$preserve
----------------------------------
$this
----------------------------------
## @file process-behavior-logger.ds
# @author HyperDbg Development Team
# @brief Dataset maker script
# @version 0.1
# @date 2021-10-01
# @copyright This script is released under the MIT License.
# 
# @details In order to run this script, you should use '.script'
# command. 
# @param ProcessId The first parameter is the target Process Id
#
# First, you need to specify the Process ID as the first argument.
# For example, if your target process's ID is 0x1240, then you 
# run the the scrip like this:
# 
# After that, use the script like: 
#     .script c:\users\sina\desktop\process-behavior-logger.ds 0x1240
#
# It gathers different parameters in order to create a dataset
# from the behavior of a special process.
# Some of the commands are commented, you can uncomment them if you
# need its results.
#

#
# Configure the symbols, make sure that "ntoskrnl.exe"'s PDB is located 
# at local symbol path
#
.sympath SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols
.sym reload

#
# The first parameter to investigate is system-call,
# generally, the system-calls are with Windows x86_64 FASTCALL calling convention.
# So, the parameters are passed in RCX, RDX, R8, R9, Stack
# However, RCX is modified by Intel through kernel-to-user transition as 
# RCX will contain address of next instruction (RIP), but in Windows, it 
# remains its convention and saves the RCX temporarily on R10, so the R10
# register represents RCX in this case.
#
!syscall pid $arg1 script { 
          printf("method:syscall, pname: %s, pid: %x, tid: %x, syscall: %llx, rcx: %llx, rdx: %llx, r8: %llx, r9: %llx\n", 
          $pname, $pid, $tid, @rax, @r10, @rdx, @r8, @r9); 
          }

#
# And we'll get SYSRET(s), it is because we want to get the result of SYSCALLs
# from the kernel, note that sysrets are related to the SYSCALLs by Thread ID
# It means that we can find the actual sysret for the specific syscall by
# looking for the Thread ID.
# Note that the return result is in the RAX register.
#
!sysret pid $arg1 script { 
          printf("method:sysret, pname: %s, pid: %x, tid: %x, rax: %llx\n", $pname, $pid, $tid, @rax); 
          }

#
# The next parameter is kernel memory allocations
# For this purpose, we hook nt!ExAllocatePoolWithTag
# This is the prototype of this function from MSDN, and it's FASTCALL:
# Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-exallocatepoolwithtag 
#
#	PVOID ExAllocatePoolWithTag(
#	  __drv_strictTypeMatch(__drv_typeExpr)POOL_TYPE PoolType,
#	  SIZE_T                                         NumberOfBytes,
#	  ULONG                                          Tag
#	);
# 
#
!epthook nt!ExAllocatePoolWithTag pid $arg1 script {
          printf("method:kmem, pname: %s, pid: %x, tid: %x, ret: %llx, PoolType: %llx, PoolSize: %llx, PoolTag: %llx\n",
          $pname, $pid, $tid, poi(@rsp), @rcx, @rdx, @r8); 
          }

#
# Next, we'll interested in any execution of CPUID instruction
#
!cpuid pid $arg1 script { 
          printf("method:cpuid, pname: %s, pid: %x, tid: %x, rip: %llx, context: %x, eax: %x, ebx: %x, ecx: %x, edx: %x\n",
          $pname, $pid, $tid, @rip, $context, @eax, @ebx, @ecx, @edx);
          }

#
# Create a log from accesses to hardware debug registers
# THIS COMMAND IS COMMENTED
#
# !dr pid $arg1 script { 
#         printf("method:debugregs, pname: %s, pid: %x, tid: %x, rip: %llx\n", $pname, $pid, $tid, @rip); 
#         }

#
# The other parameter is to get any call to first 32-entries of
# Interrupt Descriptor Table (IDT)
# THIS COMMAND IS COMMENTED
#
# !exception pid $arg1 script { 
#         printf("method:exception, pname: %s, pid: %x, tid: %x, rip: %llx, context: %x\n", 
#         $pname, $pid, $tid, @rip, $context); 
#         }

#
# getting the execution of RDTSC/RDTSCP
# THIS COMMAND IS COMMENTED
#
# !tsc pid $arg1 script { 
#         printf("method:tsc, pname: %s, pid: %x, tid: %x, rip: %llx\n", $pname, $pid, $tid, @rip); 
#         }

#
# getting the execution of RDMSR/WRMSR
# THESE COMMANDS ARE COMMENTED
#
# !msrread pid $arg1 script { 
#         printf("method:rdmsr, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

# !msrwrite pid $arg1 script {
#         printf("method:wrmsr, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

#
# getting the execution of I/O instructions (IN & OUT)
# THESE COMMANDS ARE COMMENTED
#
# !ioin pid $arg1 script {
#         printf("method:in, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context); 
#         }

# !ioout pid $arg1 script { 
#         printf("method:out, pname: %s, pid: %x, tid: %x, rip: %llx, context: %llx\n",
#         $pname, $pid, $tid, @rip, $context);
#         }
_____________________________________________________________
cmdAtSymbol @keep @this {
start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}
}
----------------------------------
cmdAtSymbol
----------------------------------
@keep
----------------------------------
@this
----------------------------------

start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}

_____________________________________________________________
cmdAlphanumeric a1b2c3 {preserve a4b5c6} next
----------------------------------
cmdAlphanumeric
----------------------------------
a1b2c3
----------------------------------
preserve a4b5c6
----------------------------------
next
_____________________________________________________________
cmdMixedComments /*comment1*/ param //comment2\n {keep}
----------------------------------
cmdMixedComments
----------------------------------
param
----------------------------------
keep
_____________________________________________________________
cmdMixedComments /*comment1*/ param //comment2 {keep}
----------------------------------
cmdMixedComments
----------------------------------
param
_____________________________________________________________
cmdAngleAndQuotes <param> /* start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}*/
----------------------------------
cmdAngleAndQuotes
----------------------------------
<param>
_____________________________________________________________
/* start path $arg1

? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;

!sysret script {
	if ($pid == .target_pid && .thread_intercept_thread == 1 && $tid == .target_tid) {
		spinlock_unlock(&.thread_intercept_thread);
		.target_tid = 0;
		printf("[SYSRET] NtAllocateVirtualMemory called from, pid: %x, name: %s | located at: %llx, actual allocated size: %llx\n", $pid, $pname, dq(.target_allocation_address), dq(.target_allocation_size));
	}
}

!syscall 18 script {
	
	if ($pid == .target_pid) {
		spinlock_lock(&.thread_intercept_thread);
		.target_tid = $tid;
		.target_allocation_address = @rdx;
		.target_allocation_size = @r9;
		
		if (dq(rdx) == 0) {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx\n", $pid, $pname, dq(r9));
		}
		else {
			printf("[SYSCALL] NtAllocateVirtualMemory called from, pid: %x, name: %s | requested size: %llx, user-specific addr: %llx\n", $pid, $pname, dq(r9), dq(rdx));
		}
	}
}*/cmdSpecialBraces {keep this} /*comment*/ {another preserve}
----------------------------------
cmdSpecialBraces
----------------------------------
keep this
----------------------------------
another preserve
_____________________________________________________________
cmdComplexSyntax !@#preserve%&*()_+\{\}:<>?[];',./ `~ | {and this}
----------------------------------
cmdComplexSyntax
----------------------------------
!@#preserve%&*()_+{}:<>?[];',./
----------------------------------
`~
----------------------------------
|
----------------------------------
and this
_____________________________________________________________

//
? printf("Result : %s", @rcx);
----------------------------------
?
----------------------------------
printf(
----------------------------------
Result : %s
----------------------------------
,
----------------------------------
@rcx);
_____________________________________________________________
? printf("Process name: %s", $pname);

----------------------------------
?
----------------------------------
printf(
----------------------------------
Process name: %s
----------------------------------
,
----------------------------------
$pname);
_____________________________________________________________
? print(dq(@rcx));

----------------------------------
?
----------------------------------
print(dq(@rcx));
_____________________________________________________________
? print($proc+@rdx);

----------------------------------
?
----------------------------------
print($proc+@rdx);
_____________________________________________________________
? print(poi(@rax+a0));

----------------------------------
?
----------------------------------
print(poi(@rax+a0));
_____________________________________________________________
? printf("Result : %ws\"", poi($proc+ 10));

----------------------------------
?
----------------------------------
printf(
----------------------------------
Result : %ws"
----------------------------------
,
----------------------------------
poi($proc+
----------------------------------
10));
_____________________________________________________________
? printf("Result : %s", poi($proc+10));

----------------------------------
?
----------------------------------
printf(
----------------------------------
Result : %s
----------------------------------
,
----------------------------------
poi($proc+10));
_____________________________________________________________
? print(dw(NtCreateFile+10));

----------------------------------
?
----------------------------------
print(dw(NtCreateFile+10));
_____________________________________________________________
? print(dw(NtCreateFile+@rcx+($proc|3+poi(poi(@rax)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))){ })))));

----------------------------------
?
----------------------------------
print(dw(NtCreateFile+@rcx+($proc|3+poi(poi(@rax))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
----------------------------------
 
----------------------------------
)))));
_____________________________________________________________
__kernel_entry NTSYSCALLAPI NTSTATUS NtOpenFile(
  PHANDLE            FileHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PIO_STATUS_BLOCK   IoStatusBlock,
  ULONG              ShareAccess,
  ULONG              OpenOptions
);
----------------------------------
__kernel_entry
----------------------------------
NTSYSCALLAPI
----------------------------------
NTSTATUS
----------------------------------
NtOpenFile(
----------------------------------
PHANDLE
----------------------------------
FileHandle,
----------------------------------
ACCESS_MASK
----------------------------------
DesiredAccess,
----------------------------------
POBJECT_ATTRIBUTES
----------------------------------
ObjectAttributes,
----------------------------------
PIO_STATUS_BLOCK
----------------------------------
IoStatusBlock,
----------------------------------
ULONG
----------------------------------
ShareAccess,
----------------------------------
ULONG
----------------------------------
OpenOptions
);
_____________________________________________________________
From the relative-address point of view, this function is stored in the memory like this:
----------------------------------
From
----------------------------------
the
----------------------------------
relative-address
----------------------------------
point
----------------------------------
of
----------------------------------
view,
----------------------------------
this
----------------------------------
function
----------------------------------
is
----------------------------------
stored
----------------------------------
in
----------------------------------
the
----------------------------------
memory
----------------------------------
like
----------------------------------
this:
_____________________________________________________________
   +0x000 Length           : Uint2B
   +0x002 MaximumLength    : Uint2B
   +0x008 Buffer           : Ptr64 Wchar

----------------------------------
+0x000
----------------------------------
Length
----------------------------------
:
----------------------------------
Uint2B
----------------------------------
+0x002
----------------------------------
MaximumLength
----------------------------------
:
----------------------------------
Uint2B
----------------------------------
+0x008
----------------------------------
Buffer
----------------------------------
:
----------------------------------
Ptr64
----------------------------------
Wchar
_____________________________________________________________
!epthook nt!NtOpenFile script {
	printf("%ws\n", dq(poi(r8 + 10) + 0x8));
}
----------------------------------
!epthook
----------------------------------
nt!NtOpenFile
----------------------------------
script
----------------------------------

	printf("%ws\n", dq(poi(r8 + 10) + 0x8));

_____________________________________________________________
				  		fffff801`639b1030   			 48 F               	       mov qword ptr ss:[rsp+0x08], rbx
fffff801`639b1035    24 10                      mov qword ptr ss:[rsp+0x10], rbp
----------------------------------
fffff801`639b1030
----------------------------------
48
----------------------------------
F
----------------------------------
mov
----------------------------------
qword
----------------------------------
ptr
----------------------------------
ss:[rsp+0x08],
----------------------------------
rbx
fffff801`639b1035
----------------------------------
24
----------------------------------
10
----------------------------------
mov
----------------------------------
qword
----------------------------------
ptr
----------------------------------
ss:[rsp+0x10],
----------------------------------
rbp
_____________________________________________________________
!epthook nt!ExAllocatePoolWithTag script {

	if (poi(@rsp") == nt!CmpAllocatePoolWithTag+0x9") {
		pause();
	}
}
----------------------------------
!epthook
----------------------------------
nt!ExAllocatePoolWithTag
----------------------------------
script
----------------------------------


	if (poi(@rsp") == nt!CmpAllocatePoolWithTag+0x9") {
		pause();
	}

_____________________________________________________________
? .my_lock = 0;
? .my_counter = 0;

----------------------------------
?
----------------------------------
.my_lock
----------------------------------
=
----------------------------------
0;
?
----------------------------------
.my_counter
----------------------------------
=
----------------------------------
0;
_____________________________________________________________
{spinlock_lock(&.my_lock); 

.my_counter = .my_counter + 1;
printf("NtCreateFile syscall (0x0055) is called %llx times\n", .my_counter);
	
spinlock_unlock(&.my_lock);{}}

----------------------------------
spinlock_lock(&.my_lock); 

.my_counter = .my_counter + 1;
printf("NtCreateFile syscall (0x0055) is called %llx times\n", .my_counter);
	
spinlock_unlock(&.my_lock);{}
_____________________________________________________________
? .my_lock = 0;
? .my_counter = 0;

!syscall script {

if ($context == 0x55) {

	spinlock_lock(&.my_lock); 
	
	.my_counter = .my_counter + 1;
	printf("NtCreateFile syscall (0x0055) is called %llx times\n", .my_counter);
	
	spinlock_unlock(&.my_lock);

	}
}
----------------------------------
?
----------------------------------
.my_lock
----------------------------------
=
----------------------------------
0;
?
----------------------------------
.my_counter
----------------------------------
=
----------------------------------
0;

!syscall
----------------------------------
script
----------------------------------


if ($context == 0x55) {

	spinlock_lock(&.my_lock); 
	
	.my_counter = .my_counter + 1;
	printf("NtCreateFile syscall (0x0055) is called %llx times\n", .my_counter);
	
	spinlock_unlock(&.my_lock);

	}

_____________________________________________________________
? @ebx = @rdx | 0xfffff550 + @edx;

----------------------------------
?
----------------------------------
@ebx
----------------------------------
=
----------------------------------
@rdx
----------------------------------
|
----------------------------------
0xfffff550
----------------------------------
+
----------------------------------
@edx;
_____________________________________________________________
? @rip =  0xfffff8003ad6f010;" @rsp = fffff800`5b660000;


\"


"

----------------------------------
?
----------------------------------
@rip
----------------------------------
=
----------------------------------
0xfffff8003ad6f010;
----------------------------------
 @rsp = fffff800`5b660000;


"



_____________________________________________________________
if (check_address(@r11) == 1) 
{
    printf("address is valid.\n");
}
else 
{
    printf("address is invalid.\n");
}
----------------------------------
if
----------------------------------
(check_address(@r11)
----------------------------------
==
----------------------------------
1)
----------------------------------

    printf("address is valid.\n");

----------------------------------
else
----------------------------------

    printf("address is invalid.\n");

_____________________________________________________________
!epthook nt!NtCreateFile script {
	if(wcscmp(L"\\??\\C:\\folder\\test.txt",poi(poi(@r8+10)+8)) == 0){
		pause();
	}
}
----------------------------------
!epthook
----------------------------------
nt!NtCreateFile
----------------------------------
script
----------------------------------

	if(wcscmp(L"\\??\\C:\\folder\\test.txt",poi(poi(@r8+10)+8)) == 0){
		pause();
	}

_____________________________________________________________
!epthook 004C5A1C pid 225c script {
	@zf = 0;
}
----------------------------------
!epthook
----------------------------------
004C5A1C
----------------------------------
pid
----------------------------------
225c
----------------------------------
script
----------------------------------

	@zf = 0;

_____________________________________________________________
!exception 0xe pid 4 script "{
	
	.Result = interlocked_increment(&.my_counter);
}"
----------------------------------
!exception
----------------------------------
0xe
----------------------------------
pid
----------------------------------
4
----------------------------------
script
----------------------------------
{
	
	.Result = interlocked_increment(&.my_counter);
}
_____________________________________________________________
!sysret script {

	if (.thread_id == $tid) {
		
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		//
		// Reset the thread id holder
		//
		.thread_id = 0;
	}
}
----------------------------------
!sysret
----------------------------------
script
----------------------------------


	if (.thread_id == $tid) {
		
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		//
		// Reset the thread id holder
		//
		.thread_id = 0;
	}

_____________________________________________________________
!syscall script { 
	
	if ($pid == $arg1 && @rax == $arg2) {
		
		spinlock_lock(&.thread_id_lock);
		
		if (.thread_id == 0) {
			
			//
			// Save the thread id for the SYSRET event
			//
			.thread_id = $tid;
			
			//
			// Show the parameters
			//
			printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n", $tid, @rax, @rcx, @rdx, @r8, @r9);
			
		}
		
		spinlock_unlock(&.thread_id_lock);
	}
}
----------------------------------
!syscall
----------------------------------
script
----------------------------------
 
	
	if ($pid == $arg1 && @rax == $arg2) {
		
		spinlock_lock(&.thread_id_lock);
		
		if (.thread_id == 0) {
			
			//
			// Save the thread id for the SYSRET event
			//
			.thread_id = $tid;
			
			//
			// Show the parameters
			//
			printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n", $tid, @rax, @rcx, @rdx, @r8, @r9);
			
		}
		
		spinlock_unlock(&.thread_id_lock);
	}

_____________________________________________________________
!sysret script {

	if (.thread_id == $tid) {
		
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		//
		// Reset the thread id holder
		//
		.thread_id = 0;
	}
}

!syscall script { 
	
	if ($pid == $arg1 && @rax == $arg2) {
		
		spinlock_lock(&.thread_id_lock);
		
		if (.thread_id == 0) {
			
			//
			// Save the thread id for the SYSRET event
			//
			.thread_id = $tid;
			
			//
			// Show the parameters
			//
			printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n", $tid, @rax, @rcx, @rdx, @r8, @r9);
			
		}
		
		spinlock_unlock(&.thread_id_lock);
	}
}

----------------------------------
!sysret
----------------------------------
script
----------------------------------


	if (.thread_id == $tid) {
		
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		//
		// Reset the thread id holder
		//
		.thread_id = 0;
	}

----------------------------------
!syscall
----------------------------------
script
----------------------------------
 
	
	if ($pid == $arg1 && @rax == $arg2) {
		
		spinlock_lock(&.thread_id_lock);
		
		if (.thread_id == 0) {
			
			//
			// Save the thread id for the SYSRET event
			//
			.thread_id = $tid;
			
			//
			// Show the parameters
			//
			printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n", $tid, @rax, @rcx, @rdx, @r8, @r9);
			
		}
		
		spinlock_unlock(&.thread_id_lock);
	}

_____________________________________________________________
? .script c:\users\sina\desktop\script.ds 1240 55

----------------------------------
?
----------------------------------
.script
----------------------------------
c:\users\sina\desktop\script.ds
----------------------------------
1240
----------------------------------
55
_____________________________________________________________
HyperDbg> !epthook fffff805`5cdb2030 script { print(@r8); }

----------------------------------
HyperDbg>
----------------------------------
!epthook
----------------------------------
fffff805`5cdb2030
----------------------------------
script
----------------------------------
 print(@r8); 
_____________________________________________________________
!syscall pid 1c38 script {

	printf("Syscall number : %llx\n", @rax);
	
	if ($context == 0x55) {
		pause();
	}

}

----------------------------------
!syscall
----------------------------------
pid
----------------------------------
1c38
----------------------------------
script
----------------------------------


	printf("Syscall number : %llx\n", @rax);
	
	if ($context == 0x55) {
		pause();
	}


_____________________________________________________________
.thread_intercept_thread = 0;

!sysret script {
	if ($tid == 60c && .thread_intercept_thread == 1) {
		.thread_intercept_thread = 0;
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		@rax = 0xC0000005;
		printf("[%llx] result of syscall changed to : %llx\n", $tid, @rax);

	}
}

!syscall script { 
	if ($tid == 60c && @rax == 0x55) {		
		.thread_intercept_thread = 1;
		printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n",
		         $tid, @rax, @rcx, @rdx, @r8, @r9);	
	}
}


----------------------------------
.thread_intercept_thread
----------------------------------
=
----------------------------------
0;

!sysret
----------------------------------
script
----------------------------------

	if ($tid == 60c && .thread_intercept_thread == 1) {
		.thread_intercept_thread = 0;
		printf("[%llx] result of syscall: %llx\n", $tid, @rax);
		
		@rax = 0xC0000005;
		printf("[%llx] result of syscall changed to : %llx\n", $tid, @rax);

	}

----------------------------------
!syscall
----------------------------------
script
----------------------------------
 
	if ($tid == 60c && @rax == 0x55) {		
		.thread_intercept_thread = 1;
		printf("[%llx] syscall num: %llx, arg1: %llx, arg2: %llx, arg3: %llx, arg4: %llx\n",
		         $tid, @rax, @rcx, @rdx, @r8, @r9);	
	}

_____________________________________________________________
# Address of test variable: 7ff7f6ba8210 | pid: 2a0c


!monitor w 7ff7f6ba8210 7ff7f6ba8210+4 stage all pid 2a0c script {

	if ($stage == 1) {
		
		//
		// Called after the memory modification 
		//
		final_val = dq($context);
		
		printf(" final value is: %d\n", final_val);
	
	}
	else {
	
		//
		// Called before the memory modification 
		//
		prev_val = dq($context);
		printf(" previous value is: %d", prev_val);
	}
}



!monitor w 7ff7f6ba8210 7ff7f6ba8210+4 stage all pid 2a0c script {

	if ($stage == 1) {
		
		//
		// Called after the memory modification 
		//
		final_val = dq($context);
		
		printf(" final value is: %d\n", final_val);
		
		if (final_val != 0 && final_val % 0n10 == 0) {
			
			//
			// Reset the value
			//
			eq($context, 0x0);
			
			printf("reset\n");
		
		}
	
	}
	else {
	
		//
		// Called before the memory modification 
		//
		prev_val = dq($context);
		printf(" previous value is: %d", prev_val);
	}
}

----------------------------------
#
----------------------------------
Address
----------------------------------
of
----------------------------------
test
----------------------------------
variable:
----------------------------------
7ff7f6ba8210
----------------------------------
|
----------------------------------
pid:
----------------------------------
2a0c


!monitor
----------------------------------
w
----------------------------------
7ff7f6ba8210
----------------------------------
7ff7f6ba8210+4
----------------------------------
stage
----------------------------------
all
----------------------------------
pid
----------------------------------
2a0c
----------------------------------
script
----------------------------------


	if ($stage == 1) {
		
		//
		// Called after the memory modification 
		//
		final_val = dq($context);
		
		printf(" final value is: %d\n", final_val);
	
	}
	else {
	
		//
		// Called before the memory modification 
		//
		prev_val = dq($context);
		printf(" previous value is: %d", prev_val);
	}

----------------------------------
!monitor
----------------------------------
w
----------------------------------
7ff7f6ba8210
----------------------------------
7ff7f6ba8210+4
----------------------------------
stage
----------------------------------
all
----------------------------------
pid
----------------------------------
2a0c
----------------------------------
script
----------------------------------


	if ($stage == 1) {
		
		//
		// Called after the memory modification 
		//
		final_val = dq($context);
		
		printf(" final value is: %d\n", final_val);
		
		if (final_val != 0 && final_val % 0n10 == 0) {
			
			//
			// Reset the value
			//
			eq($context, 0x0);
			
			printf("reset\n");
		
		}
	
	}
	else {
	
		//
		// Called before the memory modification 
		//
		prev_val = dq($context);
		printf(" previous value is: %d", prev_val);
	}

_____________________________________________________________
!cpuid 1 script {

	//
	// Invalid supporting details
	//
	
	@eax = 0;
	
	@ebx = 0;
	@ecx = 0;
	@edx = 0;
	
	event_sc(1);
}

!cpuid 2 script {

	//
	// Invalid supporting details
	//
	
	@eax = 0;
	
	@ebx = 0;
	@ecx = 0;
	@edx = 0;
	
	event_sc(2);
}


----------------------------------
!cpuid
----------------------------------
1
----------------------------------
script
----------------------------------


	//
	// Invalid supporting details
	//
	
	@eax = 0;
	
	@ebx = 0;
	@ecx = 0;
	@edx = 0;
	
	event_sc(1);

----------------------------------
!cpuid
----------------------------------
2
----------------------------------
script
----------------------------------


	//
	// Invalid supporting details
	//
	
	@eax = 0;
	
	@ebx = 0;
	@ecx = 0;
	@edx = 0;
	
	event_sc(2);

_____________________________________________________________
!exception 0xe script { 
	   printf("page-fault in process : %s, pid: %x, addr: %llx\n", $pname, $pid, @cr2);
}

!interrupt d1 script {
	printf("core: %x, rip: %llx, %x\n", $core, @rip, $pid );
}

----------------------------------
!exception
----------------------------------
0xe
----------------------------------
script
----------------------------------
 
	   printf("page-fault in process : %s, pid: %x, addr: %llx\n", $pname, $pid, @cr2);

----------------------------------
!interrupt
----------------------------------
d1
----------------------------------
script
----------------------------------

	printf("core: %x, rip: %llx, %x\n", $core, @rip, $pid );

_____________________________________________________________
{

	if (@rip & 0xff000000`00000000) {
		printf("clk interrupt received at the kernel: %llx\n", @rip);
	}
	else{
		pause();
	}
}!interrupt d1 pid 0x2748 script script {

	if (@rip & 0xff000000`00000000) {
		printf("clk interrupt received at the kernel: %llx\n", @rip);
	}
	else{
		pause();
	}
}


----------------------------------


	if (@rip & 0xff000000`00000000) {
		printf("clk interrupt received at the kernel: %llx\n", @rip);
	}
	else{
		pause();
	}

----------------------------------
!interrupt
----------------------------------
d1
----------------------------------
pid
----------------------------------
0x2748
----------------------------------
script
----------------------------------
script
----------------------------------


	if (@rip & 0xff000000`00000000) {
		printf("clk interrupt received at the kernel: %llx\n", @rip);
	}
	else{
		pause();
	}

_____________________________________________________________
!syscall pid 0x16fc script {{}{}{}{{{}}}

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			pause();
		}

	}
}


----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------
{}{}{}{{{}}}

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			pause();
		}

	}

_____________________________________________________________
!syscall pid 0x16fc script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			printf("Ip address is : %x\n", ip_addr);
			
			
			
		}

	}
}

----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			printf("Ip address is : %x\n", ip_addr);
			
			
			
		}

	}

_____________________________________________________________
? {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			
			printf("Port address is : %d \n", port_num);
			
		}

	}

}

----------------------------------
?
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			
			printf("Port address is : %d \n", port_num);
			
		}

	}


_____________________________________________________________
? {
	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			printf("Ip address is : %x\n", ip_addr);
			
			printf("Ip address is : %d.%d.%d.%d\n", (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff));
			
			
		}

	}
}

----------------------------------
?
----------------------------------

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			printf("Ip address is : %x\n", ip_addr);
			
			printf("Ip address is : %d.%d.%d.%d\n", (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff));
			
			
		}

	}

_____________________________________________________________
!syscall pid 0x16fc script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Ip address is : %d.%d.%d.%d:%d\n", (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff),port_num );
			
			
		}

	}

}

----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Ip address is : %d.%d.%d.%d:%d\n", (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff),port_num );
			
			
		}

	}


_____________________________________________________________
!syscall script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Process Id: %x, Process name: %s ====> Connects to Ip address: %d.%d.%d.%d:%d\n", $pid, $pname, (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff), port_num);
			
		}
	}
}

----------------------------------
!syscall
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Process Id: %x, Process name: %s ====> Connects to Ip address: %d.%d.%d.%d:%d\n", $pid, $pname, (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff), port_num);
			
		}
	}

_____________________________________________________________
!syscall pid 0x16fc script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			pause();

		}
	}
}


----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			pause();

		}
	}

_____________________________________________________________
!syscall pid 0x16fc script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i< buffer_len;i++) {
				printf(" %x", db(poi(poi(@rsp+38))+8)+i));
			}

		}
	}
}

----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i< buffer_len;i++) {
				printf(" %x", db(poi(poi(@rsp+38))+8)+i));
			}

		}
	}

_____________________________________________________________
!syscall pid 0x16fc script {
	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			
			
			printf("\n\n=============={}{}{}{P}{{{{{{\}}}}=============================================================\n");
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i < buffer_len;i++) {
				printf(" %x", db(poi(poi(poi(@rsp+38))+8)+i));
			}

		}
	}
}

----------------------------------
!syscall
----------------------------------
pid
----------------------------------
0x16fc
----------------------------------
script
----------------------------------

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			
			
			printf("\n\n=============={}{}{}{P}{{{{{{\}}}}=============================================================\n");
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i < buffer_len;i++) {
				printf(" %x", db(poi(poi(poi(@rsp+38))+8)+i));
			}

		}
	}

_____________________________________________________________
!syscall script {
	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			
			
			printf("\n\n===========================================================================\n");
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i < buffer_len;i++) {
				printf(" %x", db(poi(poi(poi(@rsp+38))+8)+i));
			}

		}
	}
}

----------------------------------
!syscall
----------------------------------
script
----------------------------------

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x1201F) {
		
			buffer_len = dq(poi(poi(@rsp+38)));
			
			
			printf("\n\n===========================================================================\n");
			printf("Packet buffer is: %s\n", dq(poi(poi(@rsp+38))+8));
			
			for (i = 0; i < buffer_len;i++) {
				printf(" %x", db(poi(poi(poi(@rsp+38))+8)+i));
			}

		}
	}

_____________________________________________________________
syscall pid @arg1 script {

	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Process Id: %x, Process name: %s ====> Connects to Ip address: %d.%d.%d.%d:%d\n", $pid, $pname, (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff), port_num);
			
		}
	}
}

----------------------------------
syscall
----------------------------------
pid
----------------------------------
@arg1
----------------------------------
script
----------------------------------


	if (@rax == 0x7) {
	
		if (dd(@rsp + 30) == 0x12007) {
		
			port_num_value_high = db(poi(rsp+38)+1a);
			port_num_value_low = db(poi(rsp+38)+1b);
			
			port_num = 0;
			port_num = port_num_value_high << 0n8 | port_num_value_low;
			
			//printf("Port address is : %d \n", port_num);
			
			part0 = db(poi(@rsp+38) + 1c);
			part1 = db(poi(@rsp+38) + 1d);
			part2 = db(poi(@rsp+38) + 1e);
			part3 = db(poi(@rsp+38) + 1f);
			
			part0 = part0 << 0n24;
			part1 = part1 << 0n16;
			part2 = part2 << 0n8;
			part3 = part3 << 0n0;
			
			ip_addr = part0 | part1 | part2 | part3;
			
			// printf("Ip address is : %x\n", ip_addr);
			
			printf("Process Id: %x, Process name: %s ====> Connects to Ip address: %d.%d.%d.%d:%d\n", $pid, $pname, (ip_addr & 0xff000000) >> 0n24, (ip_addr & 0x00ff0000) >> 0n16, (ip_addr & 0x0000ff00) >> 0n8, (ip_addr & 0x000000ff), port_num);
			
		}
	}

_____________________________________________________________
!msrread c0000082 script {

	//
	// Fill the EDX:EAX
	//
	@rdx = f0f0f0f0;
	@rax = 10203040;
	
	event_sc(1);
	
	printf("%llx is read!\n", @rcx);

}


----------------------------------
!msrread
----------------------------------
c0000082
----------------------------------
script
----------------------------------


	//
	// Fill the EDX:EAX
	//
	@rdx = f0f0f0f0;
	@rax = 10203040;
	
	event_sc(1);
	
	printf("%llx is read!\n", @rcx);


_____________________________________________________________
!epthook nt!DbgBreakPointWithStatus script {

	@rip = poi(@rsp); // pop the return address from stack
	@rsp = @rsp + 8; // adjust the stack {{{}}}{}{}{}{}
	
	printf("nt!DbgBreakPointWithStatus is ignored.\n");

}


----------------------------------
!epthook
----------------------------------
nt!DbgBreakPointWithStatus
----------------------------------
script
----------------------------------


	@rip = poi(@rsp); // pop the return address from stack
	@rsp = @rsp + 8; // adjust the stack {{{}}}{}{}{}{}
	
	printf("nt!DbgBreakPointWithStatus is ignored.\n");


_____________________________________________________________
!monitor rw ffffc105`a506b0a8 ffffc105`a506b0a8+7 script {
	if (@rip != nt!SwapContext+0x25b && @rip != nt!KiStackAttachProcess+0x1b5 && @rip != nt!KiDetachProcess+0x184) {
		pause();
	}
}

----------------------------------
!monitor
----------------------------------
rw
----------------------------------
ffffc105`a506b0a8
----------------------------------
ffffc105`a506b0a8+7
----------------------------------
script
----------------------------------

	if (@rip != nt!SwapContext+0x25b && @rip != nt!KiStackAttachProcess+0x1b5 && @rip != nt!KiDetachProcess+0x184) {
		pause();
	}

_____________________________________________________________
!epthook kdnet!KdSendPacket script {


	printf("\n------------------------------------------------------------------------\n");
	printf("PacketType: %llx, FirstBuffer: %llx, SecondBuffer: %llx, KdContext: %llx\n", @rcx, @rdx, @r8, @r9);
	
	byte_len = 100;
	
	for (i = 0; i <= byte_len;i++) {
		
		if (dq(@rdx + i) == ffffc105a50f0080) {
			pause();
		}
	}
		
	for (i = 0; i <= byte_len;i++) {
		
		if (dq(@r8 + i) == ffffc105a50f0080) {
			pause();
		}
	}
}

----------------------------------
!epthook
----------------------------------
kdnet!KdSendPacket
----------------------------------
script
----------------------------------



	printf("\n------------------------------------------------------------------------\n");
	printf("PacketType: %llx, FirstBuffer: %llx, SecondBuffer: %llx, KdContext: %llx\n", @rcx, @rdx, @r8, @r9);
	
	byte_len = 100;
	
	for (i = 0; i <= byte_len;i++) {
		
		if (dq(@rdx + i) == ffffc105a50f0080) {
			pause();
		}
	}
		
	for (i = 0; i <= byte_len;i++) {
		
		if (dq(@r8 + i) == ffffc105a50f0080) {
			pause();
		}
	}

_____________________________________________________________
!epthook nt!MmDbgCopyMemory script {
	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}
}

!epthook nt!MiDbgCopyMemory script {
	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}
}
!epthook nt!MiCopyFromUntrustedMemory script {
	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}
}

----------------------------------
!epthook
----------------------------------
nt!MmDbgCopyMemory
----------------------------------
script
----------------------------------

	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}

----------------------------------
!epthook
----------------------------------
nt!MiDbgCopyMemory
----------------------------------
script
----------------------------------

	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}

----------------------------------
!epthook
----------------------------------
nt!MiCopyFromUntrustedMemory
----------------------------------
script
----------------------------------

	if (db(@rcx) == 0x4f && db(@rcx + 1) == 0x00 &&  db(@rcx + 2) == 0x6E ) {
		printf("nt!MmDbgCopyMemory is called form RIP: %llx, Address: %llx, And the string is : %ws\n", @rip, @rcx, @rcx);
	}

_____________________________________________________________
cmdBacktick "backtick preserve" {inside ticks}
----------------------------------
cmdBacktick
----------------------------------
backtick preserve
----------------------------------
inside ticks
_____________________________________________________________
!monitor rw $proc $proc+0xb80 script {
  printf("{ \"rip\": 0x%llx, \"context\": 0x%llx, \"buffer1\": \"%llx\", \"buffer2\": \"%llx\", \"inst_len\": 0x%x }\n", @rip, $context, dq(@rip), dq(@rip+8), disassemble_len(@rip));
}
----------------------------------
!monitor
----------------------------------
rw
----------------------------------
$proc
----------------------------------
$proc+0xb80
----------------------------------
script
----------------------------------

  printf("{ \"rip\": 0x%llx, \"context\": 0x%llx, \"buffer1\": \"%llx\", \"buffer2\": \"%llx\", \"inst_len\": 0x%x }\n", @rip, $context, dq(@rip), dq(@rip+8), disassemble_len(@rip));

_____________________________________________________________

.sympath "SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols"
----------------------------------
.sympath
----------------------------------
SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols
_____________________________________________________________
