For more information on a specific command, type `help COMMAND`.
All the commands are case-sensitive.

--------------------------------------------------------------------------------
exit - Quits the Controller, ending all connected clients.
----------
Quits the Controller, ending all connected clients.

    exit

--------------------------------------------------------------------------------
listen - Starts to listen for clients.
----------
Starts to listen for clients and displays the addresses being listened on.

    listen [--ipv6] [PORT]

    --ipv6      Listens on IPv6 interfaces, instead of IPv4 ones.
    PORT        The listening port. Defaults to 31415.

This command may successfully execute only once; any subsequent call will fail.

--------------------------------------------------------------------------------
target - Gets or sets the target client.
----------
Gets or sets the target client.

    target [ID]
    target --doll
    target --monitor

    ID          The new target client's ID.
                If omitted, displays a list of connected clients.
    --doll      Sets the target to the last targeted Doll client.
    --monitor   Sets the target to the last targeted Monitor client.

--------------------------------------------------------------------------------
load - Executes commands from a script.
----------
Executes commands from a script.

    load SCRIPT [ARGUMENTS ...]

    SCRIPT      The script file to execute.
                If enclosed in double-quotes, SCRIPT is treated as a path;
                otherwise, SCRIPT is the name (w/ or w/o extension) of a
                script in the "Scripts" folder (preferred) or the
                "Scripts\API" folder.
    ARGUMENTS   Arguments passed to the script.
                The arguments will be inserted into any command in the
                script, given the command ends with a single `*`.

--------------------------------------------------------------------------------
help - Provides help information for commands.
----------
Provides help information for commands.

    help [COMMAND]

    COMMAND     Displays help information for command COMMAND.
                If omitted, displays a list of available commands.

--------------------------------------------------------------------------------
rem - Records comments (remarks) in a script file.
----------
Records comments (remarks) in a script file.

    rem [...]
    #[...]

--------------------------------------------------------------------------------
end - (M/D) Ends the client, stopping its process.
----------
Ends the client, stopping its process.

    end

--------------------------------------------------------------------------------
doll - (M) Creates a new Doll client.
----------
Creates a new Doll client by creating or attaching to a process.

    doll CMDLINE
    doll --attach PID

    CMDLINE     Creates a new process by running CMDLINE.
    PID         Attaches to process PID.
                Use `ps` to get the list of available PIDs.

--------------------------------------------------------------------------------
shell - (M) Starts an instance of the command interpreter.
----------
Starts an instance of the command interpreter (%COMSPEC%, usually CMD.EXE).

    shell [ARGUMENTS ...]

    ARGUMENTS   Arguments passed to %COMSPEC%.

--------------------------------------------------------------------------------
kill - (M) Terminates process(es) with PID or name.
----------
Terminates process(es) with PID or name.

    kill PID
    kill --all NAME

    PID         The PID of the process to be terminated.
                Use `ps` to get the list of available PIDs.
    NAME        Terminates all processes with name NAME.

--------------------------------------------------------------------------------
ps - (M) Displays a list of running processes.
----------
Displays a list of running processes.

    ps

--------------------------------------------------------------------------------
hook - (D) Installs a new hook and sets its actions.
----------
Installs a new hook and sets its actions.

    hook
    hook {[MODULE!]SYMBOL|0xADDR|*PATTERN} [--convention=CONVENTION]
         [--stack=STACK[,RETURN]] [--before [ACTION ...]]
         [--after [ACTION ...]]

Typing `hook` without any arguments displays a list of hooks.
Calling `hook` on an existing hook overwrites its convention and actions.

    MODULE      The target module to search for symbol SYMBOL.
                If omitted, defaults to the first module containing the
                symbol.
    SYMBOL      The function's symbol name (e.g. WinExec or kernel32!Sleep).
    ADDR        The function's virtual address (e.g. 0x401000).
    PATTERN     The hexadecimal pattern of the function
                (e.g. *8B4C240885D2).
    CONVENTION  The function's calling convention.
                Possible conventions are:
                    x86 client: stdcall(default), cdecl, fastcall
                    x64 client: msvc(default), gcc
    STACK       Count of bytes popped from the stack when the function
                returns. Defaults to 0.
    RETURN      The value to return on a Rejected verdict. Defaults to 0.
    ACTION      An action to perform on an activated hook.
                Possible actions are:
                    --echo=ECHO               - Display a string.
                    --dump=DUMPADDR,DUMPSIZE  - Dump data to storage.
                    --ctx=CTXKEY,CTXVALUE     - Add an entry to dictionary.
                    --verdict=VERDICT         - Set the default verdict.
                Actions may appear more than once.
    ECHO        A string, which may contain expressions, to be displayed.
    DUMPADDR    An expression that evaluates to a `uword` value, as the
                address.
    DUMPSIZE    An expression that evaluates to an integer value, as the
                size.
    CTXKEY      A string, which may contain expressions, as the key.
    CTXVALUE    A string, which may contain expressions, as the value.
    VERDICT     The verdict. Refer to `help verdict` for possible values.
                If omitted, the hook waits for user reply.

Expressions in the strings are formatted based on their values' type:

    Unsigned integers and `byte`s:  Zero-padded hexadecimal display.
    Signed integers and `sbyte`s:   Decimal display.
    Strings:                        String enclosed in double-quotes.
    `char`s:                        Character enclosed in quotes.
    `bool`s:                        "True" or "False", respectively.
    Array of above types:           Comma-separated formatted elements,
                                    enclosed in braces.
    Any other type:                 Triggers an evaluation error.

For help information on expressions, type `help eval`.

--------------------------------------------------------------------------------
unhook - (D) Uninstalls a hook.
----------
Uninstalls a hook.

    unhook ID

    ID          ID of the hook.

--------------------------------------------------------------------------------
break - (D) Breaks or continues the process's execution.
----------
Breaks or continues the process's execution.

    break

This command toggles the execution state between running and suspended.
A new Doll client is always put into the suspended state by libDoll.

--------------------------------------------------------------------------------
loaddll - (D) Loads a module into the process's address space.
----------
Loads a module into the process's address space.

    loaddll MODULE

    MODULE      The module path passed to LoadLibrary().

Internally, `loaddll` calls LoadLibrary() on a new thread.
Calling `loaddll` with libDoll has no effect, but must never be attempted.

--------------------------------------------------------------------------------
eval - (D) Evaluates an expression in the current context.
----------
Evaluates an expression in the current context.

    eval EXPR

    EXPR        The expression to be evaluated.

An "expression" is a C# expression enclosed in braces, e.g.

    {(uint)poi(ax)+4}

The types from the namespaces System, System.Linq and
System.Collections.Generic, along with the following methods and fields,
are provided:

    (type alias) word
        An integer of the native word size (`int` on x86 or `long` on x64).
    (type alias) uword
        Similar to `word` but unsigned (`uint` on x86 or `ulong` on x64).
    string str(uword PTR)
        Returns the C-style string PTR points to.
    string wstr(uword PTR)
        Returns the C-style wide-char string PTR points to.
    string ctx(string KEY)
        Returns the entry under key KEY in the context dictionary.
    byte[] mem(uword PTR, uint LEN)
        Returns a binary blob of length <= LEN that pointer PTR points to.
    uword poi(uword PTR)
        Returns the integer that pointer PTR points to, as a `uword`.
    uword arg(uint INDEX)
        Returns the value of the function argument at zero-based index INDEX.
    int dump(byte[] BLOB)
        Dumps BLOB, then returns the index of the dump entry.
    uword ax, cx, dx, bx, sp, bp, si, di, r8, r9
        The value of the corresponding register. Read-only.
        `r8` and `r9` are available only on an x64 client.

--------------------------------------------------------------------------------
dump - Displays or saves dumped data.
----------
Displays or saves dumped data.

    dump
    dump ID [--format=FORMAT] [--save=SAVEFILE]

Typing `hook` without any arguments displays a list of dumped data.

    ID          ID of the dump to operate on.
    FORMAT      Shows or saves data under FORMAT.
                Possible formats are:
                    hex(default), raw, ansi, unicode, utf8, 8086, x86, x64
    SAVEFILE    Saves the data to SAVEFILE instead of displaying it.
                SAVEFILE will be overwritten if it exists.

--------------------------------------------------------------------------------
verdict - (D) Issues a verdict on an activated hook.
----------
Issues a verdict on an activated hook.

    verdict {approve|reject|terminate}

    approve     Continue the execution.
    reject      Reject the call to the function and immediately return.
                Refer to `help hook` for information about stack balancing.
    terminate   Terminate the client process.

--------------------------------------------------------------------------------
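
The `hook` synopsis above packs a target form, options and two action phases into one line. The following parser for that grammar is an added example, not part of the tool or its documentation; `parse_target`, `parse_hook` and the sample line are constructed here, and shell-style tokenisation and whole-byte hex patterns are assumptions.

```python
import re
import shlex

# Conventions and action names as listed in the `hook` entry above.
CONVENTIONS = {"x86": ("stdcall", "cdecl", "fastcall"), "x64": ("msvc", "gcc")}
ACTIONS = ("echo", "dump", "ctx", "verdict")
# Constructed sample line, built only from the documented synopsis.
SAMPLE = 'hook kernel32!Sleep --stack=4 --before --echo="Sleep({arg(0)})" --verdict=approve'

def parse_target(tok):
    """Classify a hook target: 0xADDR, *PATTERN or [MODULE!]SYMBOL."""
    if re.fullmatch(r"0x[0-9A-Fa-f]+", tok):
        return {"kind": "address", "addr": int(tok, 16)}
    if tok.startswith("*"):
        # Assumption: a pattern is a whole number of hex-encoded bytes.
        if not re.fullmatch(r"\*(?:[0-9A-Fa-f]{2})+", tok):
            raise ValueError("bad PATTERN: " + tok)
        return {"kind": "pattern", "bytes": bytes.fromhex(tok[1:])}
    module, _, symbol = tok.rpartition("!")
    return {"kind": "symbol", "module": module or None, "symbol": symbol}

def parse_hook(line, arch="x86"):
    """Parse one `hook` line into target, convention, stack and actions."""
    toks = shlex.split(line)  # assumption: shell-like quoting of arguments
    if not toks or toks[0] != "hook":
        raise ValueError("not a hook command")
    if len(toks) == 1:
        return {"list": True}  # bare `hook` lists the installed hooks
    hook = {"target": parse_target(toks[1]), "convention": CONVENTIONS[arch][0],
            "stack": 0, "return": 0, "before": [], "after": []}
    phase = None
    for tok in toks[2:]:
        if not tok.startswith("--"):
            raise ValueError("unexpected token: " + tok)
        name, _, value = tok[2:].partition("=")
        if name in ("before", "after"):
            phase = name
        elif name in ACTIONS and phase:
            hook[phase].append((name, value))  # actions may repeat
        elif name == "convention" and value in CONVENTIONS[arch]:
            hook["convention"] = value
        elif name == "stack":
            stack, _, ret = value.partition(",")
            hook["stack"], hook["return"] = int(stack, 0), int(ret or "0", 0)
        else:
            raise ValueError("invalid option here: " + tok)
    return hook

if __name__ == "__main__":
    print(parse_hook(SAMPLE))
```

An action given before any `--before` or `--after`, or a convention that does not belong to the client's architecture, is rejected with `ValueError`.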