Beispiel #1
0
        /// <summary>
        /// Resolves the address of an address, pointer, or managed object.
        /// </summary>
        /// <returns>The base address of this object.</returns>
        protected override IntPtr ResolveAddress()
        {
            IntPtr  pointer        = AddressResolver.GetInstance().ResolveModule(this.ModuleName);
            Boolean successReading = true;

            pointer = pointer.Add(this.ModuleOffset);

            if (this.PointerOffsets == null || this.PointerOffsets.Count() == 0)
            {
                return(pointer);
            }

            foreach (Int32 offset in this.PointerOffsets)
            {
                if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
                {
                    pointer = EngineCore.GetInstance().VirtualMemory.Read <Int32>(pointer, out successReading).ToIntPtr();
                }
                else
                {
                    pointer = EngineCore.GetInstance().VirtualMemory.Read <Int64>(pointer, out successReading).ToIntPtr();
                }

                if (pointer == IntPtr.Zero || !successReading)
                {
                    pointer = IntPtr.Zero;
                    break;
                }

                pointer = pointer.Add(offset);
            }

            return(pointer);
        }
Beispiel #2
0
        /// <summary>
        /// Loads the instructions to display.
        /// </summary>
        private void LoadInstructions()
        {
            Byte[] bytes = EngineCore.GetInstance().VirtualMemory.ReadBytes(this.BaseAddress.ToIntPtr(), 200, out _);

            if (bytes.IsNullOrEmpty())
            {
                return;
            }

            Boolean isProcess32Bit = EngineCore.GetInstance().Processes.IsOpenedProcess32Bit();

            // Disassemble instructions
            IEnumerable <NormalizedInstruction> disassembledInstructions = this.Disassembler.Disassemble(bytes, isProcess32Bit, this.BaseAddress.ToIntPtr());
            IList <InstructionItem>             instructions             = new List <InstructionItem>();

            foreach (NormalizedInstruction disassembledInstruction in disassembledInstructions)
            {
                String moduleName;
                UInt64 address = AddressResolver.GetInstance().AddressToModule(disassembledInstruction.Address, out moduleName);

                instructions.Add(new InstructionItem(address.ToIntPtr(), moduleName, disassembledInstruction.Instruction, disassembledInstruction.Bytes));
            }

            this.Instructions = new FullyObservableCollection <InstructionItem>(instructions);
        }
        /// <summary>
        /// Loads the results for the current page.
        /// </summary>
        private void LoadScanResults()
        {
            Snapshot           snapshot     = SnapshotManagerViewModel.GetInstance().GetSnapshot(SnapshotManagerViewModel.SnapshotRetrievalMode.FromActiveSnapshot);
            IList <ScanResult> newAddresses = new List <ScanResult>();

            if (snapshot != null)
            {
                UInt64 startIndex = Math.Min(ScanResultsViewModel.PageSize * this.CurrentPage, snapshot.ElementCount);
                UInt64 endIndex   = Math.Min((ScanResultsViewModel.PageSize * this.CurrentPage) + ScanResultsViewModel.PageSize, snapshot.ElementCount);

                for (UInt64 index = startIndex; index < endIndex; index++)
                {
                    SnapshotElementIndexer element = snapshot[index];

                    String label = element.GetElementLabel() != null?element.GetElementLabel().ToString() : String.Empty;

                    Object currentValue  = element.HasCurrentValue() ? element.LoadCurrentValue() : null;
                    Object previousValue = element.HasPreviousValue() ? element.LoadPreviousValue() : null;

                    String moduleName;
                    UInt64 address = AddressResolver.GetInstance().AddressToModule(element.BaseAddress, out moduleName);

                    PointerItem pointerItem = new PointerItem(baseAddress: address.ToIntPtr(), dataType: this.ActiveType, moduleName: moduleName, value: currentValue);
                    newAddresses.Add(new ScanResult(pointerItem, previousValue, label));
                }
            }

            this.Addresses = new FullyObservableCollection <ScanResult>(newAddresses);

            // Ensure results are visible
            this.IsVisible  = true;
            this.IsSelected = true;
            this.IsActive   = true;
        }
        /// <summary>
        /// Starts useful services that run in the background to assist in various operations.
        /// </summary>
        private void StartBackgroundServices()
        {
            SnapshotPrefilterFactory.GetSnapshotPrefilter(typeof(ChunkLinkedListPrefilter)).BeginPrefilter();
            //// PointerCollector.GetInstance().Begin();
            DotNetObjectCollector.GetInstance().Begin();
            AddressResolver.GetInstance().Begin();

            OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Info, "Background Services Started");
        }
Beispiel #5
0
        /// <summary>
        /// Starts useful services that run in the background to assist in various operations.
        /// </summary>
        private void StartBackgroundServices()
        {
            DotNetObjectCollector.GetInstance().Start();
            AddressResolver.GetInstance().Start();
            AnalyticsService.GetInstance().Start();

            AnalyticsService.GetInstance().SendEvent(AnalyticsService.AnalyticsAction.General, "Start");
            OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Info, "Background services started");
        }
        /// <summary>
        /// Resolves the address of an address, pointer, or managed object.
        /// </summary>
        /// <returns>The base address of this object.</returns>
        public IntPtr ResolveAddress()
        {
            IntPtr  pointer        = IntPtr.Zero;
            Boolean successReading = true;

            switch (this.ResolveType)
            {
            case AddressResolver.ResolveTypeEnum.Module:
                pointer = AddressResolver.GetInstance().ResolveModule(this.BaseIdentifier);
                break;

            case AddressResolver.ResolveTypeEnum.GlobalKeyword:
                pointer = AddressResolver.GetInstance().ResolveGlobalKeyword(this.BaseIdentifier);
                break;

            case AddressResolver.ResolveTypeEnum.DotNet:
                pointer = AddressResolver.GetInstance().ResolveDotNetObject(this.BaseIdentifier);
                break;
            }

            pointer = pointer.Add(this.BaseAddress);

            if (this.Offsets == null || this.Offsets.Count() == 0)
            {
                return(pointer);
            }

            foreach (Int32 offset in this.Offsets)
            {
                if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
                {
                    pointer = EngineCore.GetInstance().OperatingSystemAdapter.Read <Int32>(pointer, out successReading).ToIntPtr();
                }
                else
                {
                    pointer = EngineCore.GetInstance().OperatingSystemAdapter.Read <Int64>(pointer, out successReading).ToIntPtr();
                }

                pointer = pointer.Add(offset);

                if (pointer == IntPtr.Zero || !successReading)
                {
                    pointer = IntPtr.Zero;
                    break;
                }
            }

            return(pointer);
        }
Beispiel #7
0
        /// <summary>
        /// Enumerates the pointers of the specified pointer branch.
        /// </summary>
        /// <param name="baseAddress">The current base address.</param>
        /// <param name="offsets">The offsets leading to this branch.</param>
        /// <param name="branch">The current branch.</param>
        /// <param name="pointerIndicies">The indicies at which to return non-null values.</param>
        /// <returns>The full pointer path to the branch.</returns>
        private IEnumerable <PointerItem> EnumerateBranches(UInt64 baseAddress, Stack <Int32> offsets, PointerBranch branch, PointerIndicies pointerIndicies)
        {
            offsets.Push(branch.Offset);

            // End index reached
            if (pointerIndicies.Finished)
            {
                yield break;
            }

            if (branch.Branches.Count <= 0)
            {
                PointerItem pointerItem;

                // Only create pointer items when in the range of the selection indicies. This is an optimization to prevent creating unneeded objects.
                if (pointerIndicies.IterateNext())
                {
                    String moduleName;
                    UInt64 address = AddressResolver.GetInstance().AddressToModule(baseAddress, out moduleName);
                    pointerItem = new PointerItem(address.ToIntPtr(), DataTypes.Int32, "New Pointer", moduleName, offsets.ToArray().Reverse());
                }
                else
                {
                    pointerItem = null;
                }

                yield return(pointerItem);
            }
            else
            {
                foreach (PointerBranch childBranch in branch)
                {
                    foreach (PointerItem pointerItem in this.EnumerateBranches(baseAddress, offsets, childBranch, pointerIndicies))
                    {
                        yield return(pointerItem);
                    }
                }
            }

            offsets.Pop();
        }
 protected override IntPtr ResolveAddress()
 {
     return(AddressResolver.GetInstance().ResolveModule(this.ModuleName).Add(this.ModuleOffset));
 }
Beispiel #9
0
 /// <summary>
 /// Resolves the address of this object.
 /// </summary>
 /// <returns>The base address of this object.</returns>
 protected override UInt64 ResolveAddress()
 {
     return(AddressResolver.GetInstance().ResolveDotNetObject(this.Identifier));
 }