public PE(DataProviderBase dataProvider, AddressBase addressSpace, ulong address)
{
_dataProvider = dataProvider;
_imageBaseVirtualAddress = address;
_kernelAddressSpace = addressSpace;
int marker = 0;
try
{
ulong alignedAddress = _imageBaseVirtualAddress & 0xfffffffff000;
ulong pAddr = _kernelAddressSpace.vtop(alignedAddress);
if (pAddr == 0)
{
throw new ArgumentException("Error mapping virtual address 0x" + alignedAddress.ToString("X08"));
}
byte[] buffer = dataProvider.ReadMemory(pAddr, 1);
GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
_dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_DOS_HEADER));
_valid = (_dosHeader.e_magic == 0x5a4d);
marker += (int)_dosHeader.e_lfanew;
UInt32 ntHeadersSignature = BitConverter.ToUInt32(buffer, marker);
if (ntHeadersSignature == 0x4550)
{
marker += 4;
_fileHeader = (IMAGE_FILE_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_FILE_HEADER));
marker += Marshal.SizeOf(_fileHeader);
if (Is32BitHeader)
{
_optionalHeader32 = (IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_OPTIONAL_HEADER32));
marker += Marshal.SizeOf(_optionalHeader32);
}
else
{
_optionalHeader64 = (IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_OPTIONAL_HEADER64));
marker += Marshal.SizeOf(_optionalHeader64);
}
_imageSectionHeaders = new IMAGE_SECTION_HEADER[_fileHeader.NumberOfSections];
for (int headerNo = 0; headerNo < _imageSectionHeaders.Length; ++headerNo)
{
_imageSectionHeaders[headerNo] = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_SECTION_HEADER));
marker += Marshal.SizeOf(_imageSectionHeaders[0]);
}
ulong debugVAddr = Is32BitHeader ? _optionalHeader32.Debug.VirtualAddress + _imageBaseVirtualAddress : _optionalHeader64.Debug.VirtualAddress + _imageBaseVirtualAddress;
pinnedPacket.Free();
pAddr = _kernelAddressSpace.vtop(debugVAddr, false);
buffer = dataProvider.ReadMemory(pAddr & 0xfffffffff000, 2);
pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IMAGE_DEBUG_DIRECTORY idd = (IMAGE_DEBUG_DIRECTORY)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, (int)(pAddr & 0xfff)), typeof(IMAGE_DEBUG_DIRECTORY));
_debugSectionOffset = idd.AddressOfRawData + _imageBaseVirtualAddress;
pinnedPacket.Free();
}
else
{
pinnedPacket.Free();
}
}
catch { }
}
public RSDS(DataProviderBase dataProvider, ulong offset)
{
try
{
ulong alignedAddress = offset & 0xfffffffff000;
byte[] buffer = dataProvider.ReadMemory(alignedAddress, 2);
GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
RSDS_HEADER rsds = (RSDS_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, (int)(offset - alignedAddress)), typeof(RSDS_HEADER));
pinnedPacket.Free();
_signature = System.Text.Encoding.UTF8.GetString(rsds.Signature);
_guid = new Guid(rsds.Guid);
_age = rsds.Age;
int marker = 24 + (int)(offset - alignedAddress);
char c = (char)buffer[marker];
while (c != 0 && marker < 0x2000)
{
_filename += c;
c = (char)buffer[++marker];
}
}
catch (Exception ex)
{
throw new ArgumentException("Error Creating RSDS: " + ex.Message);
}
}
public byte[] ReadData(ulong physicalMemory, uint count = 1)
{
try
{
byte[] buffer = _dataProvider.ReadMemory(physicalMemory, count);
return(buffer);
}
catch (Exception ex)
{
throw new ArgumentException("Error Reading Data - " + ex.Message);
}
}
public KUserSharedData(DataProviderBase dataProvider, Profile profile, ulong physicalAddress)
{
_dataProvider = dataProvider;
_profile = profile;
int structureSize = (int)_profile.GetStructureSize("_KUSER_SHARED_DATA");
if (structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _KUSER_SHARED_DATA");
}
// need to ix this if there is a likelyhood that the structure is bigger than a single page
// for now just be lazy and assume it';; fit into a single memory page.
if (structureSize > 4096)
{
throw new ArgumentException("Error - _KUSER_SHARED_DATA is larger than a single memory page");
}
_buffer = _dataProvider.ReadMemory(physicalAddress, 1);
}
public IEnumerable <Dictionary <string, List <ulong> > > Scan()
{
ulong filePointer = 0;
ulong bufferStart = 0;
ulong hitMarker = 0;
uint pages = 0;
byte[] dataBuffer = null;
foreach (var item in _dataProvider.MemoryRangeList)
{
filePointer = item.StartAddress;
bufferStart = item.StartAddress;
pages = item.PageCount;
uint pageBlockSize = 64;
if (pages < pageBlockSize)
{
pageBlockSize = pages;
}
while (pages > 0)
{
try
{
dataBuffer = _dataProvider.ReadMemory(bufferStart, pageBlockSize + 1);
hitMarker = bufferStart;
filePointer += (pageBlockSize * 0x1000);
bufferStart = filePointer - 0x1000; // read backwards one page
pages -= pageBlockSize;
if (pages < pageBlockSize)
{
pageBlockSize = pages;
}
}
catch
{
pages = 0;
continue;
}
foreach (string needle in _needleList)
{
List <ulong> hitList = new List <ulong>();
byte[] pattern = Encoding.UTF8.GetBytes(needle);
List <uint> result = IndexOfSequence(dataBuffer, pattern);
foreach (uint i in result)
{
hitList.Add(hitMarker + i);
}
if (hitList.Count > 0)
{
List <ulong> existingHitList;
if (_hitListDict.TryGetValue(needle, out existingHitList))
{
foreach (ulong l in hitList)
{
existingHitList.Add(l);
}
}
else
{
_hitListDict.Add(needle, hitList);
}
yield return(_hitListDict);
_hitListDict.Clear();
}
}
}
}
}
