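        /// <summary>
        /// Reads the structure named <paramref name="name"/> out of the target's memory into
        /// <c>_buffer</c> and marshals those bytes into the profile's generated CLR type,
        /// which is stored in <c>_members</c>.
        /// </summary>
        /// <param name="name">Profile structure name; leading underscores are stripped to form
        /// the generated type name under the <c>liveforensics</c> namespace.</param>
        /// <exception cref="ArgumentException">The profile has no definition for
        /// <paramref name="name"/>, the memory read failed, the generated type cannot be
        /// located, or the marshalled type is larger than the bytes that were read.</exception>
        protected void Overlay(string name)
        {
            string shorterVersion = name.TrimStart('_');

            _is64          = (_profile.Architecture == "AMD64");
            _addressSpace  = _dataProvider.ActiveAddressSpace;
            _structureSize = (int)_profile.GetStructureSize(name);
            if (_structureSize == -1)
            {
                throw new ArgumentException("Error: Profile didn't contain a definition for " + name);
            }
            if (_virtualAddress == 0)
            {
                // No virtual address: the caller supplied a physical address directly.
                _buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
            }
            else
            {
                _physicalAddress = _addressSpace.vtop(_virtualAddress);
                _buffer          = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
            }
            if (_buffer == null)
            {
                throw new ArgumentException("Invalid address " + _virtualAddress.ToString("x12"));
            }
            var  dll = _profile.GetStructureAssembly(name);
            Type t   = dll.GetType("liveforensics." + shorterVersion);
            if (t == null)
            {
                throw new ArgumentException("Error: Structure assembly didn't contain a type for " + shorterVersion);
            }
            // The marshalled layout comes from the generated assembly while the byte count comes
            // from the profile's size table. If they disagree, PtrToStructure would read past the
            // end of the pinned buffer, so refuse instead of marshalling out-of-bounds memory.
            if (Marshal.SizeOf(t) > _buffer.Length)
            {
                throw new ArgumentException("Error: Marshalled size of " + shorterVersion + " exceeds the " + _buffer.Length + " bytes read");
            }
            GCHandle pinnedBuffer = GCHandle.Alloc(_buffer, GCHandleType.Pinned);
            try
            {
                _members = Marshal.PtrToStructure(pinnedBuffer.AddrOfPinnedObject(), t);
            }
            finally
            {
                // Release the pin even when marshalling throws; otherwise the handle leaks and
                // the buffer stays pinned for the life of the process.
                pinnedBuffer.Free();
            }
        }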
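        /// <summary>
        /// Walks one 4 KiB page of a kernel handle table and collects every valid
        /// <see cref="HandleTableEntry"/> found beneath it.
        /// </summary>
        /// <param name="virtualAddress">Virtual address of the table page to read.</param>
        /// <param name="level">Table depth. Zero means the page holds handle entries; any higher
        /// value means it holds pointers to pages one level down, which are walked recursively.</param>
        /// <param name="handleAddress">Index assigned to the first entry of this page; incremented
        /// once per entry slot.</param>
        /// <returns>The valid entries found, or <c>null</c> when the page could not be read in full.</returns>
        protected List <HandleTableEntry> MakeHandleArray(ulong virtualAddress, uint level, int handleAddress = 0)
        {
            const int PageSize = 0x1000;
            List <HandleTableEntry> results = new List <HandleTableEntry>();

            byte[] buffer = _dataProvider.ReadMemoryBlock(virtualAddress, PageSize);
            // A short read would make the fixed-stride Array.Copy / BitConverter calls below
            // throw, so treat it the same as an unreadable page.
            if (buffer == null || buffer.Length < PageSize)
            {
                return(null);
            }

            if (level == 0)
            {
                // if level is zero then we have an array of handle entries
                int    count     = _isx64 ? 256 : 512;
                int    entrySize = PageSize / count;
                // NOTE(review): transfer is reused for every entry; this assumes the
                // HandleTableEntry constructor fully consumes the bytes rather than keeping
                // a reference to the array — confirm against that constructor.
                byte[] transfer  = new byte[entrySize];
                for (int i = 0; i < count; i++)
                {
                    Array.Copy(buffer, entrySize * i, transfer, 0, entrySize);
                    HandleTableEntry hte = new HandleTableEntry(_profile, transfer, handleAddress);
                    if (hte.IsValid)
                    {
                        results.Add(hte);
                    }
                    handleAddress++;
                }
            }
            else
            {
                // otherwise we have an array of pointers to more handle index pages
                int count = _isx64 ? 512 : 1024;
                for (int i = 0; i < count; i++)
                {
                    // On x64 only the low 48 bits of each slot are kept; the upper bits are
                    // masked off (presumably flag/tag bits — not verified here).
                    ulong ptr = _isx64 ? (BitConverter.ToUInt64(buffer, i * 8) & 0xffffffffffff) : BitConverter.ToUInt32(buffer, i * 4);
                    if (ptr == 0)
                    {
                        continue;
                    }
                    List <HandleTableEntry> partialResults = MakeHandleArray(ptr, level - 1, i * count / 2);
                    // A sub-page that could not be read yields null; skip it rather than
                    // dereferencing it in the enumeration below.
                    if (partialResults == null)
                    {
                        continue;
                    }
                    results.AddRange(partialResults);
                }
            }
            return(results);
        }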
 /// <summary>
 /// Builds a <c>_HANDLE_TABLE_ENTRY</c> view over the bytes at
 /// <paramref name="virtualAddress"/> and parses them immediately via <c>Parse()</c>.
 /// </summary>
 /// <param name="profile">Profile supplying the architecture name and structure sizes.</param>
 /// <param name="dataProvider">Memory source the entry bytes are read from.</param>
 /// <param name="virtualAddress">Virtual address of the entry; must be non-zero.</param>
 /// <param name="index">Accepted for signature compatibility; not referenced by this constructor
 /// nor forwarded to the base constructor.</param>
 /// <exception cref="ArgumentException">The address is zero, the profile lacks a
 /// <c>_HANDLE_TABLE_ENTRY</c> definition, or the memory read returned nothing.</exception>
 public HandleTableEntry(Profile profile, DataProviderBase dataProvider, ulong virtualAddress, int index) : base(profile, dataProvider, virtualAddress)
 {
     _is64 = string.Equals(_profile.Architecture, "AMD64", StringComparison.Ordinal);

     // Guard clauses, in the same order as before so the same failure raises the same message.
     if (_virtualAddress == 0)
     {
         throw new ArgumentException("Error - Offset is ZERO for _HANDLE_TABLE_ENTRY");
     }

     _structureSize = _profile.GetStructureSize("_HANDLE_TABLE_ENTRY");
     if (_structureSize == -1)
     {
         throw new ArgumentException("Error - Profile didn't contain a definition for _HANDLE_TABLE_ENTRY");
     }

     _buffer = dataProvider.ReadMemoryBlock(virtualAddress, (uint)_structureSize);
     if (_buffer is null)
     {
         throw new ArgumentException("Error - Invalid Virtual Address");
     }

     Parse();
 }