private void dumpMemoryMenuItem_Click(object sender, EventArgs e)
{
using (SaveFileDialog sfd = new SaveFileDialog
{
FileName = "Memory.bin",
Filter = "Binary Files (*.bin)|*.bin|All Files (*.*)|*.*"
})
{
if (sfd.ShowDialog() == DialogResult.OK)
{
try
{
using (ProcessHandle phandle = new ProcessHandle(_pid, ProcessAccess.VmRead))
using (FileHandle fhandle = FileHandle.CreateWin32(sfd.FileName, FileAccess.GenericWrite, FileShareMode.Read))
{
foreach (ListViewItem litem in listMemory.SelectedItems)
{
MemoryItem item = (MemoryItem)litem.Tag;
using (MemoryAlloc alloc = new MemoryAlloc((int)item.Size))
{
phandle.ReadMemory(item.Address, (IntPtr)alloc, (int)item.Size);
fhandle.Write(alloc.Memory, (int)item.Size);
}
}
}
}
catch (Exception ex)
{
PhUtils.ShowException("Unable to dump the selected memory regions", ex);
}
}
}
}
public MappedImage(string fileName, bool readOnly)
{
using (var fhandle = FileHandle.CreateWin32(
fileName,
readOnly ? (FileAccess.Execute | FileAccess.ReadAttributes | FileAccess.ReadData) :
(FileAccess.AppendData | FileAccess.Execute | FileAccess.ReadAttributes | FileAccess.ReadData | FileAccess.WriteAttributes | FileAccess.WriteData),
FileShareMode.Read,
FileCreationDispositionWin32.OpenExisting
))
this.MapAndLoad(fhandle, readOnly);
}
public MemoryFileSystem(string fileName, MfsOpenMode mode, bool readOnly, MfsParameters createParams)
{
FileCreationDispositionWin32 cdWin32;
if (readOnly && mode != MfsOpenMode.Open)
{
throw new ArgumentException("Invalid mode for read only access.");
}
switch (mode)
{
case MfsOpenMode.Open:
cdWin32 = FileCreationDispositionWin32.OpenExisting;
break;
default:
case MfsOpenMode.OpenIf:
cdWin32 = FileCreationDispositionWin32.OpenAlways;
break;
case MfsOpenMode.OverwriteIf:
cdWin32 = FileCreationDispositionWin32.CreateAlways;
break;
}
using (var fhandle = FileHandle.CreateWin32(
fileName,
FileAccess.GenericRead | (!readOnly ? FileAccess.GenericWrite : 0),
FileShareMode.Read,
cdWin32
))
{
bool justCreated = false;
_readOnly = readOnly;
_protection = !readOnly ? MemoryProtection.ReadWrite : MemoryProtection.ReadOnly;
if (fhandle.GetSize() == 0)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
else
{
// File is too small. Make it 1 byte large and we'll deal with it
// soon.
fhandle.SetEnd(1);
}
}
_section = new Section(fhandle, _protection);
_blockSize = MfsBlockSizeBase; // fake block size to begin with; we'll fix it up later.
if (fhandle.GetSize() < _blockSize)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
else
{
// We're creating a new file system. We need the correct block size
// now.
if (createParams != null)
{
_blockSize = createParams.BlockSize;
}
else
{
_blockSize = MfsDefaultBlockSize;
}
_section.Extend(_blockSize);
using (var view = _section.MapView(0, _blockSize, _protection))
this.InitializeFs((MfsFsHeader *)view.Memory, createParams);
justCreated = true;
}
}
_header = (MfsFsHeader *)this.ReferenceBlock(0);
// Check the magic.
if (_header->Magic != MfsMagic)
{
throw new MfsInvalidFileSystemException();
}
// Set up the local constants.
_blockSize = _header->BlockSize;
_cellSize = _header->CellSize;
// Backwards compatibility.
if (_blockSize == 0)
{
_blockSize = MfsDefaultBlockSize;
}
if (_cellSize == 0)
{
_cellSize = MfsDefaultCellSize;
}
// Validate the parameters.
this.ValidateFsParameters(_blockSize, _cellSize);
_blockMask = _blockSize - 1;
_cellCount = _blockSize / _cellSize;
_dataCellDataMaxLength = _cellSize - MfsDataCell.DataOffset;
// Remap block 0 with the correct block size.
this.DereferenceBlock(0);
// If we just created a new file system, fix the section size.
if (justCreated)
{
_section.Extend(_blockSize);
}
_header = (MfsFsHeader *)this.ReferenceBlock(0);
// Set up the root object.
_rootObject = (MfsObjectHeader *)((byte *)_header + _cellSize);
_rootObjectMo = new MemoryObject(this, _rootObjectCellId, true);
if (_header->NextFreeBlock != 1 && !readOnly)
{
ushort lastBlockId = (ushort)(_header->NextFreeBlock - 1);
this.ReferenceBlock(lastBlockId);
_cachedLastBlockView = _views[lastBlockId];
}
}
}
public static VerifyResult VerifyFile(string fileName)
{
VerifyResult result = VerifyResult.NoSignature;
using (MemoryAlloc strMem = new MemoryAlloc(fileName.Length * 2 + 2))
{
WintrustFileInfo fileInfo = new WintrustFileInfo();
strMem.WriteUnicodeString(0, fileName);
strMem.WriteByte(fileName.Length * 2, 0);
strMem.WriteByte(fileName.Length * 2 + 1, 0);
fileInfo.Size = Marshal.SizeOf(fileInfo);
fileInfo.FilePath = strMem;
WintrustData trustData = new WintrustData();
trustData.Size = 12 * 4;
trustData.UIChoice = 2; // WTD_UI_NONE
trustData.UnionChoice = 1; // WTD_CHOICE_FILE
trustData.RevocationChecks = WtRevocationChecks.None;
trustData.ProvFlags = WtProvFlags.Safer;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
trustData.ProvFlags |= WtProvFlags.CacheOnlyUrlRetrieval;
}
using (MemoryAlloc mem = new MemoryAlloc(fileInfo.Size))
{
Marshal.StructureToPtr(fileInfo, mem, false);
trustData.UnionData = mem;
uint winTrustResult = Win32.WinVerifyTrust(IntPtr.Zero, WintrustActionGenericVerifyV2, ref trustData);
result = StatusToVerifyResult(winTrustResult);
}
}
if (result == VerifyResult.NoSignature)
{
using (FileHandle sourceFile = FileHandle.CreateWin32(fileName, FileAccess.GenericRead, FileShareMode.Read,
FileCreationDispositionWin32.OpenExisting))
{
byte[] hash = new byte[256];
int hashLength = 256;
if (!Win32.CryptCATAdminCalcHashFromFileHandle(sourceFile, ref hashLength, hash, 0))
{
hash = new byte[hashLength];
if (!Win32.CryptCATAdminCalcHashFromFileHandle(sourceFile, ref hashLength, hash, 0))
{
return(VerifyResult.NoSignature);
}
}
StringBuilder memberTag = new StringBuilder(hashLength * 2);
for (int i = 0; i < hashLength; i++)
{
memberTag.Append(hash[i].ToString("X2"));
}
IntPtr catAdmin;
if (!Win32.CryptCATAdminAcquireContext(out catAdmin, DriverActionVerify, 0))
{
return(VerifyResult.NoSignature);
}
IntPtr catInfo = Win32.CryptCATAdminEnumCatalogFromHash(catAdmin, hash, hashLength, 0, IntPtr.Zero);
if (catInfo == IntPtr.Zero)
{
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
return(VerifyResult.NoSignature);
}
CatalogInfo ci;
if (!Win32.CryptCATCatalogInfoFromContext(catInfo, out ci, 0))
{
Win32.CryptCATAdminReleaseCatalogContext(catAdmin, catInfo, 0);
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
return(VerifyResult.NoSignature);
}
WintrustCatalogInfo wci = new WintrustCatalogInfo();
wci.Size = Marshal.SizeOf(wci);
wci.CatalogFilePath = ci.CatalogFile;
wci.MemberFilePath = fileName;
wci.MemberTag = memberTag.ToString();
WintrustData trustData = new WintrustData();
trustData.Size = 12 * 4;
trustData.UIChoice = 1;
trustData.UnionChoice = 2;
trustData.RevocationChecks = WtRevocationChecks.None;
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
trustData.ProvFlags = WtProvFlags.CacheOnlyUrlRetrieval;
}
using (MemoryAlloc mem = new MemoryAlloc(wci.Size))
{
Marshal.StructureToPtr(wci, mem, false);
try
{
trustData.UnionData = mem;
uint winTrustResult = Win32.WinVerifyTrust(IntPtr.Zero, DriverActionVerify, ref trustData);
result = StatusToVerifyResult(winTrustResult);
}
finally
{
Win32.CryptCATAdminReleaseCatalogContext(catAdmin, catInfo, 0);
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
Marshal.DestroyStructure(mem, typeof(WintrustCatalogInfo));
}
}
}
}
return(result);
}
public static VerifyResult VerifyFile(string fileName, out string signerName)
{
VerifyResult result;
using (MemoryAlloc strMem = new MemoryAlloc(fileName.Length * 2 + 2))
{
WintrustFileInfo fileInfo = new WintrustFileInfo();
strMem.WriteUnicodeString(0, fileName);
strMem.WriteInt16(fileName.Length * 2, 0);
fileInfo.Size = WintrustFileInfo.SizeOf;
fileInfo.FilePath = strMem;
WintrustData trustData = new WintrustData
{
Size = WintrustData.SizeOf,
UIChoice = 2, // WTD_UI_NONE
UnionChoice = 1, // WTD_CHOICE_FILE
RevocationChecks = WtdRevocationChecks.None,
ProvFlags = WtdProvFlags.Safer,
StateAction = WtdStateAction.Verify
};
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
trustData.ProvFlags |= WtdProvFlags.CacheOnlyUrlRetrieval;
}
using (MemoryAlloc mem = new MemoryAlloc(fileInfo.Size))
{
mem.WriteStruct(fileInfo);
trustData.UnionData = mem;
uint winTrustResult = Win32.WinVerifyTrust(IntPtr.Zero, WintrustActionGenericVerifyV2, ref trustData);
result = StatusToVerifyResult(winTrustResult);
try
{
if (result != VerifyResult.NoSignature)
{
signerName = GetSignerNameFromStateData(trustData.StateData);
return(result);
}
}
finally
{
// Close the state data.
trustData.StateAction = WtdStateAction.Close;
Win32.WinVerifyTrust(IntPtr.Zero, WintrustActionGenericVerifyV2, ref trustData);
}
}
}
signerName = null;
using (FileHandle sourceFile = FileHandle.CreateWin32(fileName, FileAccess.GenericRead, FileShareMode.Read, FileCreationDispositionWin32.OpenExisting))
{
byte[] hash = new byte[256];
int hashLength = 256;
if (!Win32.CryptCATAdminCalcHashFromFileHandle(sourceFile, ref hashLength, hash, 0))
{
hash = new byte[hashLength];
if (!Win32.CryptCATAdminCalcHashFromFileHandle(sourceFile, ref hashLength, hash, 0))
{
return(VerifyResult.NoSignature);
}
}
StringBuilder memberTag = new StringBuilder(hashLength * 2);
for (int i = 0; i < hashLength; i++)
{
memberTag.Append(hash[i].ToString("X2"));
}
IntPtr catAdmin;
if (!Win32.CryptCATAdminAcquireContext(out catAdmin, DriverActionVerify, 0))
{
return(VerifyResult.NoSignature);
}
IntPtr catInfo = Win32.CryptCATAdminEnumCatalogFromHash(catAdmin, hash, hashLength, 0, IntPtr.Zero);
if (catInfo == IntPtr.Zero)
{
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
return(VerifyResult.NoSignature);
}
CatalogInfo ci;
if (!Win32.CryptCATCatalogInfoFromContext(catInfo, out ci, 0))
{
Win32.CryptCATAdminReleaseCatalogContext(catAdmin, catInfo, 0);
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
return(VerifyResult.NoSignature);
}
WintrustCatalogInfo wci = new WintrustCatalogInfo
{
Size = WintrustCatalogInfo.SizeOf,
CatalogFilePath = ci.CatalogFile,
MemberFilePath = fileName,
MemberTag = memberTag.ToString()
};
WintrustData trustData = new WintrustData
{
Size = WintrustData.SizeOf,
UIChoice = 1,
UnionChoice = 2,
RevocationChecks = WtdRevocationChecks.None,
StateAction = WtdStateAction.Verify
};
if (OSVersion.IsAboveOrEqual(WindowsVersion.Vista))
{
trustData.ProvFlags = WtdProvFlags.CacheOnlyUrlRetrieval;
}
using (MemoryAlloc mem = new MemoryAlloc(wci.Size))
{
mem.WriteStruct(wci);
try
{
trustData.UnionData = mem;
uint winTrustResult = Win32.WinVerifyTrust(IntPtr.Zero, DriverActionVerify, ref trustData);
result = StatusToVerifyResult(winTrustResult);
if (result != VerifyResult.NoSignature)
{
signerName = GetSignerNameFromStateData(trustData.StateData);
}
}
finally
{
try
{
// Close the state data.
trustData.StateAction = WtdStateAction.Close;
Win32.WinVerifyTrust(IntPtr.Zero, DriverActionVerify, ref trustData);
}
finally
{
Win32.CryptCATAdminReleaseCatalogContext(catAdmin, catInfo, 0);
Win32.CryptCATAdminReleaseContext(catAdmin, 0);
mem.DestroyStruct <WintrustCatalogInfo>();
}
}
}
}
return(result);
}
