/// <summary>
/// Reads the page-aligned 4 KiB block that contains <paramref name="VA"/>.
/// The address is rounded down to its page boundary before translation, and
/// the translation goes through the EPT as well when a VMCS is present.
/// </summary>
/// <param name="VA">Virtual address; the low 12 bits are ignored.</param>
/// <returns>The page contents as a 4096-byte array, or <c>null</c> when
/// <c>GetPageForPhysAddr</c> reports that the page could not be read.</returns>
public byte[] VGetBlock(long VA)
{
    const int PageBytes = 4096;
    const int PageLongs = PageBytes / sizeof(long);

    long pageBase = VA & ~0xfff;

    HARDWARE_ADDRESS_ENTRY physical = vmcs == null
        ? MemAccess.VirtualToPhysical(CR3Value, pageBase)
        : MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase);

    var words = new long[PageLongs];
    bool haveData = false;
    MemAccess.GetPageForPhysAddr(physical, ref words, ref haveData);
    if (!haveData)
    {
        // Caller must distinguish this from a legitimately all-zero page.
        return null;
    }

    var page = new byte[PageBytes];
    Buffer.BlockCopy(words, 0, page, 0, PageBytes);
    return page;
}
/// <summary>
/// Reads the page-aligned 4 KiB block that contains <paramref name="VA"/>,
/// translating through the EPT as well when a VMCS is present.
/// </summary>
/// <param name="VA">Virtual address; the low 12 bits are ignored.</param>
/// <returns>A 4096-byte array. The <c>GotData</c> flag produced by
/// <c>GetPageForPhysAddr</c> is collected but never consulted, so an
/// unreadable page is indistinguishable from a page of zeros (assuming the
/// read leaves the buffer untouched on failure) — callers cannot detect a
/// failed read from this return value.</returns>
public byte[] VGetBlock(long VA)
{
    const int PageBytes = 4096;
    const int PageLongs = PageBytes / sizeof(long);

    long pageBase = VA & ~0xfff;

    HARDWARE_ADDRESS_ENTRY physical = vmcs == null
        ? MemAccess.VirtualToPhysical(CR3Value, pageBase)
        : MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase);

    var words = new long[PageLongs];
    var page = new byte[PageBytes];
    bool haveData = false;
    // Fourth argument semantics are not visible here — presumably a read-mode
    // switch; confirm against GetPageForPhysAddr.
    MemAccess.GetPageForPhysAddr(physical, ref words, ref haveData, true);
    Buffer.BlockCopy(words, 0, page, 0, PageBytes);
    return page;
}
/// <summary>
/// Reads the page-aligned 4 KiB block that contains <paramref name="VA"/> as
/// 512 little-endian machine words, translating through the EPT as well when
/// a VMCS is present. See the other page-aligned readers for the byte variant.
/// </summary>
/// <param name="VA">Virtual address; the low 12 bits are ignored.</param>
/// <param name="GotData">Set by <c>GetPageForPhysAddr</c> to indicate whether
/// the page was actually read; this method does not reset it beforehand, so
/// callers should pass <c>false</c>.</param>
/// <returns>A 512-element <c>long[]</c>; its contents are only meaningful when
/// <paramref name="GotData"/> is <c>true</c> after the call.</returns>
public long[] VGetBlockLong(long VA, ref bool GotData)
{
    const int PageLongs = 4096 / sizeof(long);

    long pageBase = VA & ~0xfff;

    HARDWARE_ADDRESS_ENTRY physical;
    if (vmcs != null)
    {
        physical = MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase);
    }
    else
    {
        physical = MemAccess.VirtualToPhysical(CR3Value, pageBase);
    }

    var words = new long[PageLongs];
    MemAccess.GetPageForPhysAddr(physical, ref words, ref GotData);
    return words;
}
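/// <summary>
/// Runs a YARA rule file over every valid page of this process's address space
/// (optionally including kernel-space mappings) and collects the matches.
/// </summary>
/// <param name="RulesFile">Path to the YARA rule source that is compiled for this scan.</param>
/// <param name="IncludeData">When <c>false</c>, pages whose PTE has the NX bit set are
/// skipped so that only executable mappings are scanned.</param>
/// <param name="KernelSpace">Forwarded to <c>PT.FillPageQueue</c> to select kernel-space pages.</param>
/// <returns>All scan results. The same list is stored in <c>YaraOutput</c>, and
/// <c>YaraTotalScanned</c> is set to the number of bytes handed to the scanner.</returns>
/// <remarks>
/// Progress output is written to the console when <c>Vtero.VerboseLevel</c> is greater than 1.
/// </remarks>
public List<ScanResult> YaraScan(string RulesFile, bool IncludeData = false, bool KernelSpace = false)
{
    var rv = new List<ScanResult>();
    using (var ctx = new YaraContext())
    {
        Rules rules = null;
        try
        {
            // Rules and Compiler objects must be disposed.
            using (var compiler = new Compiler())
            {
                compiler.AddRuleFile(RulesFile);
                rules = compiler.GetRules();
            }

            PageTable.AddProcess(this, MemAccess);
            var curr = 0;
            YaraTotalScanned = 0;

            // single threaded worked best so far
            foreach (var range in PT.FillPageQueue(false, KernelSpace, true, false))
            {
                curr++;
                if (Vtero.VerboseLevel > 1)
                {
                    Console.CursorLeft = 0;
                    Console.Write($"{curr} scanned");
                }

                if (!range.PTE.Valid)
                {
                    continue;
                }

                // skip data as requested
                if (!IncludeData && range.PTE.NoExecute)
                {
                    continue;
                }

                // Scanner and ScanResults do not need to be disposed.
                var scanner = new libyaraNET.Scanner();
                unsafe
                {
                    // Page buffers are sized in 8-byte words: 4 KiB for a normal
                    // page, 2 MiB for a large page.
                    long[] block = range.PTE.LargePage ? new long[0x40000] : new long[0x200];
                    bool GotData = false;
                    MemAccess.GetPageForPhysAddr(range.PTE, ref block, ref GotData);
                    if (!GotData)
                    {
                        continue;
                    }

                    // ScanMemory receives a byte pointer and a byte count. block.Length
                    // counts longs, so it must be scaled by sizeof(long); passing it
                    // unscaled scans only the first eighth of each page and leaves the
                    // rest unexamined.
                    int byteCount = block.Length * sizeof(long);
                    fixed (void* lp = block)
                    {
                        var res = scanner.ScanMemory((byte*)lp, byteCount, rules, ScanFlags.None);
                        rv.AddRange(res);
                        YaraTotalScanned += byteCount;
                    }
                }
            }
        }
        finally
        {
            // Rules and Compiler objects must be disposed.
            if (rules != null)
            {
                rules.Dispose();
            }
        }
    }
    YaraOutput = rv;
    return (YaraOutput);
}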
/// <summary>
/// P/Invoke declaration for the Win32 <c>OpenFileMappingW</c> entry point, which opens an
/// existing named file-mapping object. The <c>DllImport</c> attribute that binds it is not
/// visible here.
/// </summary>
/// <param name="dwDesiredAccess">Access rights, marshalled as a 32-bit unsigned value.
/// NOTE(review): presumably a FILE_MAP_* flags enum — confirm that the <c>MemAccess</c>
/// type used here is that enum and not the memory-access helper of the same name.</param>
/// <param name="bInheritHandle">Whether the returned handle is inheritable by child processes.
/// NOTE(review): marshalled as <c>UnmanagedType.U1</c>, but Win32 BOOL is 32 bits wide;
/// <c>UnmanagedType.Bool</c> is the usual choice so the upper bits are defined — confirm.</param>
/// <param name="lpName">Name of the mapping object. NOTE(review): the W entry point expects
/// UTF-16, so the (unseen) <c>DllImport</c> needs <c>CharSet.Unicode</c> or the parameter
/// needs <c>MarshalAs(UnmanagedType.LPWStr)</c> — confirm.</param>
/// <returns>A handle to the mapping, or <c>IntPtr.Zero</c> on failure.</returns>
private static extern IntPtr OpenFileMappingW([In, MarshalAs(UnmanagedType.U4)] MemAccess dwDesiredAccess, [In, MarshalAs(UnmanagedType.U1)] bool bInheritHandle, string lpName);
/// <summary>
/// P/Invoke declaration for the Win32 <c>MapViewOfFile</c> entry point, which maps a view of a
/// file-mapping object into the caller's address space. The <c>DllImport</c> attribute that
/// binds it is not visible here.
/// </summary>
/// <param name="hFileMapping">Handle returned by <c>OpenFileMappingW</c> or <c>CreateFileMapping</c>.</param>
/// <param name="dwDesiredAccess">Access rights, marshalled as a 32-bit unsigned value.
/// NOTE(review): presumably a FILE_MAP_* flags enum — confirm the <c>MemAccess</c> type here.</param>
/// <param name="dwFileOffsetHi">High 32 bits of the file offset where the view starts.</param>
/// <param name="dwFileOffsetLo">Low 32 bits of the file offset where the view starts.</param>
/// <param name="dwNumberOfBytesToMap">Size of the view in bytes; 0 maps to the end of the mapping.
/// NOTE(review): the native parameter is SIZE_T (pointer-sized). Declaring it as <c>int</c>
/// caps views at 2 GiB and on 64-bit leaves the upper half of the register undefined;
/// <c>UIntPtr</c>/<c>nuint</c> is the usual declaration — confirm before changing callers.</param>
/// <returns>Base address of the mapped view, or <c>IntPtr.Zero</c> on failure.</returns>
private static extern IntPtr MapViewOfFile(IntPtr hFileMapping, [In, MarshalAs(UnmanagedType.U4)] MemAccess dwDesiredAccess, int dwFileOffsetHi, int dwFileOffsetLo, int dwNumberOfBytesToMap);