protected ExportedModuleTestBase(string modulePath) { mbbsEmuMemoryCore = new MemoryCore(); mbbsEmuCpuRegisters = new CpuRegisters(); mbbsEmuCpuCore = new CpuCore(); mbbsModule = new MbbsModule(FileUtility.CreateForTest(), _serviceResolver.GetService <ILogger>(), null, modulePath, mbbsEmuMemoryCore); testSessions = new PointerDictionary <SessionBase>(); testSessions.Allocate(new TestSession(null)); testSessions.Allocate(new TestSession(null)); majorbbs = new HostProcess.ExportedModules.Majorbbs( _serviceResolver.GetService <ILogger>(), _serviceResolver.GetService <AppSettings>(), _serviceResolver.GetService <IFileUtility>(), _serviceResolver.GetService <IGlobalCache>(), mbbsModule, testSessions, _serviceResolver.GetService <IAccountKeyRepository>(), _serviceResolver.GetService <IAccountRepository>()); galgsbl = new HostProcess.ExportedModules.Galgsbl( _serviceResolver.GetService <ILogger>(), _serviceResolver.GetService <AppSettings>(), _serviceResolver.GetService <IFileUtility>(), _serviceResolver.GetService <IGlobalCache>(), mbbsModule, testSessions); mbbsEmuCpuCore.Reset(mbbsEmuMemoryCore, mbbsEmuCpuRegisters, ExportedFunctionDelegate); }
/// <summary> /// Reads the four by four matrix. /// </summary> /// <param name="handle">The handle to the process where the matrix is located in memory.</param> /// <param name="lpBaseAddress">The <see cref="IntPtr" /> address of where the four by four matrix is located in memory.</param> /// <returns></returns> public static Matrix4X4 ReadFourByFourMatrix(SafeMemoryHandle handle, IntPtr lpBaseAddress) { var tmp = new Matrix4X4(); var buffer = MemoryCore.ReadBytes(handle, lpBaseAddress, 64); tmp.M11 = BitConverter.ToSingle(buffer, 0 * 4); tmp.M12 = BitConverter.ToSingle(buffer, 1 * 4); tmp.M13 = BitConverter.ToSingle(buffer, 2 * 4); tmp.M14 = BitConverter.ToSingle(buffer, 3 * 4); tmp.M21 = BitConverter.ToSingle(buffer, 4 * 4); tmp.M22 = BitConverter.ToSingle(buffer, 5 * 4); tmp.M23 = BitConverter.ToSingle(buffer, 6 * 4); tmp.M24 = BitConverter.ToSingle(buffer, 7 * 4); tmp.M31 = BitConverter.ToSingle(buffer, 8 * 4); tmp.M32 = BitConverter.ToSingle(buffer, 9 * 4); tmp.M33 = BitConverter.ToSingle(buffer, 10 * 4); tmp.M34 = BitConverter.ToSingle(buffer, 11 * 4); tmp.M41 = BitConverter.ToSingle(buffer, 12 * 4); tmp.M42 = BitConverter.ToSingle(buffer, 13 * 4); tmp.M43 = BitConverter.ToSingle(buffer, 14 * 4); tmp.M44 = BitConverter.ToSingle(buffer, 15 * 4); return(tmp); }
protected MajorbbsTestBase() { mbbsEmuMemoryCore = new MemoryCore(); mbbsEmuCpuRegisters = new CpuRegisters(); mbbsEmuCpuCore = new CpuCore(); majorbbs = new HostProcess.ExportedModules.Majorbbs(new MbbsModule(null, string.Empty, mbbsEmuMemoryCore), new PointerDictionary <Session.SessionBase>()); mbbsEmuCpuCore.Reset(mbbsEmuMemoryCore, mbbsEmuCpuRegisters, MajorbbsFunctionDelegate); }
/// <summary> /// Initializes a new instance of the <see cref="RemoteModule" /> class. /// </summary> /// <param name="memorySharp">The reference of the <see cref="MemorySharp" /> object.</param> /// <param name="module">The native <see cref="ProcessModule" /> object corresponding to this module.</param> internal RemoteModule(MemoryBase memorySharp, ProcessModule module) : base(memorySharp, module.BaseAddress) { // Save the parameter Native = module; LazyData = new Lazy <byte[]>( () => MemoryCore.ReadBytes(memorySharp.Handle, module.BaseAddress, module.ModuleMemorySize)); }
/// <summary> /// Write an array of bytes in the remote process. /// </summary> /// <param name="address">The address where the array is written.</param> /// <param name="byteArray">The array of bytes to write.</param> /// <param name="isRelative">[Optional] State if the address is relative to the main module.</param> protected void WriteBytes(IntPtr address, byte[] byteArray, bool isRelative = true) { // Change the protection of the memory to allow writable using (new MemoryProtection(this, isRelative ? MakeAbsolute(address) : address, MarshalType <byte> .Size * byteArray.Length)) { // Write the byte array MemoryCore.WriteBytes(Handle, isRelative ? MakeAbsolute(address) : address, byteArray); } }
/// <summary> /// Writes a set of bytes to memory. /// </summary> /// <param name="address">The address.</param> /// <param name="bytes">The bytes.</param> /// <param name="isRelative">if set to <c>true</c> [is relative].</param> /// <returns> /// Number of bytes written. /// </returns> public override int WriteBytes(IntPtr address, byte[] bytes, bool isRelative = false) { // Change the protection of the memory to allow writable using ( new MemoryProtection(this, isRelative ? GetAbsolute(address) : address, MarshalType <byte> .Size * bytes.Length)) { // Write the byte array MemoryCore.WriteBytes(Handle, isRelative ? GetAbsolute(address) : address, bytes); } return(bytes.Length); }
public void CreateRemoteThread() { // Arrange var handle = MemoryCore.OpenProcess(ProcessAccessFlags.AllAccess, Resources.ProcessTest.Id); // Act var thread = ThreadCore.CreateRemoteThread(handle, new IntPtr(1), IntPtr.Zero, ThreadCreationFlags.Suspended); var threadId = HandleManipulator.HandleToThreadId(thread); // Assert Assert.IsFalse(thread.IsInvalid); Assert.IsTrue(Resources.ProcessTest.Threads.Cast <ProcessThread>().Any(t => t.Id == threadId)); }
public void VirtualQueryEx_AnyProcess_ListAllMemoryPages() { // Arrange var handle = Resources.MemorySharp.Handle; var starting = new IntPtr(0); var ending = new IntPtr(0x07fffffff); // Act var regions = MemoryCore.Query(handle, starting, ending); // Assert Assert.AreNotEqual(0, regions.Count(), "Memory pages cannot be gathered."); }
protected MajorbbsTestBase() { mbbsEmuMemoryCore = new MemoryCore(); mbbsEmuCpuRegisters = new CpuRegisters(); mbbsEmuCpuCore = new CpuCore(); mbbsModule = new MbbsModule(FileUtility.CreateForTest(), _serviceResolver.GetService <ILogger>(), null, string.Empty, mbbsEmuMemoryCore); majorbbs = new HostProcess.ExportedModules.Majorbbs( _serviceResolver.GetService <ILogger>(), _serviceResolver.GetService <IConfiguration>(), _serviceResolver.GetService <IFileUtility>(), _serviceResolver.GetService <IGlobalCache>(), mbbsModule, new PointerDictionary <Session.SessionBase>()); mbbsEmuCpuCore.Reset(mbbsEmuMemoryCore, mbbsEmuCpuRegisters, MajorbbsFunctionDelegate); }
public void AllocateFree() { // Arrange var handle = MemoryCore.OpenProcess(ProcessAccessFlags.AllAccess, Resources.ProcessTest.Id); // Act try { var address = MemoryCore.Allocate(handle, 1); MemoryCore.Free(handle, address); } catch (Win32Exception ex) { Assert.Fail(ex.Message); } }
/// <summary> /// Initializes a new instance of the <see cref="MemorySharp"/> class. /// </summary> /// <param name="process">Process to open.</param> public MemorySharp(Process process) { // Save the reference of the process Native = process; // Open the process with all rights Handle = MemoryCore.OpenProcess(ProcessAccessFlags.AllAccess, process.Id); // Initialize the PEB Peb = new ManagedPeb(this, ManagedPeb.FindPeb(Handle)); // Create instances of the factories Factories = new List <IFactory>(); Factories.AddRange( new IFactory[] { Assembly = new AssemblyFactory(this), Memory = new MemoryFactory(this), Modules = new ModuleFactory(this), Threads = new ThreadFactory(this), Windows = new WindowFactory(this) }); }
public void VirtualProtectExWriteReadBytes() { // Arrange var handle = MemoryCore.OpenProcess(ProcessAccessFlags.AllAccess, Resources.ProcessTest.Id); var expected = new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90 }; var memory = new IntPtr(0x00400000); // Act try { MemoryCore.ChangeProtection(handle, memory, 5, MemoryProtectionFlags.ExecuteReadWrite); MemoryCore.WriteBytes(handle, memory, expected); var actual = MemoryCore.ReadBytes(handle, memory, 5); // Assert CollectionAssert.AreEqual(expected, actual, "The collections are not equal."); } catch (Win32Exception ex) { Assert.Fail(ex.Message); } }
/// <summary> /// Performs a pattern scan. /// </summary> /// <param name="processHandle">The process the <see cref="ProcessModule" /> containing the data resides in.</param> /// <param name="processModule">The <see cref="ProcessModule" /> that contains the pattern data resides in.</param> /// <param name="data">The array of bytes containing the data to search for matches in.</param> /// <param name="mask"> /// The mask that defines the byte pattern we are searching for. /// <example> /// <code> /// var bytes = new byte[]{55,45,00,00,55} ; /// var mask = "xx??x"; /// </code> /// </example> /// </param> /// <param name="offsetToAdd">The offset to add to the offset result found from the pattern.</param> /// <param name="reBase">If the address should be rebased to this Instance's base address.</param> /// <param name="wildCardChar"> /// [Optinal] The 'wild card' defines the <see cref="char" /> value that the mask uses to differentiate /// between pattern data that is relevant, and pattern data that should be ignored. The default value is 'x'. /// </param> /// <param name="pattern">The byte array that contains the pattern of bytes we're looking for.</param> /// <returns>A new <see cref="PatternScanResult" /> instance.</returns> public static PatternScanResult Find(SafeMemoryHandle processHandle, ProcessModule processModule, byte[] data, byte[] pattern, string mask, int offsetToAdd, bool reBase, char wildCardChar = 'x') { for (var offset = 0; offset < data.Length; offset++) { if (mask.Where((m, b) => m == 'x' && pattern[b] != data[b + offset]).Any()) { continue; } var found = MemoryCore.Read <IntPtr>(processHandle, processModule.BaseAddress + offset + offsetToAdd); var result = new PatternScanResult { OriginalAddress = found, Address = reBase ? found : found.Subtract(processModule.BaseAddress), Offset = (IntPtr)offset }; return(result); } // If this is reached, the pattern was not found. throw new Exception("The pattern scan for the pattern mask: " + "[" + mask + "]" + " was not found."); }
protected ExportedModuleTestBase(string modulePath) { _serviceResolver = new ServiceResolver(fakeClock, SessionBuilder.ForTest($"MBBSDb_{RANDOM.Next()}")); var textVariableService = _serviceResolver.GetService <ITextVariableService>(); mbbsEmuMemoryCore = new MemoryCore(); mbbsEmuCpuRegisters = new CpuRegisters(); mbbsEmuCpuCore = new CpuCore(); mbbsModule = new MbbsModule(FileUtility.CreateForTest(), fakeClock, _serviceResolver.GetService <ILogger>(), null, modulePath, mbbsEmuMemoryCore); testSessions = new PointerDictionary <SessionBase>(); testSessions.Allocate(new TestSession(null, textVariableService)); testSessions.Allocate(new TestSession(null, textVariableService)); majorbbs = new HostProcess.ExportedModules.Majorbbs( _serviceResolver.GetService <IClock>(), _serviceResolver.GetService <ILogger>(), _serviceResolver.GetService <AppSettings>(), _serviceResolver.GetService <IFileUtility>(), _serviceResolver.GetService <IGlobalCache>(), mbbsModule, testSessions, _serviceResolver.GetService <IAccountKeyRepository>(), _serviceResolver.GetService <IAccountRepository>()); galgsbl = new HostProcess.ExportedModules.Galgsbl( _serviceResolver.GetService <IClock>(), _serviceResolver.GetService <ILogger>(), _serviceResolver.GetService <AppSettings>(), _serviceResolver.GetService <IFileUtility>(), _serviceResolver.GetService <IGlobalCache>(), mbbsModule, testSessions); mbbsEmuCpuCore.Reset(mbbsEmuMemoryCore, mbbsEmuCpuRegisters, ExportedFunctionDelegate, null); }
/// <summary> /// Finds the Process Environment Block address of a specified process. /// </summary> /// <param name="processHandle">A handle of the process.</param> /// <returns>A <see cref="IntPtr"/> pointer of the PEB.</returns> public static IntPtr FindPeb(SafeMemoryHandle processHandle) { return(MemoryCore.NtQueryInformationProcess(processHandle).PebBaseAddress); }
/// <summary> /// Constructor for MbbsModule /// /// Pass in an empty/blank moduleIdentifier for a Unit Test/Fake Module /// </summary> /// <param name="logger"></param> /// <param name="moduleIdentifier">Will be null in a test</param> /// <param name="path"></param> /// <param name="memoryCore"></param> /// <param name="fileUtility"></param> public MbbsModule(IFileUtility fileUtility, IClock clock, ILogger logger, string moduleIdentifier, string path = "", MemoryCore memoryCore = null) { _fileUtility = fileUtility; _logger = logger; _clock = clock; ModuleIdentifier = moduleIdentifier; ModuleDlls = new List <MbbsDll>(); //Sanitize and setup Path if (string.IsNullOrEmpty(path)) { path = Directory.GetCurrentDirectory(); } if (!Path.EndsInDirectorySeparator(path)) { path += Path.DirectorySeparatorChar; } ModulePath = path; // will be null in tests if (string.IsNullOrEmpty(ModuleIdentifier)) { Mdf = MdfFile.createForTest(); ModuleDlls.Add(new MbbsDll(fileUtility, logger) { File = NEFile.createForTest() }); } else { //Verify MDF File Exists var mdfFile = fileUtility.FindFile(ModulePath, $"{ModuleIdentifier}.MDF"); var fullMdfFilePath = Path.Combine(ModulePath, mdfFile); if (!System.IO.File.Exists(fullMdfFilePath)) { throw new FileNotFoundException($"Unable to locate Module: {fullMdfFilePath}"); } Mdf = new MdfFile(fullMdfFilePath); var moduleDll = new MbbsDll(fileUtility, logger); moduleDll.Load(Mdf.DLLFiles[0].Trim(), ModulePath); ModuleDlls.Add(moduleDll); if (Mdf.Requires.Count > 0) { foreach (var r in Mdf.Requires) { var requiredDll = new MbbsDll(fileUtility, logger); if (requiredDll.Load(r.Trim(), ModulePath)) { requiredDll.SegmentOffset = (ushort)(ModuleDlls.Sum(x => x.File.SegmentTable.Count) + 1); ModuleDlls.Add(requiredDll); } } } if (Mdf.MSGFiles.Count > 0) { Msgs = new List <MsgFile>(Mdf.MSGFiles.Count); foreach (var m in Mdf.MSGFiles) { Msgs.Add(new MsgFile(ModulePath, m)); } } } //Set Initial Values RtkickRoutines = new PointerDictionary <RealTimeRoutine>(); RtihdlrRoutines = new PointerDictionary <RealTimeRoutine>(); TaskRoutines = new PointerDictionary <RealTimeRoutine>(); TextVariables = new Dictionary <string, FarPtr>(); GlobalCommandHandlers = new List <FarPtr>(); ExportedModuleDictionary = new Dictionary <ushort, IExportedModule>(6); ExecutionUnits = new Queue <ExecutionUnit>(2); Memory = memoryCore ?? new MemoryCore(); //Declare PSP Segment var psp = new PSPStruct { NextSegOffset = 0x9FFF, EnvSeg = 0xFFFF }; Memory.AddSegment(0x4000); Memory.SetArray(0x4000, 0, psp.Data); Memory.AllocateVariable("Int21h-PSP", sizeof(ushort)); Memory.SetWord("Int21h-PSP", 0x4000); //Find _INIT_ values if any foreach (var dll in ModuleDlls) { //If it's a Test, setup a fake _INIT_ if (string.IsNullOrEmpty(ModuleIdentifier)) { dll.EntryPoints["_INIT_"] = null; return; } //Setup _INIT_ Entrypoint FarPtr initEntryPointPointer; var initResidentName = dll.File.ResidentNameTable.FirstOrDefault(x => x.Name.StartsWith("_INIT__")); if (initResidentName == null) { //This only happens with MajorMUD -- I have no idea why it's a special little snowflake ¯\_(ツ)_/¯ _logger.Warn($"({moduleIdentifier}) Unable to locate _INIT_ in Resident Name Table, checking Non-Resident Name Table..."); var initNonResidentName = dll.File.NonResidentNameTable.FirstOrDefault(x => x.Name.StartsWith("_INIT__")); if (initNonResidentName == null) { throw new Exception("Unable to locate _INIT__ entry in Resident Name Table"); } var initEntryPoint = dll.File.EntryTable.First(x => x.Ordinal == initNonResidentName.IndexIntoEntryTable); initEntryPointPointer = new FarPtr((ushort)(initEntryPoint.SegmentNumber + dll.SegmentOffset), initEntryPoint.Offset); } else { var initEntryPoint = dll.File.EntryTable.First(x => x.Ordinal == initResidentName.IndexIntoEntryTable); initEntryPointPointer = new FarPtr((ushort)(initEntryPoint.SegmentNumber + dll.SegmentOffset), initEntryPoint.Offset); } _logger.Debug($"({ModuleIdentifier}) Located _INIT__: {initEntryPointPointer}"); dll.EntryPoints["_INIT_"] = initEntryPointPointer; } }
/// <summary> /// Constructor for MbbsModule /// /// Pass in an empty/blank moduleIdentifier for a Unit Test/Fake Module /// </summary> /// <param name="moduleIdentifier"></param> /// <param name="path"></param> /// <param name="memoryCore"></param> public MbbsModule(string moduleIdentifier, string path = "", MemoryCore memoryCore = null) { ModuleIdentifier = moduleIdentifier; //Sanitize and setup Path if (string.IsNullOrEmpty(path)) { path = Directory.GetCurrentDirectory(); } if (!path.EndsWith(Path.DirectorySeparatorChar)) { path += Path.DirectorySeparatorChar; } ModulePath = path; //Verify MDF File Exists if (!string.IsNullOrEmpty(ModuleIdentifier) && !System.IO.File.Exists($"{ModulePath}{ModuleIdentifier}.MDF")) { throw new FileNotFoundException($"Unable to locate Module: {ModulePath}{ModuleIdentifier}.MDF"); } Mdf = !string.IsNullOrEmpty(ModuleIdentifier) ? new MdfFile($"{ModulePath}{ModuleIdentifier}.MDF") : MdfFile.createForTest(); File = !string.IsNullOrEmpty(ModuleIdentifier) ? new NEFile($"{ModulePath}{Mdf.DLLFiles[0].Trim()}.DLL") : NEFile.createForTest(); if (Mdf.MSGFiles.Count > 0) { Msgs = new List <MsgFile>(Mdf.MSGFiles.Count); foreach (var m in Mdf.MSGFiles) { Msgs.Add(new MsgFile(ModulePath, m)); } } //Set Initial Values EntryPoints = new Dictionary <string, IntPtr16>(); RtkickRoutines = new PointerDictionary <RealTimeRoutine>(); RtihdlrRoutines = new PointerDictionary <RealTimeRoutine>(); TaskRoutines = new PointerDictionary <RealTimeRoutine>(); TextVariables = new Dictionary <string, IntPtr16>(); ExecutionUnits = new Queue <ExecutionUnit>(2); ExportedModuleDictionary = new Dictionary <ushort, IExportedModule>(4); GlobalCommandHandlers = new List <IntPtr16>(); Memory = memoryCore ?? new MemoryCore(); //If it's a Test, setup a fake _INIT_ if (string.IsNullOrEmpty(ModuleIdentifier)) { EntryPoints["_INIT_"] = null; return; } //Setup _INIT_ Entrypoint IntPtr16 initEntryPointPointer; var initResidentName = File.ResidentNameTable.FirstOrDefault(x => x.Name.StartsWith("_INIT__")); if (initResidentName == null) { //This only happens with MajorMUD -- I have no idea why it's a special little snowflake ¯\_(ツ)_/¯ _logger.Warn("Unable to locate _INIT_ in Resident Name Table, checking Non-Resident Name Table..."); var initNonResidentName = File.NonResidentNameTable.FirstOrDefault(x => x.Name.StartsWith("_INIT__")); if (initNonResidentName == null) { throw new Exception("Unable to locate _INIT__ entry in Resident Name Table"); } var initEntryPoint = File.EntryTable.First(x => x.Ordinal == initNonResidentName.IndexIntoEntryTable); initEntryPointPointer = new IntPtr16(initEntryPoint.SegmentNumber, initEntryPoint.Offset); } else { var initEntryPoint = File.EntryTable.First(x => x.Ordinal == initResidentName.IndexIntoEntryTable); initEntryPointPointer = new IntPtr16(initEntryPoint.SegmentNumber, initEntryPoint.Offset); } _logger.Info($"Located _INIT__: {initEntryPointPointer}"); EntryPoints["_INIT_"] = initEntryPointPointer; }
/// <summary> /// Reads a specific number of bytes from memory. /// </summary> /// <param name="address">The address.</param> /// <param name="count">The count.</param> /// <param name="isRelative">if set to <c>true</c> [is relative].</param> /// <returns></returns> public override byte[] ReadBytes(IntPtr address, int count, bool isRelative = false) { return(MemoryCore.ReadBytes(Handle, isRelative ? GetAbsolute(address) : address, count)); }
/// <summary> /// Reads an array of bytes in the remote process. /// </summary> /// <param name="address">The address where the array is read.</param> /// <param name="count">The number of cells.</param> /// <param name="isRelative">[Optional] State if the address is relative to the main module.</param> /// <returns>The array of bytes.</returns> protected byte[] ReadBytes(IntPtr address, int count, bool isRelative = true) { return(MemoryCore.ReadBytes(Handle, isRelative ? MakeAbsolute(address) : address, count)); }