Beispiel #1
 /// <summary>
 /// Serializes <paramref name="source"/> to JSON, encodes it as UTF-8 and writes it
 /// gzip-compressed to <paramref name="fileName"/>.
 /// </summary>
 /// <param name="source">Object map to persist.</param>
 /// <param name="fileName">Destination path; File.Create replaces any existing file at that path.</param>
 private void PersistObjectMap(ObjectTreeMap source, string fileName)
 {
     // Serialize before touching the file system so a serialization failure
     // cannot leave a truncated cache file behind.
     string json = JsonConvert.SerializeObject(source);
     byte[] payload = Encoding.UTF8.GetBytes(json);

     // NOTE(review): the file is written with no integrity tag and whatever
     // permissions the target folder grants; any reader of this cache has to treat
     // its contents as only as trustworthy as that folder — confirm who can write there.
     using (FileStream output = File.Create(fileName))
     {
         using (GZipStream gzip = new GZipStream(output, CompressionMode.Compress))
         {
             gzip.Write(payload, 0, payload.Length);
         }
     }
 }
Beispiel #2
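        /// <summary>
        /// Checks that the profile and data provider carry everything the object-tree walk
        /// needs, then creates an empty <c>ObjectTreeMap</c> and records the structure
        /// sizes taken from the profile.
        /// </summary>
        /// <param name="profile">Profile forwarded to the base constructor.</param>
        /// <param name="dataProvider">Data provider forwarded to the base constructor.</param>
        /// <exception cref="ArgumentException">
        /// The profile is missing, has no kernel base address or kernel address space, or the
        /// data provider is missing or has a null/empty cache folder.
        /// </exception>
        public ObjectTree(Profile profile, DataProviderBase dataProvider) : base(profile, dataProvider)
        {
            // check pre-reqs
            // NOTE(review): _profile and _dataProvider are presumably assigned by the base constructor — confirm.
            // string.IsNullOrEmpty instead of == "": a null CacheFolder used to pass this check,
            // and the cache path that Run() builds by concatenation would then be the rooted
            // "\object_tree_map.gz", so the cache would be read from and written to a location
            // nobody configured.
            if (_profile == null
                || _profile.KernelBaseAddress == 0
                || _profile.KernelAddressSpace == null
                || _dataProvider == null
                || string.IsNullOrEmpty(_dataProvider.CacheFolder))
            {
                throw new ArgumentException("Missing Prerequisites");
            }

            _objectMap = new ObjectTreeMap
            {
                ObjectTreeRecords = new List <ObjectTreeRecord>()
            };

            // The header size comes from an ObjectHeader built for this profile; the two
            // directory sizes are looked up by structure name.
            ObjectHeader oh = new ObjectHeader(_profile);

            _objectMap.ObjectHeaderSize         = (ulong)oh.Size;
            _objectMap.ObjectDirectoryEntrySize = (uint)_profile.GetStructureSize("_OBJECT_DIRECTORY_ENTRY");
            _objectMap.ObjectDirectorySize      = (uint)_profile.GetStructureSize("_OBJECT_DIRECTORY");
        }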
Beispiel #3
        /// <summary>
        /// Builds the object tree records, reusing a previously persisted map when the data
        /// provider is not live and a cache file exists.
        /// </summary>
        /// <returns>
        /// <c>Records</c> after the map has been loaded or built, or <c>null</c> when the
        /// root directory pointer cannot be read.
        /// </returns>
        public List <ObjectTreeRecord> Run()
        {
            _isx64 = _profile.Architecture == "AMD64";

            // Try the on-disk cache first.
            FileInfo cacheInfo = new FileInfo(_dataProvider.CacheFolder + "\\object_tree_map.gz");

            if (cacheInfo.Exists && !_dataProvider.IsLive)
            {
                // NOTE(review): a cached map is adopted as-is; nothing here ties the file to the
                // image being analysed or checks its integrity, so whoever can write to
                // CacheFolder decides what Records returns. Confirm RetrieveObjectMap validates
                // what it deserializes.
                ObjectTreeMap cachedMap = RetrieveObjectMap(cacheInfo);
                if (cachedMap != null)
                {
                    _objectMap = cachedMap;
                    return Records;
                }
            }

            // Address of the root directory pointer: kernel base plus the profile constant.
            uint  rootOffset = (uint)_profile.GetConstant("ObpRootDirectoryObject");
            ulong rootPointerAddress = _profile.KernelBaseAddress + rootOffset;

            _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
            ulong directoryAddress;

            if (!_isx64)
            {
                var pointer32 = _dataProvider.ReadUInt32(rootPointerAddress);
                if (pointer32 == null)
                {
                    return null;
                }
                directoryAddress = (ulong)pointer32;
            }
            else
            {
                var pointer64 = _dataProvider.ReadUInt64(rootPointerAddress);
                if (pointer64 == null)
                {
                    return null;
                }
                // Only the low 48 bits of the 64-bit pointer are kept.
                directoryAddress = (ulong)pointer64 & 0xffffffffffff;
            }

            ProcessDirectory(directoryAddress, 0);

            // A map built from a live provider is never written to the cache.
            if (!_dataProvider.IsLive)
            {
                PersistObjectMap(_objectMap, _dataProvider.CacheFolder + "\\object_tree_map.gz");
            }
            return Records;
        }