Beispiel #1
0
 public LibraryRebaseForm(ref LibraryResultsProcessor processor)
 {
     InitializeComponent();
     this.Libraries = processor.Libraries;
     this.libraryBindingSource.DataSource = this.Libraries.Select(e => e.Name);
 }
Beispiel #2
0
        private void processInstructionFileButton_Click(object sender, EventArgs e)
        {
            libraryProcessor = new LibraryResultsProcessor("libraryTrace.txt");

            processor = new InstructionProcessor("instructionTrace.txt", libraryProcessor.Libraries, libraryProcessor);
            librariesBindingSource.DataSource = processor.Libraries.Select(x => x.Name);
            instructionBindingSource.DataSource = processor.Instructions;
            threadBindingSource.DataSource = processor.Threads;

            // remove the data source changed handler briefly, since it slows things down
            this.resultsGridView.DataSourceChanged -= new System.EventHandler(this.resultsGridView_DataSourceChanged);

            for (int i = 0; i < processor.Libraries.Count; i++)
            {
                loadedLibraryList.SetSelected(i, true); // select all the libraries initially
            }

            for (int i = 0; i < processor.Threads.Count; i++)
            {
                loadedThreadList.SetSelected(i, true); // select all threads initially
            }

            // re add the event handler for data source adds
            this.resultsGridView.DataSourceChanged += new System.EventHandler(this.resultsGridView_DataSourceChanged);

            // invoke the data source change handler since we were ignoring it before
            resultsGridView_DataSourceChanged(null, null);
            Console.WriteLine("Done processing.");
        }
        public InstructionProcessor(string filename, IList <Library> libraries, LibraryResultsProcessor processor)
        {
            this.libraries          = libraries;
            instructions            = new List <Instruction>();
            includedLibraries       = new List <string>();
            threads                 = new List <int>();
            includedThreads         = new List <int>();
            libraryOffsetDictionary = new Dictionary <string, int>();

            // initialise the color bank
            colorBank     = new Color[16];
            colorBank[0]  = Color.FromArgb(246, 150, 121);
            colorBank[1]  = Color.FromArgb(249, 173, 129);
            colorBank[2]  = Color.FromArgb(253, 198, 137);
            colorBank[3]  = Color.FromArgb(255, 247, 153);
            colorBank[4]  = Color.FromArgb(196, 223, 155);
            colorBank[5]  = Color.FromArgb(163, 211, 156);
            colorBank[6]  = Color.FromArgb(130, 202, 156);
            colorBank[7]  = Color.FromArgb(122, 204, 200);
            colorBank[8]  = Color.FromArgb(109, 207, 246);
            colorBank[9]  = Color.FromArgb(125, 167, 217);
            colorBank[10] = Color.FromArgb(131, 147, 202);
            colorBank[11] = Color.FromArgb(135, 129, 189);
            colorBank[12] = Color.FromArgb(161, 134, 190);
            colorBank[13] = Color.FromArgb(189, 140, 191);
            colorBank[14] = Color.FromArgb(244, 154, 193);
            colorBank[15] = Color.FromArgb(245, 152, 157);

            Library strange = new Library();

            strange.Name = "INVALID";

            using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
            {
                using (StreamReader sr = new StreamReader(fs))
                {
                    while (!sr.EndOfStream)
                    {
                        string      line    = sr.ReadLine();
                        string[]    entries = line.Split(new char[] { '|' });
                        Instruction instr   = new Instruction();
                        foreach (string s in entries)
                        {
                            string[] keyvalue = s.Split(new char[] { ':' });
                            if (keyvalue.Length < 2)
                            {
                                continue;
                            }
                            if (keyvalue.Length > 2)
                            {
                                // there is a colon besides the field delimeter
                                for (int i = 2; i < keyvalue.Length; i++)
                                {
                                    keyvalue[1] += ":" + keyvalue[i];
                                }
                            }

                            keyvalue[0] = keyvalue[0].Trim();
                            keyvalue[1] = keyvalue[1].Trim();

                            switch (keyvalue[0])
                            {
                            case "Thread ID":
                                int id;
                                if (Int32.TryParse(keyvalue[1], out id))
                                {
                                    instr.Threadid = (uint)id;
                                    if (!Threads.Contains(id))
                                    {
                                        Threads.Add(id);
                                    }
                                    if (!IncludedThreads.Contains(id))
                                    {
                                        IncludedThreads.Add(id);
                                    }
                                }
                                else
                                {
                                    instr.Threadid = 0;
                                }
                                break;

                            case "Instruction Address":
                                int addr;
                                if (int.TryParse(keyvalue[1], out addr))
                                {
                                    instr.Address = instr.Address_traced = (uint)addr;
                                }
                                else
                                {
                                    instr.Address = instr.Address_traced = 0;
                                }
                                break;

                            case "Library Name":
                                if (libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList().Count == 0)
                                {
                                    instr.Library = strange;
                                    //throw new InvalidDataException("Somehow executed a non-loaded library!");
                                    if (!libraries.Contains(strange))
                                    {
                                        libraries.Add(strange);
                                    }
                                }
                                List <Library> lib = libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList();
                                if (lib.Count != 0)
                                {
                                    instr.Library = lib.First();
                                }
                                else
                                {
                                    Console.WriteLine("Found an instruction without a corresponding library!");
                                }
                                if (!IncludedLibraries.Contains(keyvalue[1]))
                                {
                                    IncludedLibraries.Add(keyvalue[1]);
                                }
                                break;

                            case "Instruction Count":
                                int count;
                                if (Int32.TryParse(keyvalue[1], out count))
                                {
                                    instr.Instructionnumber = count;
                                }
                                else
                                {
                                    instr.Instructionnumber = -1;
                                }
                                break;

                            case "Time":
                                int time;
                                if (Int32.TryParse(keyvalue[1], out time))
                                {
                                    instr.Time = (uint)time;
                                }
                                else
                                {
                                    instr.Instructionnumber = -1;
                                }
                                break;

                            case "Depth":
                                int depth;
                                if (Int32.TryParse(keyvalue[1], out depth))
                                {
                                    instr.Depth = (int)depth;
                                    instr.Color = ColorBank[instr.Depth % ColorBank.Length];
                                }
                                else
                                {
                                    instr.Depth = -1;
                                }
                                break;

                            default:
                                break;
                            }
                        }

                        if (MaxDepth < instr.Depth)
                        {
                            MaxDepth = instr.Depth;
                        }
                        if (MinDepth > instr.Depth)
                        {
                            MinDepth = instr.Depth;
                        }
                        instructions.Add(instr);
                    }
                }
            }



            foreach (Instruction instr in this.instructions)
            {
                if (instr.Library == strange)
                {
                    // This is an unresolved library, instruction address pairing. Let's patch it up.
                    instr.LibraryName = processor.GetLibraryName((int)instr.Address);
                    foreach (Library l in this.Libraries)
                    {
                        if (l.Name != null && l.Name.CompareTo(instr.LibraryName) == 0)
                        {
                            instr.Library = l;
                            break;
                        }
                    }
                    if (instr.LibraryName == null)
                    {
                        //Debug.WriteLine("Couldnt resolve address {0:X} to a library. Traced as {1:X}.", instr.Address, instr.Address_traced);
                        instr.Library     = strange;
                        instr.LibraryName = "STRANGE MODE";
                    }
                }

                List <string> outValue = new List <string>();
                if (instr.Library.PeSupport != null && instr.Library.PeSupport.Exports.TryGetValue((int)instr.Address, out outValue))
                {
                    instr.SystemCallName = outValue[0];
                }
            }
        }
Beispiel #4
0
        private void histogramData_Enter(object sender, EventArgs e)
        {
            if (libraryProcessor == null)
                libraryProcessor = new LibraryResultsProcessor("memorypin.txt");
            if (processor == null)
                processor = new InstructionProcessor("instructionTrace.txt", libraryProcessor.Libraries, libraryProcessor);

            IList<Instruction> instrs = processor.Instructions;

            Dictionary<uint, uint> histogram = new Dictionary<uint, uint>(); ; // <instruction address, count>

            foreach (Instruction i in instrs)
            {
                if (histogram.ContainsKey(i.Address) == false)
                {
                    histogram.Add(i.Address, 1);
                }
                else
                {
                    histogram[i.Address]++;
                }
            }

            List<HistogramEntry> convertedHistogram = new List<HistogramEntry>();
            foreach (uint key in histogram.Keys)
            {
                convertedHistogram.Add(new HistogramEntry(key, histogram[key]));
            }

            convertedHistogram.Sort();
            convertedHistogram.Reverse();

            histogramDataView.DataSource = convertedHistogram;
            histogramDataView.DefaultCellStyle.Format = "X08";
        }
Beispiel #5
0
        public InstructionProcessor(string filename, IList<Library> libraries, LibraryResultsProcessor processor)
        {
            this.libraries = libraries;
            instructions = new List<Instruction>();
            includedLibraries = new List<string>();
            threads = new List<int>();
            includedThreads = new List<int>();
            libraryOffsetDictionary = new Dictionary<string, int>();

            // initialise the color bank
            colorBank = new Color[16];
            colorBank[0] = Color.FromArgb(246, 150, 121);
            colorBank[1] = Color.FromArgb(249, 173, 129);
            colorBank[2] = Color.FromArgb(253, 198, 137);
            colorBank[3] = Color.FromArgb(255, 247, 153);
            colorBank[4] = Color.FromArgb(196, 223, 155);
            colorBank[5] = Color.FromArgb(163, 211, 156);
            colorBank[6] = Color.FromArgb(130, 202, 156);
            colorBank[7] = Color.FromArgb(122, 204, 200);
            colorBank[8] = Color.FromArgb(109, 207, 246);
            colorBank[9] = Color.FromArgb(125, 167, 217);
            colorBank[10] = Color.FromArgb(131, 147, 202);
            colorBank[11] = Color.FromArgb(135, 129, 189);
            colorBank[12] = Color.FromArgb(161, 134, 190);
            colorBank[13] = Color.FromArgb(189, 140, 191);
            colorBank[14] = Color.FromArgb(244, 154, 193);
            colorBank[15] = Color.FromArgb(245, 152, 157);

            Library strange = new Library();
            strange.Name = "INVALID";

            using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
            {
                using (StreamReader sr = new StreamReader(fs))
                {
                    while (!sr.EndOfStream)
                    {
                        string line = sr.ReadLine();
                        string[] entries = line.Split(new char[]{'|'});
                        Instruction instr = new Instruction();
                        foreach(string s in entries)
                        {
                            string[] keyvalue = s.Split(new char[] {':'});
                            if (keyvalue.Length < 2)
                                continue;
                            if (keyvalue.Length > 2)
                            {
                                // there is a colon besides the field delimeter
                                for (int i = 2; i < keyvalue.Length; i++)
                                {
                                    keyvalue[1] += ":" + keyvalue[i];
                                }
                            }

                            keyvalue[0] = keyvalue[0].Trim();
                            keyvalue[1] = keyvalue[1].Trim();

                            switch (keyvalue[0])
                            {
                                case "Thread ID":
                                    int id;
                                    if (Int32.TryParse(keyvalue[1], out id))
                                    {
                                        instr.Threadid = (uint)id;
                                        if (!Threads.Contains(id))
                                            Threads.Add(id);
                                        if (!IncludedThreads.Contains(id))
                                            IncludedThreads.Add(id);
                                    }
                                    else
                                        instr.Threadid = 0;
                                    break;
                                case "Instruction Address":
                                    int addr;
                                    if (int.TryParse(keyvalue[1], out addr))
                                    {
                                        instr.Address = instr.Address_traced = (uint)addr;
                                    }
                                    else
                                        instr.Address = instr.Address_traced = 0;
                                    break;
                                case "Library Name":
                                    if (libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList().Count == 0)
                                    {
                                        instr.Library = strange;
                                        //throw new InvalidDataException("Somehow executed a non-loaded library!");
                                        if(!libraries.Contains(strange))
                                            libraries.Add(strange);
                                    }
                                    List<Library> lib = libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList();
                                    if (lib.Count != 0)
                                    {
                                        instr.Library = lib.First();
                                    }
                                    else
                                    {
                                        Console.WriteLine("Found an instruction without a corresponding library!");
                                    }
                                    if (!IncludedLibraries.Contains(keyvalue[1]))
                                    {
                                        IncludedLibraries.Add(keyvalue[1]);
                                    }
                                    break;
                                case "Instruction Count":
                                    int count;
                                    if (Int32.TryParse(keyvalue[1], out count))
                                        instr.Instructionnumber = count;
                                    else
                                        instr.Instructionnumber = -1;
                                    break;
                                case "Time":
                                    int time;
                                    if (Int32.TryParse(keyvalue[1], out time))
                                        instr.Time = (uint)time;
                                    else
                                        instr.Instructionnumber = -1;
                                    break;
                                case "Depth":
                                    int depth;
                                    if (Int32.TryParse(keyvalue[1], out depth))
                                    {
                                        instr.Depth = (int)depth;
                                        instr.Color = ColorBank[instr.Depth % ColorBank.Length];
                                    }
                                    else
                                        instr.Depth = -1;
                                    break;
                                default:
                                    break;

                            }
                        }

                        if (MaxDepth < instr.Depth)
                            MaxDepth = instr.Depth;
                        if (MinDepth > instr.Depth)
                            MinDepth = instr.Depth;
                        instructions.Add(instr);
                    }
                }
            }

            foreach(Instruction instr in this.instructions)
            {
                if (instr.Library == strange)
                {
                    // This is an unresolved library, instruction address pairing. Let's patch it up.
                    instr.LibraryName = processor.GetLibraryName((int)instr.Address);
                    foreach(Library l in this.Libraries)
                    {
                        if (l.Name != null && l.Name.CompareTo(instr.LibraryName) == 0)
                        {
                            instr.Library = l;
                            break;
                        }
                    }
                    if (instr.LibraryName == null)
                    {
                        //Debug.WriteLine("Couldnt resolve address {0:X} to a library. Traced as {1:X}.", instr.Address, instr.Address_traced);
                        instr.Library = strange;
                        instr.LibraryName = "STRANGE MODE";
                    }
                }

                List<string> outValue = new List<string>();
                if (instr.Library.PeSupport != null && instr.Library.PeSupport.Exports.TryGetValue((int)instr.Address, out outValue))
                {
                    instr.SystemCallName = outValue[0];
                }
            }
        }