Ejemplo n.º 1
0
 public ARefStringArray AllSymbols; //filled at the end with all known symbols (allocs, labels, kallocs, aobscan results, defines that are addresses, etc...)
 #endregion
 #region Constructor
 public ADisableInfo()
 {
     Allocs                = new AAllocArray();
     RegisteredSymbols     = new AStringArray();
     Exceptions            = new UArrayManager <Exception>();
     CCodeSymbols          = new ASymbolHandler();
     DoNotFreeCCodeSymbols = false;
     AllSymbols            = new ARefStringArray();
 }
Ejemplo n.º 2
0
        public UIntPtr GetAddressFromPointer(String s, out Boolean error)
        {
            error = true;
            var offsets = new UArrayManager <Int32>();
            var list    = new AStringArray();

            if (!ParseAsPointer(s, list))
            {
                return(UIntPtr.Zero);
            }
            UIntPtr baseAddress;

            try
            {
                baseAddress = GetAddressFromName(list[0]);
            }
            catch
            {
                return(UIntPtr.Zero);
            }
            offsets.SetLength(list.Length - 1);
            for (var i = 1; i < list.Length; i++) //start from the first offset
            {
                var off = AStringUtils.Copy(list[i], 1, list[i].Length);
                try
                {
                    offsets[i - 1] = (int)AStringUtils.StrToQWordEx("0x" + off);
                }
                catch
                {
                    return(UIntPtr.Zero);
                }
                if (list[i][0] == '-')
                {
                    offsets[i - 1] = -offsets[i - 1];
                }
            }
            //still here so notation was correct and baseAddress+offsets are filled in
            //now read
            var realAddress2 = baseAddress;

            for (var i = 0; i < offsets.Length; i++)
            {
                var realAddress = Process.Memory.Read <UIntPtr>(realAddress2.ToIntPtr());
                if (realAddress != UIntPtr.Zero)
                {
                    realAddress2 = realAddress + offsets[i];
                }
                else
                {
                    return(UIntPtr.Zero);
                }
            }
            error = false;
            return(realAddress2);
        }
Ejemplo n.º 3
0
        public void Tokenize(String s, AStringArray tokens)
        {
            String t;
            var    last    = 0;
            var    inQuote = false;

            for (var i = 0; i < s.Length; i++)
            {
                if (!UArrayUtils.InArray(s[i], '"', '[', ']', '+', '-', '*'))
                {
                    continue;
                }
                if (s[i] == '"')
                {
                    if (!inQuote)
                    {
                        last = i + 1;
                    }

                    inQuote = !inQuote;
                }
                if (inQuote)
                {
                    continue;
                }
                t = AStringUtils.Copy(s, last, i - last).Trim();
                if (t != "")
                {
                    tokens.SetLength(tokens.Length + 1);
                    tokens.Last = t;
                }
                //store separator char as well, unless it's "
                if (s[i] != '"')
                {
                    tokens.SetLength(tokens.Length + 1);
                    tokens.Last = s[i].ToString();
                }
                last = i + 1;
            }
            //last part
            t = AStringUtils.Copy(s, last, s.Length).Trim();
            if (t == "")
            {
                return;
            }
            tokens.SetLength(tokens.Length + 1);
            tokens.Last = t;
        }
Ejemplo n.º 4
0
        public Boolean Rewrite(ref String token)
        {
            if (token.Length == 0)
            {
                return(false); //empty string
            }
            var tokens    = new AStringArray();
            var quoteChar = '\0';

            tokens.SetLength(0);
            String temp;

            /* 5.4: special pointer notation case */
            if (token.Length > 4 && token.StartsWith("[[") && token.EndsWith("]]"))
            {
                //looks like a pointer in a address specifier (idiot user detected...)
                temp = "[" + AStringUtils.IntToHex(SymbolHandler.GetAddressFromName(AStringUtils.Copy(token, 2, token.Length - 4), true, out var haserror), 8) + ']';
                if (!haserror)
                {
                    token = temp;
                }
                else
                {
                    throw new Exception("Invalid");
                }
            }
            /* 5.4 ^^^ */
            temp = "";
            var i       = 0;
            var inQuote = false;

            while (i < token.Length)
            {
                if (UArrayUtils.InArray(token[i], '\'', '"'))
                {
                    if (inQuote)
                    {
                        if (token[i] == quoteChar)
                        {
                            inQuote = false;
                        }
                    }
                    else
                    {
                        //start of a quote
                        quoteChar = token[i];
                        inQuote   = true;
                    }
                }
                if (!inQuote)
                {
                    if (UArrayUtils.InArray(token[i], '[', ']', '+', '-', ' ')) //6.8.4 (added ' ' for FAR, LONG, SHORT)
                    {
                        if (temp != "")
                        {
                            tokens.SetLength(tokens.Length + 1);
                            tokens.Last = temp;
                            temp        = "";
                        }
                        if (tokens.Length > 0 && UArrayUtils.InArray(token[i], '+', '-') && (tokens[tokens.Length - 1] == " ")) //relative offset ' +xxx'
                        {
                            temp += token[i];
                            i++;
                            continue;
                        }
                        tokens.SetLength(tokens.Length + 1);
                        tokens[tokens.Length - 1] = token[i].ToString();
                        i++;
                        continue;
                    }
                }
                temp += token[i];
                i++;
            }
            if (temp != "")
            {
                tokens.SetLength(tokens.Length + 1);
                tokens[tokens.Length - 1] = temp;
                temp = "";
            }
            for (i = 0; i < tokens.Length; i++)
            {
                if (tokens[i].Length >= 1 && !UArrayUtils.InArray(tokens[i][0], '[', ']', '+', '-', '*', ' '))  //3/16/2011: 11:15 (replaced or with and)
                {
                    AStringUtils.Val("0x" + tokens[i], out Int64 _, out var err);
                    if (err != 0 && GetReg(tokens[i], false) == -1)     //not a hexadecimal value and not a register
                    {
                        temp = AStringUtils.IntToHex(SymbolHandler.GetAddressFromName(tokens[i], true, out var hasError), 8);
                        if (!hasError)
                        {
                            tokens[i] = temp; //can be rewritten as a hexadecimal
                        }
                        else
                        {
                            if (tokens.Length > 0 && UArrayUtils.InArray(token[i], '+', '-') && tokens[tokens.Length - 1] == " ")  //relative offset ' +xxx'
                            {
                                temp += token[i];
                                i++;
                                continue;
                            }
                            var j = AStringUtils.Pos("*", tokens[i]);
                            if (j != -1)  //getreg failed, but could be it's the 'other' one
                            {
                                if (tokens[i].Length > j && (UArrayUtils.InArray(AStringUtils.Copy(tokens[i], j + 1, 1)[0], '2', '4', '8')))
                                {
                                    continue; //reg*2 / *3, /*4
                                }
                            }
                            if (i < tokens.Length - 1)
                            {
                                //perhaps it can be concatenated with the next one
                                if (tokens[i + 1].Length > 0 && !UArrayUtils.InArray(tokens[i + 1][0], '\'', '"', '[', ']', '(', ')', ' '))  //not an invalid token char
                                {
                                    tokens[i + 1] = tokens[i] + tokens[i + 1];
                                    tokens[i]     = "";
                                }
                            }
                        }
                    }
                }
            }
            //do some calculations
            //check multiply first
            for (i = 1; i <= tokens.Length - 2; i++)
            {
                if (tokens[i] == "*")
                {
                    AStringUtils.Val("0x" + tokens[i - 1], out Int64 a, out var err);
                    AStringUtils.Val("0x" + tokens[i + 1], out Int64 b, out var err2);
                    if (err == 0 && err2 == 0)
                    {
                        a            *= b;
                        tokens[i - 1] = AStringUtils.IntToHex(a, 8);
                        tokens[i]     = "";
                        tokens[i + 1] = "";
                        i            -= 2;
                    }
                }
            }
            for (i = 1; i <= tokens.Length - 2; i++)
            {
                //get the value of the token before and after this token
                AStringUtils.Val("0x" + tokens[i - 1], out Int64 a, out var err);
                AStringUtils.Val("0x" + tokens[i + 1], out Int64 b, out var err2);
                //if no error, check if this token is a mathemetical value
                if (err == 0 && err2 == 0)
                {
                    switch (tokens[i][0])
                    {
                    case '+':
                    {
                        a            += b;
                        tokens[i - 1] = AStringUtils.IntToHex(a, 8);
                        tokens.Remove(i, 2);
                        i -= 2;
                    }
                    break;

                    case '-':
                    {
                        a            -= b;
                        tokens[i - 1] = AStringUtils.IntToHex(a, 8);
                        tokens.Remove(i, 2);
                        i -= 2;
                    }
                    break;
                    }
                }
                else
                {
                    if ((err2 == 0) && (tokens[i] != "") && (tokens[i][0] == '-') && (tokens[i - 1] != "#"))  //before is not a valid value, but after it is. and this is a -  (so -value) (don't mess with #-10000)
                    {
                        tokens[i]     = "+";
                        tokens[i + 1] = AStringUtils.IntToHex(-b, 8);
                    }
                }
            }
            token = "";
            //remove useless tokens
            for (i = 0; i < tokens.Length; i++)
            {
                token += tokens[i];
            }
            tokens.SetLength(0);
            return(true);
        }
Ejemplo n.º 5
0
        public Boolean Tokenize(String opCode, AStringArray tokens)
        {
            var quoteChar = '\0';

            tokens.SetLength(0);
            if (opCode.Length > 0)
            {
                opCode = opCode.TrimEnd(' ', ',');
            }
            var last = 0;
            var quoted = false;
            int i, j;

            for (i = 0; i <= opCode.Length; i++)
            {
                //check if this is a quote char
                if (i < opCode.Length && (opCode[i] == '\'' || opCode[i] == '"'))
                {
                    if (quoted)  //check if it's the end quote
                    {
                        if (opCode[i] == quoteChar)
                        {
                            quoted = false;
                        }
                    }
                    else
                    {
                        quoted    = true;
                        quoteChar = opCode[i];
                    }
                }
                //check if we encounter a token seperator. (space or , )
                //but only check when it's not inside a quoted string
                if ((i == opCode.Length) || ((!quoted) && ((opCode[i] == ' ') || (opCode[i] == ','))))
                {
                    tokens.SetLength(tokens.Length + 1);
                    if (i == opCode.Length)
                    {
                        j = i - last + 1;
                    }
                    else
                    {
                        j = i - last;
                    }
                    tokens.Last = AStringUtils.Copy(opCode, last, j);
                    if (j > 0 && (tokens.Last[0] != '$') && (j < 7 || (AStringUtils.Pos("KERNEL_", tokens.Last, true) == -1)))  //only uppercase if it's not kernel_
                    {
                        //don't uppercase empty strings, kernel_ strings or strings starting with $
                        if (tokens.Last.Length > 2)
                        {
                            if (!UArrayUtils.InArray(tokens.Last[0], '\'', '"'))  //if not a quoted string then make it uppercase
                            {
                                tokens.Last = tokens.Last.ToUpper();
                            }
                        }
                        else
                        {
                            tokens.Last = tokens.Last.ToUpper();
                        }
                    }
                    //6.1: Optimized this lookup. Instead of a 18 compares a full string lookup on each token it now only compares up to 4 times
                    var t         = tokens.Last;
                    var isPartial = false;
                    if (t.Length >= 3)  //3 characters are good enough to get the general idea, then do a string compare to verify
                    {
                        switch (t[0])
                        {
                        case 'B':                           //BYTE, BYTE PTR
                        {
                            if (t[1] == 'Y' && t[2] == 'T') //could be BYTE
                            {
                                isPartial = t == "BYTE" || t == "BYTE PTR";
                            }
                        }
                        break;

                        case 'D':     //DQWORD, DWORD, DQWORD PTR, DWORD PTR
                        {
                            switch (t[1])
                            {
                            case 'Q':             //DQWORD or DQWORD PTR
                            {
                                if (t[2] == 'W')
                                {
                                    isPartial = t == "DQWORD" || t == "DQWORD PTR";
                                }
                            }
                            break;

                            case 'W':             //DWORD or DWORD PTR
                            {
                                if (t[2] == 'O')
                                {
                                    isPartial = t == "DWORD" || t == "DWORD PTR";
                                }
                            }
                            break;
                            }
                        }
                        break;

                        case 'F':     //FAR
                        {
                            if (t[1] == 'A' && t[2] == 'R')
                            {
                                isPartial = t == "FAR";
                            }
                        }
                        break;

                        case 'L':     //LONG
                        {
                            if (t[1] == 'O' && t[2] == 'N')
                            {
                                isPartial = t == "LONG";
                            }
                        }
                        break;

                        case 'Q':                           //QWORD, QWORD PTR
                        {
                            if (t[1] == 'W' && t[2] == 'O') //could be QWORD
                            {
                                isPartial = t == "QWORD" || t == "QWORD PTR";
                            }
                        }
                        break;

                        case 'S':     //SHORT
                        {
                            if (t[1] == 'H' && t[2] == 'O')
                            {
                                isPartial = (t == "SHORT");
                            }
                        }
                        break;

                        case 'T':     //TBYTE, TWORD, TBYTE PTR, TWORD PTR,
                        {
                            switch (t[1])
                            {
                            case 'B':             //TBYTE or TBYTE PTR
                            {
                                if (t[2] == 'Y')
                                {
                                    isPartial = (t == "TBYTE") || (t == "TBYTE PTR");
                                }
                            }
                            break;

                            case 'W':             //TWORD or TWORD PTR
                            {
                                if (t[2] == 'O')
                                {
                                    isPartial = (t == "TWORD") || (t == "TWORD PTR");
                                }
                            }
                            break;
                            }
                        }
                        break;

                        case 'W':                           //WORD, WORD PTR
                        {
                            if (t[1] == 'O' && t[3] == 'R') //could be WORD
                            {
                                isPartial = t == "WORD" || t == "WORD PTR";
                            }
                        }
                        break;
                        }
                    }
                    if (isPartial)
                    {
                        tokens.SetLength(tokens.Length - 1);
                    }
                    else
                    {
                        last = i + 1;
                        if (tokens.Length > 1)
                        {
                            var lastElem = tokens.Last;
                            Rewrite(ref lastElem); //Rewrite
                            tokens.Last = lastElem;
                        }
                    }
                }
            }
            //remove useless tokens
            i = 0;
            while (i < tokens.Length)
            {
                if (tokens[i] == "" || tokens[i] == " " || tokens[i] == ",")
                {
                    for (j = i; j < tokens.Length - 1; j++)
                    {
                        tokens[j] = tokens[j + 1];
                    }
                    tokens.SetLength(tokens.Length - 1);
                    continue;
                }
                i++;
            }
            return(true);
        }
        public void RemoveString(string item)
        {
            // ...shortened for example.

            AStringArray = AStringArray.Except(new[] { item }).ToArray();
        }
        public void AddString(string item)
        {
            // ...shortened for example.

            AStringArray = AStringArray.Append(item).ToArray();
        }
Ejemplo n.º 8
0
        public UIntPtr GetAddressFromName(String name, Boolean waitForSymbols, out Boolean hasError)
        {
            var       result           = UIntPtr.Zero;
            const int calcAddition     = 0;
            const int calcSubstraction = 1;
            int       offset;
            int       i, j;
            Boolean   error;
            var       tokens = new AStringArray();
            string    mathstring;
            var       hasMultiplication = false;
            var       nextoperation     = 0;
            int       regnr;

            name = name.Trim();
            var hasPointer = false;

            hasError = false;
            offset   = 0;
            AStringUtils.Val("0x" + name, out result, out i);
            if (i == 0)
            {
                return(result); //it's a valid hexadecimal string
            }
            if (AStringUtils.Copy(name, 1, 2).ToLower() == "0x")
            {
                AStringUtils.Val(name, out result, out i);
                if (i == 0)
                {
                    return(result);
                }
            }
            //not a hexadecimal string
            Tokenize(name, tokens);
            //first check the most basic thing
            if (tokens.Length == 0)
            {
                hasError = true;
                return(result);
            }
            /*--if it starts with a * or ends with *, - or +, then it's a bad formula--*/
            if (tokens[0][0] == '*' || UArrayUtils.InArray(tokens[tokens.Length - 1][0], '*', '+', '-'))
            {
                hasError = true;
                return(result);
            }
            /*----convert the tokens into hexadecimal values--------*/
            lock (SymbolLock)
            {
                //try {tokens format ex.:=array('islandtribe.exe','+','AB754')}
                for (i = 0; i < tokens.Length; i++)
                {
                    if (!UArrayUtils.InArray(tokens[i][0], '[', ']', '+', '-', '*'))
                    {
                        AStringUtils.Val("0x" + tokens[i], out result, out j);
                        if (j <= 0)
                        {
                            continue; // hexadecimal value
                        }
                        //not a hexadecimal value
                        var mi = Process.ModuleFactory.FetchModule(tokens[i]);
                        if (mi != null)
                        {
                            tokens[i] = AStringUtils.IntToHex(mi.BaseAddress.ToUIntPtr(), 8);
                            continue;
                        }
                        var mib = _moduleList.FindBaseAddress(tokens[i]);
                        if (mib != IntPtr.Zero)
                        {
                            tokens[i] = AStringUtils.IntToHex(mib.ToUIntPtr(), 8);
                            continue;
                        }
                        regnr = -1;// getreg(tokens[i].ToUpper(), false); // todo fill this in?
                        if (regnr != -1)
                        {
                            #region NO CONTEXT
                            // //if (context<>nil) and (context^.{$ifdef cpu64}Rip{$else}Eip{$endif}<>0) then
                            // if (context != nil)
                            // {
                            //     //get the register value, and because this is an address specifier, use the full 32-bits
                            //     switch (regnr)
                            //     {
                            //         // 0: tokens[i]:=inttohex(context^.{$ifdef cpu64}rax{$else}eax{$endif},8);
                            //         // 1: tokens[i]:=inttohex(context^.{$ifdef cpu64}rcx{$else}ecx{$endif},8);
                            //         // 2: tokens[i]:=inttohex(context^.{$ifdef cpu64}rdx{$else}edx{$endif},8);
                            //         // 3: tokens[i]:=inttohex(context^.{$ifdef cpu64}rbx{$else}ebx{$endif},8);
                            //         // 4: tokens[i]:=inttohex(context^.{$ifdef cpu64}rsp{$else}esp{$endif},8);
                            //         // 5: tokens[i]:=inttohex(context^.{$ifdef cpu64}rbp{$else}ebp{$endif},8);
                            //         // 6: tokens[i]:=inttohex(context^.{$ifdef cpu64}rsi{$else}esi{$endif},8);
                            //         // 7: tokens[i]:=inttohex(context^.{$ifdef cpu64}rdi{$else}edi{$endif},8);
                            //         case 0: tokens[i] = inttohex(context->eax, 8); break;
                            //         case 1: tokens[i] = inttohex(context->ecx, 8); break;
                            //         case 2: tokens[i] = inttohex(context->edx, 8); break;
                            //         case 3: tokens[i] = inttohex(context->ebx, 8); break;
                            //         case 4: tokens[i] = inttohex(context->esp, 8); break;
                            //         case 5: tokens[i] = inttohex(context->ebp, 8); break;
                            //         case 6: tokens[i] = inttohex(context->esi, 8); break;
                            //         case 7: tokens[i] = inttohex(context->edi, 8); break;
                            //         //{$ifdef cpu64}
                            //         case 8: tokens[i] = inttohex(context->r8, 8); break;
                            //         case 9: tokens[i] = inttohex(context->r9, 8); break;
                            //         case 10: tokens[i] = inttohex(context->r10, 8); break;
                            //         case 11: tokens[i] = inttohex(context->r11, 8); break;
                            //         case 12: tokens[i] = inttohex(context->r12, 8); break;
                            //         case 13: tokens[i] = inttohex(context->r13, 8); break;
                            //         case 14: tokens[i] = inttohex(context->r14, 8); break;
                            //         case 15: tokens[i] = inttohex(context->r15, 8); break;
                            //             //{$endif}
                            //     }
                            //
                            //     continue_; //handled
                            // }
                            // //not handled, but since it's a register, quit now
                            #endregion
                        }
                        else
                        {
                            /*-----------------user defined symbol-------------------*/
                            result = GetUserDefinedSymbolByName(tokens[i]);
                            if (result != UIntPtr.Zero)
                            {
                                tokens[i] = AStringUtils.IntToHex(result, 8);
                                continue;
                            }
                            /*----------------Process Module Symbol----------------*/
                            if (waitForSymbols)
                            {
                                WaitForSymbolsLoaded();
                            }
                            result = GetAddressFromSymbol(tokens[i]);
                            if (result != UIntPtr.Zero)
                            {
                                tokens[i] = AStringUtils.IntToHex(result, 8);
                                continue;
                            }
                        }
                        //not a register or symbol
                        //One last attempt to fix it, check if it is the last symbol, if not add it. (perhaps the symbol got split into tokens)
                        if (i < tokens.Length - 1)
                        {
                            tokens[i + 1] = tokens[i] + tokens[i + 1]; //(if not, it will error out eventually anyhow)
                            tokens[i]     = "";                        //empty
                        }
                        else
                        {
                            hasError = true;
                            return(result);
                        }
                    }
                    else
                    { //it's not a real token
                        switch (tokens[i][0])
                        {
                        case '*':
                            hasMultiplication = true;
                            break;

                        case '[':
                        case ']':
                            hasPointer = true;
                            break;
                        }
                    }
                }
            }
            mathstring = "";
            for (i = 0; i < tokens.Length; i++)
            {
                mathstring += tokens[i];
            }
            if (hasPointer)
            {
                result = GetAddressFromPointer(mathstring, out error);
                if (!error)
                {
                    result += offset;
                    return(result);
                }
                //it has a pointer notation but the pointer didn't get handled... ERROR!
                hasError = true;
                return(result);
            }
            //handle the math string
            if (hasMultiplication)
            {
                //first do the multiplications
                for (i = 0; i < tokens.Length; i++)
                {
                    if (tokens[i] == "*")
                    {
                        //multiply the left and right
                        tokens[i - 1] = AStringUtils.IntToHex(AStringUtils.StrToQWordEx("0x" + tokens[i - 1]) * AStringUtils.StrToQWord("0x" + tokens[i + 1]), 8);
                        tokens[i]     = "";
                        tokens[i + 1] = "";
                    }
                }
            }
            result = UIntPtr.Zero;
            //handle addition and subtraction
            nextoperation = calcAddition;
            for (i = 0; i < tokens.Length; i++)
            {
                if (tokens[i].Length > 0)
                {
                    switch (tokens[i][0])
                    {
                    case '+':
                        nextoperation = calcAddition;
                        break;

                    case '-':
                    {
                        if (nextoperation == calcSubstraction)
                        {
                            nextoperation = calcAddition;
                        }
                        else         //--=+
                        {
                            nextoperation = calcSubstraction;
                        }
                    }
                    break;

                    default: //else of case;
                    {        //do the calculation
                        switch (nextoperation)
                        {
                        case calcAddition:
                            result = (UIntPtr)(result.ToUInt64() + AStringUtils.StrToQWordEx("0x" + tokens[i]));
                            break;

                        case calcSubstraction:
                            result = (UIntPtr)(result.ToUInt64() + AStringUtils.StrToQWordEx("0x" + tokens[i]));
                            break;
                        }
                    }
                    break;
                    }
                } //end of if length(tokens[i])...
            }
            return(result);
        }
Ejemplo n.º 9
0
        public Boolean ParseAsPointer(String s, AStringArray list)
        {
            //parse the string
            var currentLevel = 0;
            var prolog       = true;
            var temps        = "";
            var isPointer    = false;

            for (var i = 0; i < s.Length; i++)
            {
                if (s[i] == '[')
                {
                    if (prolog)
                    {
                        currentLevel += 1;
                        isPointer     = true;
                    }
                    else
                    {
                        return(false); //bracket open after the prolog is not allowed
                    }
                }
                else
                {
                    if (prolog)
                    {
                        if (!UArrayUtils.InArray(s[i], '\t', ' '))   //no space or tab
                        {
                            prolog = false;
                        }
                    }
                    if (!prolog)
                    {
                        //definition, currentLevel is set, now parse till last ] (currentLevel=0)
                        if (s[i] == ']')  //end of a level
                        {
                            currentLevel -= 1;
                            if (temps == "")
                            {
                                temps = "+0";
                            }
                            list.Add(temps);

                            temps = "";
                            if (currentLevel < 0)
                            {
                                return(false);
                            }
                            continue;
                        }
                        temps += s[i];
                    }
                }
            }
            if (temps == "")
            {
                temps = "+0";
            }
            if ((isPointer) && (temps != ""))
            {
                list.Add(temps);
            }
            if (currentLevel > 0)
            {
                return(false);
            }
            return(isPointer);
        }