Ejemplo n.º 1
0
        public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module)
        {
            var results = new List <HookAnalysisResult>();

            foreach (var importThunk in module.Image.Imports)
            {
                foreach (var symbol in importThunk.Symbols.Where(s => s.IsImportByName))
                {
                    if (!analyzer.EMapper.TryGetEntry(importThunk.Name, symbol.Name, out var expected))
                    {
                        continue;
                    }
                    var expectedAbs = (ulong)expected.Module.BaseAddress.ToInt64() + expected.Symbol.Address.Rva;
                    if (symbol.Address != expectedAbs)
                    {
                        results.Add(new HookAnalysisResult($"{importThunk.Name}!{symbol.Name}", "IAT")
                        {
                            ModuleName     = module.ModuleName,
                            OriginalData   = expectedAbs.ToString("X8"),
                            PatchedData    = symbol.Address.ToString("X8"),
                            AdditionalInfo = ""
                        });
                    }
                }
            }

            return(results);
        }
Ejemplo n.º 2
0
 static void Main()
 {
     ProcessAnalyzer.SetupAnalyses();
     Application.EnableVisualStyles();
     Application.SetCompatibleTextRenderingDefault(false);
     Application.Run(new MainWindow());
 }
Ejemplo n.º 3
0
        public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module)
        {
            var results = new List <HookAnalysisResult>();

            if (module.Image.Exports == null || module.ImageOnDisk.Exports == null)
            {
                return(results);
            }

            for (int i = 0; i < module.Image.Exports.Entries.Count; i++)
            {
                var export = module.Image.Exports.Entries[i];
                if (module.ImageOnDisk.Exports.Entries.Count <= i)
                {
                    break;
                }

                var exportOnDisk = module.ImageOnDisk.Exports.Entries[i];
                if (exportOnDisk.Address.Rva != export.Address.Rva)
                {
                    results.Add(new HookAnalysisResult($"{export.Name}", "EAT")
                    {
                        ModuleName     = module.ModuleName,
                        OriginalData   = $"[RVA] - {exportOnDisk.Address.Rva:X8}",
                        PatchedData    = $"[RVA] - {export.Address.Rva:X8}",
                        AdditionalInfo = ""
                    });
                }
            }

            return(results);
        }
Ejemplo n.º 4
0
        private void analyzeButton_Click(object sender, EventArgs e)
        {
            analysisGrid.Rows.Clear();
            var targetProcess  = Processes[processList.SelectedIndex];
            var analysisEngine = new ProcessAnalyzer(targetProcess);

            foreach (var entry in analysisEngine.AnalyzeFull())
            {
                analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo);
            }
        }
Ejemplo n.º 5
0
        static void Main(string[] args)
        {
            ProcessReader pr = new ProcessReader();

            pr.LoadProcessesFromFile("../../../input.txt");

            ProcessAnalyzer pa = new ProcessAnalyzer(pr.ResultProcesses, pr.ResultTests);

            pa.AnalyzeProcesses();
            pa.DisplayProcessesWithThreeOrMore();
            pa.SetNamesToOPCodes();
            pa.RunTestingProgram();
        }
Ejemplo n.º 6
0
        private void analyzeButton_Click(object sender, EventArgs e)
        {
            maintabcontrol.SelectedIndex = 0; //exit disass window
            analyzelabel.Visible         = true;
            backbutton.Visible           = false;



            analysisGrid.Rows.Clear();
            var targetProcess  = Processes[IndexMap[processList.SelectedIndex]];
            var analysisEngine = new ProcessAnalyzer(targetProcess);

            var ana = analysisEngine.AnalyzeFull();

            _cachedAnalyses[targetProcess.Id] = ana;
            foreach (var entry in ana)
            {
                analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo);
            }
        }
Ejemplo n.º 7
0
        public override bool ScanForKnownGameEmulator()
        {
            if (GameProcess != null)
            {
                GameProcess.CloseProcess();
            }
            GameProcess = new ProcessManipulation();

            List <Tuple <string, string> > namesAndTitle = new List <Tuple <string, string> >();

            var cs = BFFManager.CurrentControlSet;

            namesAndTitle.Add(new Tuple <string, string>(cs.ProcessDescriptor.ProcessName, cs.ProcessDescriptor.MainWindowTitle));

            // Scan processes and main windows title
            var found = ProcessAnalyzer.ScanProcessesForKnownNamesAndTitle(namesAndTitle, true, false);

            // Store detected profile
            if (found.Count == 0)
            {
                return(false);
            }
            // Pick first
            var    proc     = found[0].Item1;
            string gamename = proc.MainWindowTitle;

            Log("Found " + proc.ProcessName + " main window " + gamename + " matched with current control set " + cs.UniqueName, LogLevels.IMPORTANT);

            // Known game?
            if (!DetectGameFromMainWindowTitle(gamename))
            {
                Log("Failed to match a known Raw output windows name for " + gamename, LogLevels.IMPORTANT);
                return(false);
            }

            GameProcess.OpenProcess(ProcessManipulation.ProcessAccess.PROCESS_WM_READ, proc);

            FillAddressFromGame();

            return(true);
        }
Ejemplo n.º 8
0
        private void analyzeButton_Click(object sender, EventArgs e)
        {
            BackToMainview();
            analysisGrid.Rows.Clear();
            var targetProcess  = Processes[IndexMap[processList.SelectedIndex]];
            var analysisEngine = new ProcessAnalyzer(targetProcess);

            var ana = analysisEngine.AnalyzeFull();

            _cachedAnalyses[targetProcess.Id] = ana;

            if (ana.Count == 0)
            {
                analysisGrid.Rows.Add("", "", "", "", "", "No Hooks Found");
            }


            foreach (var entry in ana)
            {
                analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo);
            }
        }
Ejemplo n.º 9
0
 private void btnOpenvJoyConfig_Click(object sender, EventArgs e)
 {
     ProcessAnalyzer.StartProcess(@"C:\Program Files\vJoy\x64\vJoyConf.exe");
 }
Ejemplo n.º 10
0
 private void btnOpenJoyCPL_Click(object sender, EventArgs e)
 {
     ProcessAnalyzer.StartProcess(@"joy.cpl");
 }
Ejemplo n.º 11
0
        public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module)
        {
            var results = new List <HookAnalysisResult>();

            foreach (var section in module.ImageFile.Sections)
            {
                if (section.IsMemoryWrite || !section.IsMemoryExecute)
                {
                    continue;
                }

                var onDiskSection = module.ImageFileOnDisk.GetSectionContainingRva(section.Rva);
                if (onDiskSection.GetPhysicalSize() == 0)
                {
                    continue;
                }

                var inMemoryData = (DataSegment)((VirtualSegment)section.Contents).PhysicalContents;
                var onDiskData   = (DataSegment)((VirtualSegment)onDiskSection.Contents).PhysicalContents;

                //this is a ghetto reloc fix but whatever
                var toSkip = new Dictionary <uint, uint>();
                foreach (var reloc in module.Image.Relocations)
                {
                    toSkip[reloc.Location.Rva] = (reloc.Type == AsmResolver.PE.Relocations.RelocationType.Dir64 ? 8U : 4U);
                }

                //this is an even more ghetto fix for IAT entries in readonly places
                foreach (var import in module.Image.Imports)
                {
                    var dataReader = module.ImageFile.CreateReaderAtRva(import.AddressRva);

                    uint c = 0;
                    while (dataReader.ReadNativeInt(module.Image.PEKind == OptionalHeaderMagic.Pe32) != 0)
                    {
                        var offs = module.Image.PEKind == OptionalHeaderMagic.Pe32 ? 4U : 8U;
                        toSkip[import.AddressRva + c] = offs;
                        c += offs;
                    }
                }

                //isolate rvas we want
                toSkip = toSkip.Where(v => section.ContainsRva(v.Key)).ToDictionary(kvp => kvp.Key - section.Rva, kvp => kvp.Value);

                //these datatypes make me want to kill myself lol
                var diffList = new List <Tuple <uint, List <Tuple <byte, byte> > > >();
                Tuple <uint, List <Tuple <byte, byte> > > currDiff = null;

                int tolerance = 0;
                for (uint i = 0; i < section.GetPhysicalSize();)
                {
                    //skip delta
                    if (toSkip.TryGetValue(i, out var j))
                    {
                        // handle overlapping cases
                        while (j != 0)
                        {
                            i++;
                            j--;

                            if (toSkip.TryGetValue(i, out var k))
                            {
                                j = Math.Max(j, k);
                            }
                        }
                        continue;
                    }

                    if (onDiskData.Data[i] != inMemoryData.Data[i])
                    {
                        tolerance = 4;
                        if (currDiff == null || currDiff.Item2.Count == 0)
                        {
                            currDiff = Tuple.Create(i, new List <Tuple <byte, byte> >());
                        }
                        currDiff.Item2.Add(Tuple.Create(onDiskData.Data[i], inMemoryData.Data[i]));
                    }
                    else if (--tolerance < 0)
                    {
                        if (currDiff != null && currDiff.Item2.Count != 0)
                        {
                            diffList.Add(currDiff);
                            currDiff = null;
                        }
                    }
                    else
                    {
                        currDiff.Item2.Add(Tuple.Create(onDiskData.Data[i], inMemoryData.Data[i]));
                    }

                    if (tolerance < 0)
                    {
                        tolerance = 0;
                    }

                    i++;
                }

                if (currDiff != null && currDiff.Item2.Count != 0)
                {
                    diffList.Add(currDiff);
                }

                foreach (var diffEntry in diffList)
                {
                    var originalSb = new StringBuilder();
                    var modifiedSb = new StringBuilder();

                    for (int i = 0; i < diffEntry.Item2.Count; i++)
                    {
                        var b = diffEntry.Item2[i];

                        if (i != 0)
                        {
                            originalSb.Append(' ');
                            modifiedSb.Append(' ');
                        }

                        originalSb.Append(b.Item1.ToString("X2"));
                        modifiedSb.Append(b.Item2.ToString("X2"));
                    }

                    var addr = module.BaseAddress.ToInt64() + section.Rva + diffEntry.Item1;

                    //todo: improve this trash ass logic
                    var closestExport = analyzer.EMapper.Exports
                                        .Where(kvp => kvp.Key.ToInt64() <= addr)
                                        .OrderByDescending(kvp => kvp.Key.ToInt64())
                                        .FirstOrDefault();

                    if (closestExport.Key == IntPtr.Zero)
                    {
                        results.Add(new HookAnalysisResult($"{(addr):X8} ({section.Name}!0x{diffEntry.Item1:X})", "Inline")
                        {
                            ModuleName     = module.ModuleName,
                            OriginalData   = originalSb.ToString(),
                            PatchedData    = modifiedSb.ToString(),
                            AdditionalInfo = ""
                        });
                    }
                    else
                    {
                        var val = closestExport.Value;
                        var k   = addr - closestExport.Key.ToInt64();
                        results.Add(new HookAnalysisResult($"{(addr):X8} ({val.Module.ModuleName}!{val.Symbol.Name}+0x{k:X})", "Inline")
                        {
                            ModuleName     = module.ModuleName,
                            OriginalData   = originalSb.ToString(),
                            PatchedData    = modifiedSb.ToString(),
                            AdditionalInfo = ""
                        });
                    }
                }
            }

            return(results);
        }