|
public disassembler ( byte bytesToDisassam, System disasmBox, |
||
| bytesToDisassam | byte | |
| disasmBox | System | The listbox to dump disasm to |
| methodIntPtr | The trueIntPtr of the Method that we want to attack so that our jmp,call,etc are at the correct offsets. | |
| return | void | |
private void displayPayload(object shellcode)
{
shellcode_RTB.Clear();
payload = shellcode as GrayStorm.dataBox;
if (shellcode is GrayStorm.dataBox)
{
if (disassemble_CB.Checked)
{
beaEngine.disassemble disasm = new beaEngine.disassemble();
unsafe
{
//Prevent garbage collector from relocating a movable variable for the duration of the disassembly and get the IntPtr of a byte array.
fixed(byte *pointer = payload.data)
{
IntPtr offset = (IntPtr)pointer;
disasm.disassembler(payload.data, this.shellcode_RTB, offset);
}
}
}
else
{
foreach (byte opcode in payload.data)
{
shellcode_RTB.AppendText(String.Format("0x{0:X2}\n", opcode));
}
}
}
}
public void dumpAsm_BT_Click(object sender, EventArgs e)
{
editor_RTB.Clear();
IntPtr trueIntPtr = IntPtr.Zero;
Delegate targetMethodDelegate = null;
if (domainTraverser.currentMethod == null || domainTraverser.currentMethod.Name.Contains("Dispose"))
return;
int containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
if (containedIndex == -1 || methodHelpers.StorageInformationArrayList[containedIndex].dumped != true)
{
byte[] memory;
if (containedIndex != -1)
{
memory = assemblyHelpers.DumpAFunction(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
if (memory == null)
{
editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
return;
}
else
{
methodHelpers.StorageInformationArrayList[containedIndex].memory = memory;
methodHelpers.StorageInformationArrayList[containedIndex].dumped = true;
}
}
else
{
methodInvoking invokeMethods = new methodInvoking();
System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(domainTraverser.currentMethod.MethodHandle); //JIT the method!
grayStorm._addrOfMethod_TB.Text = domainTraverser.currentMethod.MethodHandle.GetFunctionPointer().ToString("X");
targetMethodDelegate = invokeMethods.getMethodDelegate(domainTraverser.currentMethod); //Get the Delegate of the method.
trueIntPtr = invokeMethods.getIntPtrFromDelegate(targetMethodDelegate);
memory = assemblyHelpers.DumpAFunction(trueIntPtr);
if (memory == null)
{
editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
return;
}
else
{
currentMethod = new StorageInformation();
currentMethod.memory = memory;
currentMethod.methodSignature = domainTraverser.currentMethod;
currentMethod.dumped = true;
currentMethod.methodIntPtr = trueIntPtr;
currentMethod.oldMethod = currentMethod.memory;
currentMethod.methodDelegate = targetMethodDelegate;
methodHelpers.StorageInformationArrayList.Add(currentMethod);
containedIndex = methodHelpers.StorageInformationArrayList.Count - 1;
grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
}
}
}
if (disassemble_CB.Checked)
{
beaEngine.disassemble disasm = new beaEngine.disassemble();
disasm.disassembler(methodHelpers.StorageInformationArrayList[containedIndex].memory, this.editor_RTB, methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
}
else
{
foreach (byte b in methodHelpers.StorageInformationArrayList[containedIndex].memory)
{
editor_RTB.AppendText(String.Format("0x{0:X2}\n", b));
}
}
}
public void dumpAsm_BT_Click(object sender, EventArgs e)
{
editor_RTB.Clear();
IntPtr trueIntPtr = IntPtr.Zero;
Delegate targetMethodDelegate = null;
if (domainTraverser.currentMethod == null || domainTraverser.currentMethod.Name.Contains("Dispose"))
{
return;
}
int containedIndex = methodHelpers.containedInList(domainTraverser.currentMethod);
if (containedIndex == -1 || methodHelpers.StorageInformationArrayList[containedIndex].dumped != true)
{
byte[] memory;
if (containedIndex != -1)
{
memory = assemblyHelpers.DumpAFunction(methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
if (memory == null)
{
editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
return;
}
else
{
methodHelpers.StorageInformationArrayList[containedIndex].memory = memory;
methodHelpers.StorageInformationArrayList[containedIndex].dumped = true;
}
}
else
{
methodInvoking invokeMethods = new methodInvoking();
System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(domainTraverser.currentMethod.MethodHandle); //JIT the method!
grayStorm._addrOfMethod_TB.Text = domainTraverser.currentMethod.MethodHandle.GetFunctionPointer().ToString("X");
targetMethodDelegate = invokeMethods.getMethodDelegate(domainTraverser.currentMethod); //Get the Delegate of the method.
trueIntPtr = invokeMethods.getIntPtrFromDelegate(targetMethodDelegate);
memory = assemblyHelpers.DumpAFunction(trueIntPtr);
if (memory == null)
{
editor_RTB.AppendText(String.Format("COULD NOT READ MEMORY\n"));
return;
}
else
{
currentMethod = new StorageInformation();
currentMethod.memory = memory;
currentMethod.methodSignature = domainTraverser.currentMethod;
currentMethod.dumped = true;
currentMethod.methodIntPtr = trueIntPtr;
currentMethod.oldMethod = currentMethod.memory;
currentMethod.methodDelegate = targetMethodDelegate;
methodHelpers.StorageInformationArrayList.Add(currentMethod);
containedIndex = methodHelpers.StorageInformationArrayList.Count - 1;
grayStorm._addrOfMethod_TB.Text = methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr.ToString("X");
}
}
}
if (disassemble_CB.Checked)
{
beaEngine.disassemble disasm = new beaEngine.disassemble();
disasm.disassembler(methodHelpers.StorageInformationArrayList[containedIndex].memory, this.editor_RTB, methodHelpers.StorageInformationArrayList[containedIndex].methodIntPtr);
}
else
{
foreach (byte b in methodHelpers.StorageInformationArrayList[containedIndex].memory)
{
editor_RTB.AppendText(String.Format("0x{0:X2}\n", b));
}
}
}
private void displayPayload(object shellcode)
{
shellcode_RTB.Clear();
payload = shellcode as GrayStorm.dataBox;
if (shellcode is GrayStorm.dataBox)
{
if (disassemble_CB.Checked)
{
beaEngine.disassemble disasm = new beaEngine.disassemble();
unsafe
{
//Prevent garbage collector from relocating a movable variable for the duration of the disassembly and get the IntPtr of a byte array.
fixed (byte* pointer = payload.data)
{
IntPtr offset = (IntPtr)pointer;
disasm.disassembler(payload.data, this.shellcode_RTB, offset);
}
}
}
else
{
foreach (byte opcode in payload.data)
{
shellcode_RTB.AppendText(String.Format("0x{0:X2}\n", opcode));
}
}
}
}
