Ejemplo n.º 1
0
        public static Vtero Scanit(ConfigOptions co)
        {
            bool SkipVMCS = (co.VersionsToEnable & PTType.VMCS) != PTType.VMCS;
            var Filename = co.FileName;

            co.VersionsToEnable = co.VersionsToEnable & ~PTType.VMCS;

            // allocate now so that we can un-serialize or keep an instance
            Vtero vtero = new Vtero();

            // this instance is temporally used for loading state
            // i.e. don't set properties or fields here

            var saveStateFile = $"{Filename}.inVtero.net";

            if (File.Exists(saveStateFile))
            {
                if (!co.IgnoreSaveData)
                {
                    vtero = vtero.CheckpointRestoreState(saveStateFile);
                    if(vtero == null)
                    {
                        WriteColor(ConsoleColor.Red, "ERROR IN SERIALIZER");
                        return null;
                    }

                    vtero.OverRidePhase = true;
                }
                else
                    File.Delete(saveStateFile);
            }

            if (vtero.Phase < 2)
                vtero = new Vtero(Filename);

            if (!vtero.OverRidePhase)
            {
                Mem.InitMem(co.FileName, vtero.MRD);
                ProgressBarz.BaseMessage = new ConsoleString("First pass, looking for processes");
                ForegroundColor = ConsoleColor.Cyan;
#if TESTING
            Timer = Stopwatch.StartNew();

                if ((Version & PTType.VALUE) == PTType.VALUE)
                {
                    var off = vtero.ScanValue(Is64Scan, valuL, 0);
                    
                    WriteLine(FormatRate(vtero.FileSize, Timer.Elapsed));
                    using (var dstream = File.OpenRead(vtero.MemFile))
                    {
                        using (var dbin = new BinaryReader(dstream))
                        {
                            foreach (var xoff in off)
                            {
                                WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}");
                                if (xoff > vtero.FileSize)
                                {
                                    WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}");
                                    continue;
                                }

                                dstream.Position = xoff + 28;
                                var MemRunDescriptor = new MemoryDescriptor();
                                MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
                                MemRunDescriptor.NumberOfPages = dbin.ReadInt64();

                                Console.WriteLine($"Runs: {MemRunDescriptor.NumberOfRuns}, Pages: {MemRunDescriptor.NumberOfPages} ");

                                if (MemRunDescriptor.NumberOfRuns < 0 || MemRunDescriptor.NumberOfRuns > 32)
                                {
                                    continue;
                                }
                                for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++)
                                {
                                    var basePage = dbin.ReadInt64();
                                    var pageCount = dbin.ReadInt64();

                                    MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = basePage, PageCount = pageCount });
                                }
                                WriteLine($"MemoryDescriptor {MemRunDescriptor}");
                            }
                        }
                    }
                    WriteLine("Finished VALUE scan.");
                    return;
                }
                if ((Version & PTType.VALUE) == PTType.VALUE)
                    return;
#endif
            }
            // basic perf checking
            QuickOptions.Timer = Stopwatch.StartNew();
                
            var procCount = vtero.ProcDetectScan(co.VersionsToEnable);

            if (!vtero.OverRidePhase)
            {
                WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{procCount} candidate process page tables. Time so far: {QuickOptions.Timer.Elapsed}, second pass starting. {QuickOptions.FormatRate(vtero.FileSize, QuickOptions.Timer.Elapsed)}");
                if (procCount < 3)
                {
                    WriteColor(ConsoleColor.Red, "Seems like a fail. Try generic scanning or implement a state scan like LinuxS");
                    return null;
                }
            }
            // second pass
            // with the page tables we acquired, locate candidate VMCS pages in the format
            // [31-bit revision id][abort indicator]
            // the page must also have at least 1 64bit value which is all set (-1)
            // Root-HOST CR3 will have uniform diff
            // unless an extent based dump image is input, some .DMP variations
            // TODO: Add support for extent based inputs
            // Guest VMCS will contain host CR3 & guest CR3 (hCR3 & gCR3)
            // sometimes CR3 will be found in multiple page tables, e.g. system process or SMP 
            // if I have more than 1 CR3 from different file_offset, just trim them out for now
            // future may have a reason to isolate based on original locationAG

            if (SkipVMCS)
            {
                if (!vtero.OverRidePhase)
                    vtero.GroupAS();

                if (co.VerboseLevel > 1)
                    WriteColor(ConsoleColor.Yellow, "Skipping VMCS scan (as requested).");
            }
            else
            {
                ProgressBarz.BaseMessage = new ConsoleString("Second pass, correlating for VMCS pages");

                var VMCSCount = vtero.VMCSScan();
                //Timer.Stop();

                if (!vtero.OverRidePhase)
                {
                    WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{VMCSCount} candidate VMCS pages. Time to process: {QuickOptions.Timer.Elapsed}, Data scanned: {vtero.FileSize:N}");

                    // second time 
                    WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"Second pass done. {QuickOptions.FormatRate(vtero.FileSize * 2, QuickOptions.Timer.Elapsed)}");

                    // each of these depends on a VMCS scan/pass having been done at the moment
                    WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, "grouping and joining all memory");
                }
                // After this point were fairly functional
                vtero.GroupAS();
            }
            // sync-save state so restarting is faster
            if (!File.Exists(saveStateFile))
            {
                Write($"Saving checkpoint... ");
                saveStateFile = vtero.CheckpointSaveState();
                WriteColor(ConsoleColor.White, saveStateFile);
            }
            Console.CursorVisible = true;
            return vtero;
        }
Ejemplo n.º 2
0
        public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
        {
            var Version = vtero.Version;

            Mem.InitMem(co.FileName, vtero.MRD);

            // Extract Address Spaces verifies the linkages between
            // process<->CR3<->EPTP(if there is one)
            // and that they are functional

            var vetted = vtero.ExtrtactAddressSpaces(null, null, Version);

            // leaving this in as an example maybe? ;)

            //WriteLine("enter a group ID: ");
            //input = ReadLine();
            //int Grp = int.Parse(input);
            //WriteLine("enter a process ID: ");
            //input = ReadLine();
            //long procID = long.Parse(input, NumberStyles.HexNumber);
            //var proc = (from procz in vtero.ASGroups[Grp]
            //            where procz.CR3Value == procID
            //            select procz).First();
            //int i = 1;
            //DetectedProc dp = proc;
            //while(dp == null)
            //    dp = vtero.GetKernelRangeFromGroup(i++);


            // Scan for kernel
            // NT kernel may be in 0xFFFFF80000000 to 0xFFFFF8800000 range
            long         KernVAStart  = 0xF80000000000;
            long         KernVAEnd    = KernVAStart + (0x8000000000 - 0x1000);
            string       input        = string.Empty;
            var          Detections   = new Dictionary <long, Extract>();
            DetectedProc LikelyKernel = null;
            bool         Decoded      = false;

            // were doing this in nested loops to brute force our way past any errors
            // but only need the first set of detections per group

            foreach (var grpz in vtero.ASGroups)
            {
                foreach (var vm in vtero.VMCSs.Values)
                {
                    WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
                    foreach (var p in grpz.Value)
                    {
                        WriteLine($"Proc: {p.CR3Value:X}");
                        Detections = Detections.Concat(
                            vtero.ModuleScan(p, 3, KernVAStart, KernVAEnd).Where(x => !Detections.ContainsKey(x.Key)))
                                     .ToDictionary(x => x.Key, x => x.Value);

                        if (Detections.Count() > 0)
                        {
                            LikelyKernel = p;

                            if (vm.EPTP == 0)
                            {
                                p.vmcs = null;
                            }
                            else
                            {
                                p.vmcs = vm;
                            }

                            // scan for kernel
                            foreach (var detected in Detections)
                            {
                                WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
                                WriteColor(ConsoleColor.Cyan, detected.Value.ToString());

                                if (detected.Value.ToString().Contains("POOLCODE"))
                                {
                                    WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");

                                    /*
                                     * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);
                                     *
                                     * if (cv_data != null)
                                     * {
                                     *  var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
                                     *  if (string.IsNullOrWhiteSpace(sympath))
                                     *      sympath = "SRV*http://msdl.microsoft.com/download/symbols";
                                     *
                                     *  if (Vtero.TryLoadSymbols(cv_data, detected.Key, sympath))
                                     *      Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
                                     * }
                                     */
                                }
                            }
                        }
                        if (Decoded)
                        {
                            break;
                        }
                    }
                    if (Decoded)
                    {
                        break;
                    }
                }
                if (Decoded)
                {
                    break;
                }
            }
            ForegroundColor = ConsoleColor.Green;
            WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");

            // do a test dump
            // extract & dump could be done at the same time

            if (!dmpo.ListOnly)
            {
                vtero.DumpASToFile();
            }

            //if (Vtero.VerboseOutput)
            //vtero.DumpFailList();

            return;
        }
Ejemplo n.º 3
0
        public void config([DefaultValue(""), ArgDescription("set true to ")] string reset, [DefaultValue(""), ArgDescription("will dump history or clear")] string history)
        {
            // dump info
            if (reset.StartsWith("his") || string.IsNullOrWhiteSpace(reset))
            {
                ConsoleString.WriteLine(option, ConsoleColor.White);
                var tc = (typeof(CLI).GetCustomAttributes(typeof(TabCompletion), true)[0] as TabCompletion);

                if(!File.Exists(tc.HistoryFileNameInternal) || new FileInfo(tc.HistoryFileNameInternal).Length <= 1)
                    ConsoleString.WriteLine($"History file {tc.HistoryFileNameInternal} contains no data. (check permissions)", ConsoleColor.Yellow);

                if(!string.IsNullOrWhiteSpace(history) || reset.StartsWith("his"))
                    foreach (var line in File.ReadAllLines(tc.HistoryFileNameInternal))
                        ConsoleString.WriteLine(line, ConsoleColor.White);
            } else if(reset.Equals("reset")) {
                option = null;

                if(history.StartsWith("hist"))
                    (typeof(CLI).GetCustomAttributes(typeof(TabCompletion), true)[0] as TabCompletion).ClearHistory();

                option = new ConfigOptions();
                MemoryDump = null;

                ConsoleString.WriteLine("done clearing data");
            }
        }
Ejemplo n.º 4
0
        public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
        {
            var Version = vtero.Version;

            Mem.InitMem(co.FileName, vtero.MRD);

            // Extract Address Spaces verifies the linkages between
            // process<->CR3<->EPTP(if there is one)
            // and that they are functional

            var vetted = vtero.ExtrtactAddressSpaces(null, null, Version);

            // leaving this in as an example maybe? ;)

            //WriteLine("enter a group ID: ");
            //input = ReadLine();
            //int Grp = int.Parse(input);
            //WriteLine("enter a process ID: ");
            //input = ReadLine();
            //long procID = long.Parse(input, NumberStyles.HexNumber);
            //var proc = (from procz in vtero.ASGroups[Grp]
            //            where procz.CR3Value == procID
            //            select procz).First();
            //int i = 1;
            //DetectedProc dp = proc;
            //while(dp == null)
            //    dp = vtero.GetKernelRangeFromGroup(i++);


            // Scan for kernel 
            // NT kernel may be in 0xFFFFF80000000 to 0xFFFFF8800000 range
            long KernVAStart = 0xF80000000000;
            long KernVAEnd = KernVAStart + (0x8000000000 - 0x1000);
            string input = string.Empty;
            var Detections = new Dictionary<long, Extract>();
            DetectedProc LikelyKernel = null;
            bool Decoded = false;
            // were doing this in nested loops to brute force our way past any errors
            // but only need the first set of detections per group

            foreach (var grpz in vtero.ASGroups)
            {
                foreach (var vm in vtero.VMCSs.Values)
                {
                    WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
                    foreach (var p in grpz.Value)
                    {
                        WriteLine($"Proc: {p.CR3Value:X}");
                        Detections = Detections.Concat(
                            vtero.ModuleScan(p, KernVAStart, KernVAEnd).Where(x => !Detections.ContainsKey(x.Key)))
                            .ToDictionary(x => x.Key, x => x.Value);

                        if (Detections.Count() > 0)
                        {
                            LikelyKernel = p;

                            if (vm.EPTP == 0)
                                p.vmcs = null;
                            else
                                p.vmcs = vm;

                            // scan for kernel
                            foreach (var detected in Detections)
                            {
                                WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
                                WriteColor(ConsoleColor.Cyan, detected.Value.ToString());

                                if (detected.Value.ToString().Contains("POOLCODE"))
                                {
                                    WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");

                                    /*
                                     * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);

                                    if (cv_data != null)
                                    {
                                        var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
                                        if (string.IsNullOrWhiteSpace(sympath))
                                            sympath = "SRV*http://msdl.microsoft.com/download/symbols";

                                        if (vtero.TryLoadSymbols(cv_data, detected.Key, sympath))
                                            Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
                                    }
                                    */
                                }
                            }
                        }
                        if (Decoded) break;
                    }
                    if (Decoded) break;
                }
                if (Decoded) break;
            }
            ForegroundColor = ConsoleColor.Green;
            WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");

            // do a test dump
            // extract & dump could be done at the same time

            if(!dmpo.ListOnly)
                vtero.DumpASToFile();

            //if (Vtero.VerboseOutput)
                //vtero.DumpFailList();
            
            return;
        }
Ejemplo n.º 5
0
        public CLI() {
            if (option == null) option = new ConfigOptions();

            option.VersionsToEnable = PTType.Windows | PTType.FreeBSD | PTType.VMCS | PTType.HyperV;

        }