/// <summary>
/// Resolves the address of an address, pointer, or managed object.
/// </summary>
/// <returns>The base address of this object.</returns>
protected override IntPtr ResolveAddress()
{
IntPtr pointer = AddressResolver.GetInstance().ResolveModule(this.ModuleName);
Boolean successReading = true;
pointer = pointer.Add(this.ModuleOffset);
if (this.PointerOffsets == null || this.PointerOffsets.Count() == 0)
{
return(pointer);
}
foreach (Int32 offset in this.PointerOffsets)
{
if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
{
pointer = EngineCore.GetInstance().VirtualMemory.Read <Int32>(pointer, out successReading).ToIntPtr();
}
else
{
pointer = EngineCore.GetInstance().VirtualMemory.Read <Int64>(pointer, out successReading).ToIntPtr();
}
if (pointer == IntPtr.Zero || !successReading)
{
pointer = IntPtr.Zero;
break;
}
pointer = pointer.Add(offset);
}
return(pointer);
}
/// <summary>
/// Loads the instructions to display.
/// </summary>
private void LoadInstructions()
{
Byte[] bytes = EngineCore.GetInstance().VirtualMemory.ReadBytes(this.BaseAddress.ToIntPtr(), 200, out _);
if (bytes.IsNullOrEmpty())
{
return;
}
Boolean isProcess32Bit = EngineCore.GetInstance().Processes.IsOpenedProcess32Bit();
// Disassemble instructions
IEnumerable <NormalizedInstruction> disassembledInstructions = this.Disassembler.Disassemble(bytes, isProcess32Bit, this.BaseAddress.ToIntPtr());
IList <InstructionItem> instructions = new List <InstructionItem>();
foreach (NormalizedInstruction disassembledInstruction in disassembledInstructions)
{
String moduleName;
UInt64 address = AddressResolver.GetInstance().AddressToModule(disassembledInstruction.Address, out moduleName);
instructions.Add(new InstructionItem(address.ToIntPtr(), moduleName, disassembledInstruction.Instruction, disassembledInstruction.Bytes));
}
this.Instructions = new FullyObservableCollection <InstructionItem>(instructions);
}
/// <summary>
/// Loads the results for the current page.
/// </summary>
private void LoadScanResults()
{
Snapshot snapshot = SnapshotManagerViewModel.GetInstance().GetSnapshot(SnapshotManagerViewModel.SnapshotRetrievalMode.FromActiveSnapshot);
IList <ScanResult> newAddresses = new List <ScanResult>();
if (snapshot != null)
{
UInt64 startIndex = Math.Min(ScanResultsViewModel.PageSize * this.CurrentPage, snapshot.ElementCount);
UInt64 endIndex = Math.Min((ScanResultsViewModel.PageSize * this.CurrentPage) + ScanResultsViewModel.PageSize, snapshot.ElementCount);
for (UInt64 index = startIndex; index < endIndex; index++)
{
SnapshotElementIndexer element = snapshot[index];
String label = element.GetElementLabel() != null?element.GetElementLabel().ToString() : String.Empty;
Object currentValue = element.HasCurrentValue() ? element.LoadCurrentValue() : null;
Object previousValue = element.HasPreviousValue() ? element.LoadPreviousValue() : null;
String moduleName;
UInt64 address = AddressResolver.GetInstance().AddressToModule(element.BaseAddress, out moduleName);
PointerItem pointerItem = new PointerItem(baseAddress: address.ToIntPtr(), dataType: this.ActiveType, moduleName: moduleName, value: currentValue);
newAddresses.Add(new ScanResult(pointerItem, previousValue, label));
}
}
this.Addresses = new FullyObservableCollection <ScanResult>(newAddresses);
// Ensure results are visible
this.IsVisible = true;
this.IsSelected = true;
this.IsActive = true;
}
/// <summary>
/// Starts useful services that run in the background to assist in various operations.
/// </summary>
private void StartBackgroundServices()
{
SnapshotPrefilterFactory.GetSnapshotPrefilter(typeof(ChunkLinkedListPrefilter)).BeginPrefilter();
//// PointerCollector.GetInstance().Begin();
DotNetObjectCollector.GetInstance().Begin();
AddressResolver.GetInstance().Begin();
OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Info, "Background Services Started");
}
/// <summary>
/// Starts useful services that run in the background to assist in various operations.
/// </summary>
private void StartBackgroundServices()
{
DotNetObjectCollector.GetInstance().Start();
AddressResolver.GetInstance().Start();
AnalyticsService.GetInstance().Start();
AnalyticsService.GetInstance().SendEvent(AnalyticsService.AnalyticsAction.General, "Start");
OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Info, "Background services started");
}
/// <summary>
/// Resolves the address of an address, pointer, or managed object.
/// </summary>
/// <returns>The base address of this object.</returns>
public IntPtr ResolveAddress()
{
IntPtr pointer = IntPtr.Zero;
Boolean successReading = true;
switch (this.ResolveType)
{
case AddressResolver.ResolveTypeEnum.Module:
pointer = AddressResolver.GetInstance().ResolveModule(this.BaseIdentifier);
break;
case AddressResolver.ResolveTypeEnum.GlobalKeyword:
pointer = AddressResolver.GetInstance().ResolveGlobalKeyword(this.BaseIdentifier);
break;
case AddressResolver.ResolveTypeEnum.DotNet:
pointer = AddressResolver.GetInstance().ResolveDotNetObject(this.BaseIdentifier);
break;
}
pointer = pointer.Add(this.BaseAddress);
if (this.Offsets == null || this.Offsets.Count() == 0)
{
return(pointer);
}
foreach (Int32 offset in this.Offsets)
{
if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
{
pointer = EngineCore.GetInstance().OperatingSystemAdapter.Read <Int32>(pointer, out successReading).ToIntPtr();
}
else
{
pointer = EngineCore.GetInstance().OperatingSystemAdapter.Read <Int64>(pointer, out successReading).ToIntPtr();
}
pointer = pointer.Add(offset);
if (pointer == IntPtr.Zero || !successReading)
{
pointer = IntPtr.Zero;
break;
}
}
return(pointer);
}
/// <summary>
/// Enumerates the pointers of the specified pointer branch.
/// </summary>
/// <param name="baseAddress">The current base address.</param>
/// <param name="offsets">The offsets leading to this branch.</param>
/// <param name="branch">The current branch.</param>
/// <param name="pointerIndicies">The indicies at which to return non-null values.</param>
/// <returns>The full pointer path to the branch.</returns>
private IEnumerable <PointerItem> EnumerateBranches(UInt64 baseAddress, Stack <Int32> offsets, PointerBranch branch, PointerIndicies pointerIndicies)
{
offsets.Push(branch.Offset);
// End index reached
if (pointerIndicies.Finished)
{
yield break;
}
if (branch.Branches.Count <= 0)
{
PointerItem pointerItem;
// Only create pointer items when in the range of the selection indicies. This is an optimization to prevent creating unneeded objects.
if (pointerIndicies.IterateNext())
{
String moduleName;
UInt64 address = AddressResolver.GetInstance().AddressToModule(baseAddress, out moduleName);
pointerItem = new PointerItem(address.ToIntPtr(), DataTypes.Int32, "New Pointer", moduleName, offsets.ToArray().Reverse());
}
else
{
pointerItem = null;
}
yield return(pointerItem);
}
else
{
foreach (PointerBranch childBranch in branch)
{
foreach (PointerItem pointerItem in this.EnumerateBranches(baseAddress, offsets, childBranch, pointerIndicies))
{
yield return(pointerItem);
}
}
}
offsets.Pop();
}
protected override IntPtr ResolveAddress()
{
return(AddressResolver.GetInstance().ResolveModule(this.ModuleName).Add(this.ModuleOffset));
}
/// <summary>
/// Resolves the address of this object.
/// </summary>
/// <returns>The base address of this object.</returns>
protected override UInt64 ResolveAddress()
{
return(AddressResolver.GetInstance().ResolveDotNetObject(this.Identifier));
}