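        /// <summary>
        /// Breadth-first walk of a kernel doubly-linked list (LIST_ENTRY chain): follows both
        /// Blink and Flink from <paramref name="source"/> and collects every distinct entry reached.
        /// Entries are de-duplicated by physical address, which is what terminates the walk on a
        /// circular list and bounds it on a corrupted one. Only entries reachable through the
        /// pointers are returned -- anything unlinked from the chain (e.g. by DKOM) is invisible here.
        /// </summary>
        /// <param name="dataProvider">Provider whose ActiveAddressSpace is used for pointer translation.</param>
        /// <param name="source">Entry to start from (typically the list head); it is included in the result.</param>
        /// <returns>Every distinct entry reached, in discovery order.</returns>
        protected List <LIST_ENTRY> FindAllLists(DataProviderBase dataProvider, LIST_ENTRY source)
        {
            List <LIST_ENTRY>  results      = new List <LIST_ENTRY>();
            // HashSet instead of List: List.Contains made the visited check O(n) per entry,
            // i.e. O(n^2) over a large process list.
            HashSet <ulong>    seen         = new HashSet <ulong>();
            // Queue instead of List.RemoveAt(0): same FIFO order, O(1) dequeue.
            Queue <LIST_ENTRY> pending      = new Queue <LIST_ENTRY>();
            AddressBase        addressSpace = dataProvider.ActiveAddressSpace;

            pending.Enqueue(source);
            while (pending.Count > 0)
            {
                LIST_ENTRY item = pending.Dequeue();
                // HashSet.Add returns false when the physical address was already visited.
                if (!seen.Add(item.PhysicalAddress))
                {
                    continue;
                }
                results.Add(item);

                // NOTE(review): Flink/Blink come straight from the image and are only checked
                // for null; a bogus pointer (corrupt image, tampered list) yields a LIST_ENTRY
                // built on garbage. vtop() is still called as in the original, but its result
                // was never used -- TODO confirm whether an untranslatable pointer should end
                // the walk instead of being enqueued.
                ulong blink = item.Blink;
                if (blink != 0)
                {
                    addressSpace.vtop(blink);
                    pending.Enqueue(new LIST_ENTRY(dataProvider, blink));
                }
                ulong flink = item.Flink;
                if (flink != 0)
                {
                    addressSpace.vtop(flink);
                    pending.Enqueue(new LIST_ENTRY(dataProvider, flink));
                }
            }
            return(results);
        }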
        /// <summary>
        /// Enumerates _EPROCESS addresses by walking the per-session process list
        /// (_MM_SESSION_SPACE.ProcessList) of every session referenced by the current process list.
        /// For a non-live provider a cached result (pslist_Sessions.gz) is returned when present;
        /// otherwise the lists are walked and the result is persisted through TrySave.
        /// </summary>
        /// <returns>The set of _EPROCESS virtual addresses found; empty if no sessions are known.</returns>
        public HashSet <ulong> Run()
        {
            FileInfo cacheFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_Sessions.gz");

            // A cached answer is only trusted for a static image, never for a live system.
            if (cacheFile.Exists && !_dataProvider.IsLive)
            {
                // NOTE(review): the cache is read back as trusted data; if RetrieveOffsetMap
                // deserialises it with something like BinaryFormatter, a tampered cache file
                // becomes an execution vector -- confirm the on-disk format.
                OffsetMap cached = RetrieveOffsetMap(cacheFile);
                if (cached != null)
                {
                    return(cached.OffsetRecords);
                }
            }

            HashSet <ulong> found = new HashSet <ulong>();

            // Distinct _MM_SESSION_SPACE pointers, taken from the processes already known.
            HashSet <ulong> sessions = new HashSet <ulong>();
            if (_processList != null)
            {
                foreach (ProcessInfo proc in _processList)
                {
                    if (proc.Session == 0)
                    {
                        continue;
                    }
                    sessions.Add(proc.Session);
                }
            }

            ulong linksOffset = (ulong)_profile.GetOffset("_EPROCESS", "SessionProcessLinks");
            ulong headOffset  = (ulong)_profile.GetOffset("_MM_SESSION_SPACE", "ProcessList");

            foreach (ulong session in sessions)
            {
                SessionSpace space = new SessionSpace(_profile, _dataProvider, session);
                List <LIST_ENTRY> chain = FindAllLists(_dataProvider, space.ProcessList);

                foreach (LIST_ENTRY entry in chain)
                {
                    foreach (ulong link in new ulong[] { entry.Blink, entry.Flink })
                    {
                        // Skip null links and the pointer back to the list head inside the
                        // session structure; everything else points at an _EPROCESS'
                        // SessionProcessLinks field, so rewind to the structure start.
                        if (link - headOffset == session || link == 0)
                        {
                            continue;
                        }
                        found.Add(link - linksOffset);
                    }
                }
            }

            return(TrySave(found));
        }
        /// <summary>
        /// Enumerates _EPROCESS addresses by walking the kernel's PsActiveProcessHead list
        /// (ActiveProcessLinks chain) in the kernel address space. For a non-live provider a
        /// cached result (pslist_PsActiveProcessHead.gz) is returned when present; otherwise
        /// the list is walked and the result is persisted through TrySave.
        /// </summary>
        /// <returns>The set of _EPROCESS virtual addresses reachable from the list head.</returns>
        public HashSet <ulong> Run()
        {
            FileInfo cacheFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead.gz");

            // Only a static image may be answered from cache.
            if (cacheFile.Exists && !_dataProvider.IsLive)
            {
                OffsetMap cached = RetrieveOffsetMap(cacheFile);
                if (cached != null)
                {
                    return(cached.OffsetRecords);
                }
            }

            HashSet <ulong> found = new HashSet <ulong>();

            // Virtual address of the list head symbol: kernel base plus the profile constant.
            uint  headConstant = (uint)_profile.GetConstant("PsActiveProcessHead");
            ulong listHead     = _profile.KernelBaseAddress + headConstant;

            // The walk must translate through the kernel address space.
            _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
            LIST_ENTRY headEntry   = new LIST_ENTRY(_dataProvider, listHead);
            ulong      linksOffset = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");

            foreach (LIST_ENTRY entry in FindAllLists(_dataProvider, headEntry))
            {
                ulong linkAddress = entry.VirtualAddress;
                // The head itself is not a process, and a null entry carries nothing.
                if (linkAddress == listHead || linkAddress == 0)
                {
                    continue;
                }
                // Each remaining entry is an _EPROCESS.ActiveProcessLinks field; rewind to the structure.
                found.Add(linkAddress - linksOffset);
            }

            return(TrySave(found));
        }
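        /// <summary>
        /// Enumerates _EPROCESS addresses through the handle table of csrss.exe: every handle
        /// whose object type name is "Process" contributes one address. (The presumed forensic
        /// rationale is that csrss holds a handle to every Win32 process, giving a view that does
        /// not depend on the ActiveProcessLinks list -- confirm against the framework's docs.)
        /// csrss is located from the existing process list when one is available, otherwise by
        /// walking PsActiveProcessHead. For a non-live provider a cached result (pslist_CSRSS.gz)
        /// is returned when present; otherwise the result is persisted through TrySave.
        /// </summary>
        /// <returns>The set of _EPROCESS virtual addresses found; empty if no csrss.exe was located.</returns>
        public HashSet <ulong> Run()
        {
            FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz");

            // Only a static image may be answered from cache.
            if (cachedFile.Exists && !_dataProvider.IsLive)
            {
                OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
                if (cachedMap != null)
                {
                    return(cachedMap.OffsetRecords);
                }
            }
            HashSet <ulong> results = new HashSet <ulong>();

            // Preferred path: an earlier scan already tells us where csrss.exe lives.
            if (_processList != null)
            {
                foreach (ProcessInfo info in _processList)
                {
                    try
                    {
                        if (info.ProcessName == "csrss.exe")
                        {
                            CollectProcessObjectsFromHandles(info.ObjectTableAddress, results);
                        }
                    }
                    catch (Exception)
                    {
                        // Best-effort per process: one unreadable handle table must not
                        // abort the whole scan (deliberate in the original; kept).
                        continue;
                    }
                }
                if (results.Count > 0)
                {
                    return(TrySave(results));
                }
            }

            // Fallback: no process list, or it held no csrss -- walk PsActiveProcessHead ourselves.
            uint  processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
            ulong vAddr             = _profile.KernelBaseAddress + processHeadOffset;

            _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
            LIST_ENTRY        le    = new LIST_ENTRY(_dataProvider, vAddr);
            ulong             apl   = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
            List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le);

            foreach (LIST_ENTRY entry in lists)
            {
                // The head itself is not a process, and a null entry carries nothing.
                if (entry.VirtualAddress == vAddr || entry.VirtualAddress == 0)
                {
                    continue;
                }
                // NOTE(review): unlike the path above, this loop has no per-process try/catch,
                // so a single unreadable _EPROCESS or handle table aborts the fallback entirely.
                // Behaviour kept as-is; consider the same best-effort handling.
                EProcess ep = new EProcess(_profile, _dataProvider, entry.VirtualAddress - apl);
                if (ep.ImageFileName == "csrss.exe")
                {
                    CollectProcessObjectsFromHandles(ep.ObjectTable, results);
                }
            }
            return(TrySave(results));
        }

        /// <summary>
        /// Walks one handle table and, for every entry whose type name is "Process", adds the
        /// address header.Size bytes past the entry's ObjectPointer to <paramref name="results"/>.
        /// Entries that cannot be read or typed are skipped individually; the table itself is
        /// read without a guard, so callers decide whether an unreadable table is fatal.
        /// </summary>
        /// <param name="handleTableAddress">Address of the process' handle table (its ObjectTable).</param>
        /// <param name="results">Set that receives the discovered addresses.</param>
        private void CollectProcessObjectsFromHandles(ulong handleTableAddress, HashSet <ulong> results)
        {
            HandleTable             table   = new HandleTable(_profile, _dataProvider, handleTableAddress);
            List <HandleTableEntry> records = EnumerateHandles(table.TableStartAddress, table.Level);
            foreach (HandleTableEntry e in records)
            {
                try
                {
                    // Header is read before the type check, as in the original, so an
                    // unreadable header skips the entry regardless of its type.
                    ObjectHeader header     = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
                    string       objectName = GetObjectName(e.TypeInfo);
                    if (objectName == "Process")
                    {
                        results.Add(e.ObjectPointer + (ulong)header.Size);
                    }
                }
                catch (Exception)
                {
                    // Per-entry best effort: a corrupt handle entry is skipped, not fatal.
                    continue;
                }
            }
        }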