        /// <summary>
        /// BLOCK ALIGNED
        /// </summary>
        /// <param name="VA"></param>
        /// <returns>BLOCK of memory (ALIGNED)</returns>
        /// <summary>
        /// Reads the 4 KiB page that contains <paramref name="VA"/>. The address is
        /// rounded down to a page boundary before translation, so the returned
        /// buffer always starts at a page-aligned address (BLOCK ALIGNED).
        /// </summary>
        /// <param name="VA">Virtual address anywhere inside the wanted page.</param>
        /// <returns>
        /// A fresh 4096-byte copy of the page, or <c>null</c> when the physical read
        /// did not report data. Callers must check for <c>null</c>.
        /// </returns>
        public byte[] VGetBlock(long VA)
        {
            // ~0xfff is an int that sign-extends to a long, so this clears the low 12 bits.
            long pageBase = VA & ~0xfff;

            // When a VMCS is known the translation also goes through vmcs.EPTP,
            // otherwise only CR3Value is used.
            HARDWARE_ADDRESS_ENTRY phys = vmcs == null
                ? MemAccess.VirtualToPhysical(CR3Value, pageBase)
                : MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase);

            bool haveData = false;
            long[] page = new long[512]; // 512 * 8 bytes == one 4 KiB page
            MemAccess.GetPageForPhysAddr(phys, ref page, ref haveData);

            if (!haveData)
            {
                return null;
            }

            // Re-expose the page as bytes; BlockCopy counts in bytes.
            byte[] bytes = new byte[4096];
            Buffer.BlockCopy(page, 0, bytes, 0, 4096);
            return bytes;
        }
        /// <summary>
        /// BLOCK ALIGNED
        /// </summary>
        /// <param name="VA"></param>
        /// <returns></returns>
        /// <summary>
        /// Reads the 4 KiB page containing <paramref name="VA"/> (rounded down to a
        /// page boundary, i.e. BLOCK ALIGNED) into a byte buffer.
        /// </summary>
        /// <param name="VA">Virtual address anywhere inside the wanted page.</param>
        /// <returns>
        /// A 4096-byte buffer, always non-null.
        /// NOTE(review): the GotData flag filled in by GetPageForPhysAddr is never
        /// inspected here, so a failed translation or read returns whatever the helper
        /// left in the buffer (all zeros if it wrote nothing) and is indistinguishable
        /// from a genuine zero page. Callers that need to know whether the read
        /// succeeded should use VGetBlockLong, which surfaces the flag.
        /// </returns>
        public byte[] VGetBlock(long VA)
        {
            // ~0xfff is an int that sign-extends to a long, so this clears the low 12 bits.
            long pageBase = VA & ~0xfff;

            HARDWARE_ADDRESS_ENTRY phys;
            if (vmcs != null)
            {
                // A VMCS is known: translate through vmcs.EPTP as well as CR3Value.
                phys = MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase);
            }
            else
            {
                phys = MemAccess.VirtualToPhysical(CR3Value, pageBase);
            }

            bool haveData = false;
            long[] page = new long[512]; // 512 * 8 bytes == one 4 KiB page

            // The trailing 'true' argument is not documented in this file; its meaning
            // is whatever MemAccess.GetPageForPhysAddr assigns to it -- verify before
            // changing. haveData is not checked (see <returns>).
            MemAccess.GetPageForPhysAddr(phys, ref page, ref haveData, true);

            // Re-expose the page as bytes; BlockCopy counts in bytes.
            byte[] bytes = new byte[4096];
            Buffer.BlockCopy(page, 0, bytes, 0, 4096);
            return bytes;
        }
        /// <summary>
        /// See all other PAGE ALIGNED
        /// </summary>
        /// <param name="VA"></param>
        /// <param name="GotData"></param>
        /// <returns></returns>
        /// <summary>
        /// Page-aligned read of the 4 KiB page containing <paramref name="VA"/>,
        /// returned as 512 longs rather than bytes (compare the byte[] VGetBlock
        /// overloads).
        /// </summary>
        /// <param name="VA">Virtual address anywhere inside the wanted page.</param>
        /// <param name="GotData">
        /// Passed by reference to GetPageForPhysAddr, which is expected to set it.
        /// Callers must test it: the array is returned whether or not the read
        /// reported data.
        /// </param>
        /// <returns>The 512-entry buffer handed to GetPageForPhysAddr.</returns>
        public long[] VGetBlockLong(long VA, ref bool GotData)
        {
            // ~0xfff is an int that sign-extends to a long, so this clears the low 12 bits.
            long pageBase = VA & ~0xfff;

            // With a VMCS present the translation also goes through vmcs.EPTP.
            HARDWARE_ADDRESS_ENTRY phys = vmcs != null
                ? MemAccess.VirtualToPhysical(vmcs.EPTP, CR3Value, pageBase)
                : MemAccess.VirtualToPhysical(CR3Value, pageBase);

            long[] page = new long[512]; // 512 * 8 bytes == one 4 KiB page
            MemAccess.GetPageForPhysAddr(phys, ref page, ref GotData);
            return page;
        }
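        /// <summary>
        /// Compiles the YARA rules in <paramref name="RulesFile"/> and runs them over
        /// every valid page yielded by PT.FillPageQueue for this process (optionally
        /// including kernel space), collecting all matches.
        /// </summary>
        /// <param name="RulesFile">Path to a YARA rules source file; compiled once per call.</param>
        /// <param name="IncludeData">
        /// When false (the default), pages whose PTE carries NoExecute are skipped so
        /// only executable pages are scanned.
        /// </param>
        /// <param name="KernelSpace">Forwarded to PT.FillPageQueue.</param>
        /// <returns>All ScanResults; the same list is also stored in YaraOutput.</returns>
        /// <remarks>
        /// Side effects: calls PageTable.AddProcess(this, MemAccess); resets and then
        /// accumulates YaraTotalScanned (in bytes); assigns YaraOutput; and writes a
        /// progress counter to the console when Vtero.VerboseLevel > 1.
        /// </remarks>
        public List<ScanResult> YaraScan(string RulesFile, bool IncludeData = false, bool KernelSpace = false)
        {
            var results = new List<ScanResult>();

            using (var ctx = new YaraContext())
            {
                // Rules must be disposed even if scanning throws; the Compiler is only
                // needed long enough to produce them.
                Rules rules = null;
                try
                {
                    using (var compiler = new Compiler())
                    {
                        compiler.AddRuleFile(RulesFile);
                        rules = compiler.GetRules();
                    }

                    PageTable.AddProcess(this, MemAccess);
                    YaraTotalScanned = 0;
                    var scanned = 0;

                    // Single threaded has worked best so far; a Parallel.For variant is not used.
                    foreach (var range in PT.FillPageQueue(false, KernelSpace, true, false))
                    {
                        scanned++;
                        if (Vtero.VerboseLevel > 1)
                        {
                            Console.CursorLeft = 0;
                            Console.Write($"{scanned} scanned");
                        }

                        if (!range.PTE.Valid)
                        {
                            continue;
                        }

                        // Skip non-executable (data) pages unless the caller asked for them.
                        if (!IncludeData && range.PTE.NoExecute)
                        {
                            continue;
                        }

                        // Scanner and ScanResults do not need to be disposed.
                        var scanner = new libyaraNET.Scanner();
                        unsafe
                        {
                            // 0x40000 longs == 2 MiB for a large page, 0x200 longs == 4 KiB otherwise.
                            long[] block = range.PTE.LargePage ? new long[0x40000] : new long[0x200];
                            bool gotData = false;

                            MemAccess.GetPageForPhysAddr(range.PTE, ref block, ref gotData);
                            if (!gotData)
                            {
                                continue;
                            }

                            // block is a long[] handed to YARA through a byte*, so the length
                            // passed to ScanMemory must be in bytes. Passing block.Length (the
                            // element count) would scan, and account for, only the first eighth
                            // of each page.
                            int byteLength = checked(block.Length * sizeof(long));

                            fixed (void* lp = block)
                            {
                                var res = scanner.ScanMemory((byte*)lp, byteLength, rules, ScanFlags.None);

                                results.AddRange(res);
                                YaraTotalScanned += byteLength;
                            }
                        }
                    }
                }
                finally
                {
                    if (rules != null)
                    {
                        rules.Dispose();
                    }
                }
            }

            YaraOutput = results;
            return YaraOutput;
        }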