protected Dictionary <T, int> ScanMemory <T>(MemoryRegionType memoryRegionType, string signature) { if (!Enabled) { return(null); } var signatureObject = ParseSignature(signature); var results = new Dictionary <T, int>(); foreach (var region in Reader.Regions.Where(x => x.MatchesType(memoryRegionType))) { //for (int i = 0; i < 100; i++) ScanRegion <T>(region, signatureObject, (value, address) => { if (results.ContainsKey(value)) { results[value]++; } else { results.Add(value, 1); } }); } return(results); }
public bool MatchesType(MemoryRegionType type) { if (type == MemoryRegionType.EXECUTE && Execute == false) { return(false); } return(true); }
public Dictionary <T, int> ScanAllFrequencies <T>(MemoryRegionType memoryRegionType, string signature) { var results = ScanMemory <T>(memoryRegionType, signature); if (results == null) { return(new Dictionary <T, int>()); } else { return(results); } }
public IEnumerable <T> ScanAll <T>(MemoryRegionType memoryRegionType, string signature) { var results = ScanMemory <T>(memoryRegionType, signature); if (results == null) { return(new List <T>()); } else { return(results.Keys); } }
public T Scan <T>(MemoryRegionType memoryRegionType, string signature) { var results = ScanMemory <T>(memoryRegionType, signature); if (results != null) { // Get the best match out of it. var best = (from entry in results orderby entry.Value descending select entry.Key).FirstOrDefault(); return(best); } else { return(new List <T>().FirstOrDefault()); } }
public override void AddTransitionsToSimulation(Simulation simulation) { var dataTypes = new MemoryContentDataType[] { MemoryContentDataType.AttackerControlledData, MemoryContentDataType.WriteBasePointer, MemoryContentDataType.WriteDisplacement, MemoryContentDataType.WriteContent, MemoryContentDataType.WriteExtent, MemoryContentDataType.ReadBasePointer, MemoryContentDataType.ReadContent, MemoryContentDataType.ReadDisplacement, MemoryContentDataType.ReadExtent, MemoryContentDataType.FunctionPointer, MemoryContentDataType.CppVirtualTablePointer, MemoryContentDataType.CppVirtualTable, }; var regionTypes = new MemoryRegionType[] { MemoryRegionType.Heap, MemoryRegionType.Any }; foreach (MemoryRegionType regionType in regionTypes) { foreach (MemoryContentDataType dataType in dataTypes) { MemoryAddress address = new MemoryAddress(dataType, regionType); simulation.AddRootTransition( this, new InitializeDestinationContentPrimitive( String.Format("heap spray content to init dest {0}", address), destinationAddress: address, constraints: (context) => ( (context.CanInitializeContentViaHeapSpray() == true) ), onSuccess: (SimulationContext context, ref Violation v) => { context.Assume(AssumptionName.CanInitializeContentViaHeapSpray); context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData)); } ) ); simulation.AddRootTransition( this, new InitializeSourceContentPrimitive( String.Format("heap spray content to init src {0}", address), sourceAddress: address, constraints: (context) => ( (context.CanInitializeContentViaHeapSpray() == true) ), onSuccess: (SimulationContext context, ref Violation v) => { context.Assume(AssumptionName.CanInitializeContentViaHeapSpray); context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData)); } ) ); } } // // Heap spraying can also be used to spray code (on systems that don't support or enable // NX). // MemoryAddress codeAddress = new MemoryAddress(MemoryContentDataType.AttackerControlledData); simulation.AddRootTransition( this, new InitializeExecutableContentPrimitive( String.Format("initialize content with code via heap spray"), codeAddress, constraints: (context) => ( // no need for this technique if we can already accomplish this via spraying data. (context.CanExecuteMemoryAtAddress(new MemoryAddress(MemoryContentDataType.AttackerControlledData, null)) == false) && (context.CanInitializeContentViaHeapSpray() == true) ), onSuccess: (SimulationContext context, ref Violation v) => { context.Assume(AssumptionName.CanInitializeContentViaHeapSpray); context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData)); context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledCode)); } ) ); }