protected Dictionary <T, int> ScanMemory <T>(MemoryRegionType memoryRegionType, string signature)
{
if (!Enabled)
{
return(null);
}
var signatureObject = ParseSignature(signature);
var results = new Dictionary <T, int>();
foreach (var region in Reader.Regions.Where(x => x.MatchesType(memoryRegionType)))
{
//for (int i = 0; i < 100; i++)
ScanRegion <T>(region, signatureObject, (value, address) =>
{
if (results.ContainsKey(value))
{
results[value]++;
}
else
{
results.Add(value, 1);
}
});
}
return(results);
}
public bool MatchesType(MemoryRegionType type)
{
if (type == MemoryRegionType.EXECUTE && Execute == false)
{
return(false);
}
return(true);
}
public Dictionary <T, int> ScanAllFrequencies <T>(MemoryRegionType memoryRegionType, string signature)
{
var results = ScanMemory <T>(memoryRegionType, signature);
if (results == null)
{
return(new Dictionary <T, int>());
}
else
{
return(results);
}
}
public IEnumerable <T> ScanAll <T>(MemoryRegionType memoryRegionType, string signature)
{
var results = ScanMemory <T>(memoryRegionType, signature);
if (results == null)
{
return(new List <T>());
}
else
{
return(results.Keys);
}
}
public T Scan <T>(MemoryRegionType memoryRegionType, string signature)
{
var results = ScanMemory <T>(memoryRegionType, signature);
if (results != null)
{
// Get the best match out of it.
var best = (from entry in results orderby entry.Value descending select entry.Key).FirstOrDefault();
return(best);
}
else
{
return(new List <T>().FirstOrDefault());
}
}
public override void AddTransitionsToSimulation(Simulation simulation)
{
var dataTypes = new MemoryContentDataType[]
{
MemoryContentDataType.AttackerControlledData,
MemoryContentDataType.WriteBasePointer,
MemoryContentDataType.WriteDisplacement,
MemoryContentDataType.WriteContent,
MemoryContentDataType.WriteExtent,
MemoryContentDataType.ReadBasePointer,
MemoryContentDataType.ReadContent,
MemoryContentDataType.ReadDisplacement,
MemoryContentDataType.ReadExtent,
MemoryContentDataType.FunctionPointer,
MemoryContentDataType.CppVirtualTablePointer,
MemoryContentDataType.CppVirtualTable,
};
var regionTypes = new MemoryRegionType[]
{
MemoryRegionType.Heap,
MemoryRegionType.Any
};
foreach (MemoryRegionType regionType in regionTypes)
{
foreach (MemoryContentDataType dataType in dataTypes)
{
MemoryAddress address = new MemoryAddress(dataType, regionType);
simulation.AddRootTransition(
this,
new InitializeDestinationContentPrimitive(
String.Format("heap spray content to init dest {0}", address),
destinationAddress: address,
constraints: (context) =>
(
(context.CanInitializeContentViaHeapSpray() == true)
),
onSuccess: (SimulationContext context, ref Violation v) =>
{
context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
}
)
);
simulation.AddRootTransition(
this,
new InitializeSourceContentPrimitive(
String.Format("heap spray content to init src {0}", address),
sourceAddress: address,
constraints: (context) =>
(
(context.CanInitializeContentViaHeapSpray() == true)
),
onSuccess: (SimulationContext context, ref Violation v) =>
{
context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
}
)
);
}
}
//
// Heap spraying can also be used to spray code (on systems that don't support or enable
// NX).
//
MemoryAddress codeAddress = new MemoryAddress(MemoryContentDataType.AttackerControlledData);
simulation.AddRootTransition(
this,
new InitializeExecutableContentPrimitive(
String.Format("initialize content with code via heap spray"),
codeAddress,
constraints: (context) =>
(
// no need for this technique if we can already accomplish this via spraying data.
(context.CanExecuteMemoryAtAddress(new MemoryAddress(MemoryContentDataType.AttackerControlledData, null)) == false)
&&
(context.CanInitializeContentViaHeapSpray() == true)
),
onSuccess: (SimulationContext context, ref Violation v) =>
{
context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledCode));
}
)
);
}
