/// <summary>
/// Saves the settings to the config.
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void SaveButton_Click(object sender, EventArgs e)
{
//
// Save the settings
//
Config.SetValue("dump_location", dumpLocation.Text);
Config.SetValue("file_name", fileName.Text);
Config.SetValue("custom_dump_location", customDumpLocationToggle.Text);
Config.SetValue("create_process_folder", createFolderToggle.Text);
Config.SetValue("create_timestamp_folder", createTimestampFolderToggle.Text);
Config.SetValue("ask_for_location", askForLocationToggle.Text);
Config.SetValue("theme", themeComboBox.Text);
Config.SetValue("style", colorComboBox.Text);
Config.SetValue("memory_source", memoryComboBox.Text);
Config.SetValue("save_base_addresses", saveOffsetsToggle.Text);
Config.SetValue("manual_module_list", manualModuleList.Text);
Config.SetValue("read_header_from_file", headerFromFile.Text);
Config.SetValue("memory_source", memoryComboBox.Text);
//
// Set the nemesis config
//
NemesisApi.SetConfigValue("read_header_from_file", headerFromFile.Text);
NemesisApi.SetConfigValue("memory_source", memoryComboBox.Text);
Close();
}
/// <summary>
/// Loads and sets the config data.
/// </summary>
public Settings()
{
InitializeComponent();
//
// Set the styles
//
components.SetStyle(this);
//
// Set default values the first time
//
if (Config.GetValue("first_time_started") == null)
{
Config.SetValue("file_name", "_dump");
Config.SetValue("ask_for_location", "On");
Config.SetValue("first_time_started", ".");
Config.SetValue("theme", "Default");
Config.SetValue("style", "Default");
Config.SetValue("memory_source", "user_mode");
Config.SetValue("save_base_addresses", "Off");
Config.SetValue("manual_module_list", "Off");
}
//
// TextFields
//
dumpLocation.Text = Config.GetValue("dump_location");
fileName.Text = Config.GetValue("file_name");
//
// Toggles
//
customDumpLocationToggle.Checked = Config.GetValue("custom_dump_location") == "On";
createFolderToggle.Checked = Config.GetValue("create_process_folder") == "On";
createTimestampFolderToggle.Checked = Config.GetValue("create_timestamp_folder") == "On";
askForLocationToggle.Checked = Config.GetValue("ask_for_location") == "On";
saveOffsetsToggle.Checked = Config.GetValue("save_base_addresses") == "On";
manualModuleList.Checked = Config.GetValue("manual_module_list") == "On";
headerFromFile.Checked = Config.GetValue("read_header_from_file") == "On";
//
// Fill the combo boxes
//
themeComboBox.Items.AddRange(new object[] { "Dark", "Light" });
colorComboBox.Items.AddRange(new object[]
{ "Default", "Black", "White", "Silver", "Blue", "Green", "Lime", "Teal", "Orange", "Brown", "Pink", "Magenta", "Purple", "Red", "Yellow" });
memoryComboBox.Items.AddRange(NemesisApi.GetMemorySources().ToArray());
themeComboBox.SelectedIndex = GetItemIndex(themeComboBox, Config.GetValue("theme"));
colorComboBox.SelectedIndex = GetItemIndex(colorComboBox, Config.GetValue("style"));
memoryComboBox.SelectedIndex = GetItemIndex(memoryComboBox, Config.GetValue("memory_source"));
}
/// <summary>
/// Loads the modules and adds them to the list.
/// </summary>
/// <returns>True if successful</returns>
public bool LoadModules(int processId)
{
var modules = Config.GetValue("manual_module_list") == "On" ? NemesisApi.GetManualModuleList(processId) : NemesisApi.GetModuleList(processId);
//
// Check if empty
//
if (modules.Count == 0)
{
return(false);
}
//
// Remove all previous processes
//
Items.Clear();
//
// Loop through all processes
//
foreach (var module in modules)
{
//
// Create a new ProcessListItem
//
var processListItem = new ModuleListItem(module.ImageBase, module.ImageSize, module.ModuleName, module.ModulePath);
//
// Add it to the ListView
//
Items.Add(processListItem.GetListViewItem());
}
//
// Auto resize the columns
//
AutoResizeColumns(ColumnHeaderAutoResizeStyle.None);
//
// Sort the list
//
ListViewItemSorter = new ModuleSorter(_sortColumnIndex, Sorting);
return(true);
}
/// <summary>
/// Loads the memory regions and adds them to the list.
/// </summary>
/// <returns>True if successful</returns>
public bool LoadMemory(int processId)
{
var memory = NemesisApi.GetMemoryList(processId);
//
// Check if empty
//
if (memory.Count == 0)
{
return(false);
}
//
// Remove all previous processes
//
Items.Clear();
//
// Loop through all processes
//
foreach (var item in memory)
{
//
// Create a new ProcessListItem
//
var memoryListItem = new MemoryListItem(item.BaseAddress, item.RegionSize, item.State, item.Type);
//
// Add it to the ListView
//
Items.Add(memoryListItem.GetListViewItem());
}
//
// Auto resize the columns
//
AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
//
// Sort the list
//
ListViewItemSorter = new MemorySorter(_sortColumnIndex, Sorting);
return(true);
}
/// <summary>
/// Loads the drivers and adds them to the list.
/// </summary>
/// <returns>True if successful</returns>
public bool LoadDrivers()
{
var drivers = NemesisApi.GetDriverList();
//
// Remove all previous drivers
//
Items.Clear();
//
// Loop through all drivers
//
foreach (var item in drivers)
{
//
// Create a new DriverListItem
//
var driverListItem = new DriverListItem(item.ImageBase, item.ImageSize, item.OffsetToFileName, item.FullPathName);
//
// Add it to the ListView
//
Items.Add(driverListItem.GetListViewItem());
}
//
// Auto resize the columns
//
AutoResizeColumns(ColumnHeaderAutoResizeStyle.None);
//
// Sort the list
//
ListViewItemSorter = new DriverSorter(_sortColumnIndex, Sorting);
return(true);
}
/// <summary>
/// Dumps the specified memory.
/// </summary>
/// <param name="memory">The memory of a process.</param>
private void DumpMemory(MemoryListItem memory)
{
//
// Get the destination path
//
string path;
var saveFile = new SaveFileDialog
{
FileName = $@"MEM_{memory.BaseAddress:X8}_{memory.RegionSize}.bin",
Filter = @"Executable File (.bin)|*.bin"
};
//
// Show the dialog
//
if (saveFile.ShowDialog() == DialogResult.OK)
{
path = saveFile.FileName;
}
else
{
return;
}
//
// Dump module
//
if (!NemesisApi.DumpMemory(_processId, (IntPtr)memory.BaseAddress, (uint)memory.RegionSize, path))
{
MessageBox.Show("Failed to dump module.");
}
else
{
MessageBox.Show("Successfully dumped the module.");
}
}
/// <summary>
/// Dumps the specified module.
/// </summary>
/// <param name="module">The module of a process</param>
private void DumpModule(ModuleListItem module)
{
//
// Get the destination path
//
string path;
var saveFile = new SaveFileDialog
{
FileName = $@"{Path.GetFileName(module.ModuleName)}",
Filter = @"Executable File (.dll)|*.dll"
};
//
// Show the dialog
//
if (saveFile.ShowDialog() == DialogResult.OK)
{
path = saveFile.FileName;
}
else
{
return;
}
//
// Dump module
//
if (!NemesisApi.DumpModule(_processId, (IntPtr)module.ImageBase, path))
{
MessageBox.Show("Failed to dump module.");
}
else
{
MessageBox.Show("Successfully dumped the module.");
}
}
/// <summary>
/// Dumps the selected process.
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void DumpButton_Click(object sender, EventArgs e)
{
if (processListView.SelectedItems.Count <= 0 && driverListView.SelectedItems.Count <= 0)
{
return;
}
//
// Set the variables
//
var extension = tabControl.SelectedIndex == 0 ? ".exe" : ".sys";
var filter = tabControl.SelectedIndex == 0 ? "Executable File (.exe)|*.exe" : "System file (.sys)|*.sys";
var name = tabControl.SelectedIndex == 0
? processListView.SelectedItems[0].SubItems[1].Text
: Path.GetFileNameWithoutExtension(driverListView.SelectedItems[0].SubItems[0].Text);
var path = "";
//
// Ask for location
//
if (Config.GetValue("ask_for_location") == "On")
{
//
// Open the dialog
//
var saveFile = new SaveFileDialog
{
//
// Set the default name
//
FileName = $@"{name}{Config.GetValue("file_name")}{extension}",
//
// Set the filters
//
Filter = filter
};
//
// Show the dialog
//
if (saveFile.ShowDialog() == DialogResult.OK)
{
path = saveFile.FileName;
}
else
{
return;
}
}
//
// Use custom dump location
//
if ((Config.GetValue("custom_dump_location")) == "On")
{
var dumpLocation = Path.GetFullPath(Config.GetValue("dump_location"));
//
// Absolute path
//
if (Path.IsPathRooted(path))
{
path = dumpLocation;
}
//
// Relative path
//
if (!Path.IsPathRooted(path))
{
path = $@"{Path.Combine(Path.GetDirectoryName(Application.ExecutablePath) ?? throw new InvalidOperationException(), dumpLocation)}";
}
//
// Create process folder
//
if (Config.GetValue("create_process_folder") == "On" && name != null)
{
path = Path.Combine(path, name);
}
//
// Create timestamp folder
//
if (Config.GetValue("create_timestamp_folder") == "On")
{
path = Path.Combine(path, $@"{DateTime.Now:dd-MM-yyyy HH-mm-ss}");
}
//
// Create the directories (in case they are not existing)
//
try
{
Directory.CreateDirectory(path);
path = Path.Combine(path, $@"{name}{Config.GetValue("file_name")}{extension}");
}
catch (Exception exception)
{
MessageBox.Show($@"{exception.Message}", @"Warning");
return;
}
}
try
{
//
// Dump it
//
var status = false;
if (tabControl.SelectedIndex == 0)
{
//
// Process
//
if (processListView.SelectedItems[0].Tag is ProcessListItem process)
{
var processId = int.Parse(process.Id);
status = NemesisApi.DumpProcess(processId, path);
}
}
else
{
//
// Driver
//
if (driverListView.SelectedItems[0].Tag is DriverListItem driver)
{
status = NemesisApi.DumpDriver((IntPtr)driver.ImageBase, path);
}
//
// Save base addresses
//
if (Config.GetValue("save_base_addresses") == "On")
{
NemesisApi.SaveDriverInformation(Path.Combine(Path.GetDirectoryName(path) ?? throw new InvalidOperationException(), "driver_list.txt"));
}
}
//
// Check status
//
var type = tabControl.SelectedIndex == 0 ? "process" : "driver";
if (status)
{
MessageBox.Show($@"Successfully dumped the {type}.", @"Success");
}
else
{
MessageBox.Show($@"Failed to dump the {type}.", @"Warning");
}
}
catch (Exception)
{
MessageBox.Show(@"Nemesis threw an exception.", @"Warning");
}
}