/// <summary>
/// Deviare hook callback. Records one cross-reference: from the call site that
/// reached the hooked function to the address the function is executing at
/// (EIP at the hook point). Both ends are stored relative to
/// <c>SecStartAddress</c> and a "From/To" line is echoed through <c>Output</c>.
/// </summary>
/// <param name="hook">The hook that fired (not used by this handler).</param>
/// <param name="process">The process the hook fired in (not used; memory is read via <c>_process</c>).</param>
/// <param name="hookCallInfo">Call context supplying the stack trace and register values.</param>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    // Number of bytes read immediately before the frame-0 address; GetInstrSize
    // works backwards from the end of this window to size the call instruction.
    const UInt32 windowSize = 50;

    NktStackTrace trace = hookCallInfo.StackTrace();
    NktProcessMemory mem = _spyMgr.ProcessMemoryFromPID(_process.Id);

    // Frame 0 is presumably the return address (the byte just past the call) — TODO confirm with Deviare docs.
    UInt64 frameZero = (UInt64)trace.Address(0);
    byte[] window = new byte[windowSize];
    for (UInt32 i = 0; i < windowSize; i++)
    {
        IntPtr at = (IntPtr)(frameZero - windowSize + i);
        window[i] = (byte)mem.Read(at, eNktDboFundamentalType.ftUnsignedByte);
    }

    UInt64 target = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);
    UInt64 callSite = frameZero - (UInt64)GetInstrSize(window, windowSize);

    Output(string.Format("From: 0x{0:x} To: 0x{1:x}\n", callSite, target), false);

    // Persist section-relative offsets so the set is independent of the load address.
    CROSSREF xref = new CROSSREF
    {
        From = callSite - SecStartAddress,
        To = target - SecStartAddress,
    };
    CrossRefSet.Add(xref);
}
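/// <summary>
/// Scans the module image for vtable-like pointer tables. Every DWORD whose
/// value lies inside the code section, and whose target passes
/// <c>isValidPreOpCode</c>/<c>isValidPostOpCode</c>, is treated as a vtable slot;
/// hits closer than 500 bytes to the previous hit are grouped into the same
/// <c>VTBL</c>. Results are appended to <c>VTableList</c> and <c>listBoxVTBL</c>.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void comboBoxModules_SelectedIndexChanged(object sender, EventArgs e)
{
    int selected = comboBoxModules.SelectedIndex;
    List<NktModule> moduleList = (List<NktModule>)comboBoxModules.Tag;

    // No selection yet (SelectedIndex == -1) or Tag not populated: leave the
    // combo usable instead of throwing from the list access below.
    if (moduleList == null || selected < 0 || selected >= moduleList.Count)
    {
        return;
    }
    comboBoxModules.Enabled = false;

    NktModule module = moduleList[selected];
    NktStructPESections sections = module.Sections();

    // Locate the code section; if no ".text" section exists this silently
    // falls back to section 0, as the original code did.
    int nSectionCode = 0;
    for (int n = 0; n < sections.Count; n++)
    {
        if (sections.get_Name(n) == ".text")
        {
            nSectionCode = n;
            break;
        }
    }
    SecStartAddress = (UInt64)sections.get_StartAddress(nSectionCode);
    SecEndAddress = (UInt64)sections.get_EndAddress(nSectionCode);

    // NOTE(review): the scan range comes from the process's main module
    // (_process.Name) while the section bounds come from the selected module —
    // confirm this is intended when the two differ.
    ModStartAddress = (UInt64)GetModuleBase(_process.Name);
    ModEndAddress = ModStartAddress + (UInt64)GetModuleSize(_process.Name);

    NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

    // Bytes inspected before and after each candidate target.
    const UInt32 OpcodeWindow = 50;
    UInt64 moduleSize = ModEndAddress - ModStartAddress;

    ulong tmpAddress = 0;
    VTBL vtbl;
    vtbl.Address = 0;
    vtbl.ValuesList = null;

    // Byte-granular scan: every offset is read as a DWORD. Reads of unmapped
    // pages are not handled here; memory.Read exceptions propagate to the caller.
    for (UInt64 CurAddress = ModStartAddress; CurAddress < ModEndAddress; CurAddress++)
    {
        // Progress relative to the module, not the absolute address: the old
        // formula (CurAddress * 100 / ModEndAddress) reported ~100% from the
        // first byte whenever the base was large compared to the size, and
        // could overflow for high 64-bit addresses. moduleSize > 0 inside the loop.
        progressBar.Value = (int)((CurAddress - ModStartAddress) * 100 / moduleSize);

        UInt32 CurValue = (UInt32)memory.Read((IntPtr)CurAddress, eNktDboFundamentalType.ftUnsignedDoubleWord);
        if (CurValue < SecStartAddress || CurValue > SecEndAddress)
        {
            continue;
        }

        byte[] preOpcode = ReadOpcodeWindow(memory, (UInt64)CurValue - OpcodeWindow, OpcodeWindow);
        byte[] postOpcode = ReadOpcodeWindow(memory, (UInt64)CurValue, OpcodeWindow);
        if (!isValidPreOpCode(preOpcode, OpcodeWindow) || !isValidPostOpCode(postOpcode, OpcodeWindow))
        {
            continue;
        }

        // Start a new table when the hit is far from the previous one. The 500
        // byte gap is a tunable heuristic; strictly, adjacent slots are 4 bytes
        // apart, so (CurAddress - tmpAddress != 4) would be the exact test.
        if ((CurAddress - tmpAddress) > 500 || tmpAddress == 0)
        {
            vtbl = new VTBL();
            vtbl.Address = CurAddress;
            vtbl.ValuesList = new List<UInt64>();
            VTableList.Add(vtbl);
        }
        tmpAddress = CurAddress;

        // SkipHook presumably resolves the slot target past any hook stub — confirm against its definition.
        vtbl.ValuesList.Add((UInt64)SkipHook((IntPtr)CurValue, _process.Id));
    }
    progressBar.Value = 100;

    for (int n = 0; n < VTableList.Count; n++)
    {
        VTBL entry = VTableList.ElementAt(n);
        string vtblname = "VTBL_" + n.ToString("X") + "_" + entry.Address.ToString("X") + "_" + entry.ValuesList.Count;
        listBoxVTBL.Items.Add(vtblname);
    }
    btnHook.Enabled = true;
    btnClear.Enabled = true;
}

/// <summary>
/// Reads <paramref name="size"/> consecutive bytes of the target process
/// starting at <paramref name="address"/>, one byte per <c>memory.Read</c> call.
/// </summary>
/// <param name="memory">Process memory accessor for the hooked process.</param>
/// <param name="address">First address to read.</param>
/// <param name="size">Number of bytes to read.</param>
/// <returns>The bytes in address order.</returns>
private static byte[] ReadOpcodeWindow(NktProcessMemory memory, UInt64 address, UInt32 size)
{
    byte[] buffer = new byte[size];
    for (UInt32 i = 0; i < size; i++)
    {
        buffer[i] = (byte)memory.Read((IntPtr)(address + i), eNktDboFundamentalType.ftUnsignedByte);
    }
    return buffer;
}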