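    //Creates a file with the process memory (Does NOT handle deleting, take care of it elsewhere!)
    //Dumps every PE section reported by p.Sections() into "<pid>.mca" in the current working
    //directory, one section after another in table order. The .text section is skipped unless
    //searchDotTextSection is true. An existing file with the same name is overwritten.
    private void getSections()
    {
        string filename = p.Id.ToString() + ".mca";

        //Query the section table once; the original re-queried it on every iteration
        NktStructPESections n = p.Sections();

        //'using' guarantees the writer is flushed and the file handle released even if ReadMem throws
        using (BinaryWriter bw = new BinaryWriter(File.Open(filename, FileMode.Create)))
        {
            //Write each section contents to file
            for (int i = 0; i < n.Count; i++)
            {
                //Skip the .text section unless searchDotTextSection is enabled (true)
                if (n.Name[i] == ".text" && !searchDotTextSection)
                {
                    continue;
                }

                //Get start/end/size of section. ToInt64 avoids the OverflowException that
                //ToInt32 throws for addresses above 2 GB (64-bit targets, high-mapped modules).
                long start       = n.StartAddress[i].ToInt64();
                long end         = n.EndAddress[i].ToInt64();
                long sectionsize = end - start;

                //An empty or inverted range would make 'new byte[]' throw; there is nothing to dump
                if (sectionsize <= 0 || sectionsize > int.MaxValue)
                {
                    continue;
                }

                //Alloc buffer to receive memory from API and pin it so the GC cannot move it
                //while the unmanaged side writes through pBuffer
                byte[]   buffer      = new byte[sectionsize];
                GCHandle pinnedArray = GCHandle.Alloc(buffer, GCHandleType.Pinned);
                try
                {
                    IntPtr pBuffer = pinnedArray.AddrOfPinnedObject();
                    //Read section. NOTE(review): ReadMem's return value is not checked, so a partial
                    //read leaves zeroed bytes in the dump — its contract is not visible in this file.
                    p.Memory().ReadMem(pBuffer, n.StartAddress[i], new IntPtr(sectionsize));
                }
                finally
                {
                    //Free the handle even if ReadMem throws; a leaked pinned handle keeps the
                    //buffer pinned for the lifetime of the process
                    pinnedArray.Free();
                }

                //Output to file
                bw.Write(buffer);
            }
        }
    }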
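        //Scans the selected module's image for vtables: every 4-byte value that points into the
        //module's ".text" section and whose target is surrounded by bytes accepted by
        //isValidPreOpCode / isValidPostOpCode is treated as a vtable slot. Slots closer than
        //500 bytes to the previous hit are grouped into the same VTBL entry. Results are appended
        //to VTableList and listed in listBoxVTBL; the hook/clear buttons are enabled afterwards.
        private void comboBoxModules_SelectedIndexChanged(object sender, EventArgs e)
        {
            int selected = comboBoxModules.SelectedIndex;
            List <NktModule> ModuleList = comboBoxModules.Tag as List <NktModule>;

            //SelectedIndexChanged also fires when the selection is cleared (index -1) or before
            //Tag has been populated; ElementAt would throw in either case
            if (selected < 0 || ModuleList == null || selected >= ModuleList.Count)
            {
                return;
            }

            //NOTE(review): the combo box is never re-enabled in this handler; presumably btnClear
            //does it — confirm before relying on it
            comboBoxModules.Enabled = false;

            NktModule module = ModuleList[selected];

            NktStructPESections sections = module.Sections();
            //Falls back to section 0 when no ".text" section exists (original behaviour)
            int nSectionCode = 0;

            for (int n = 0; n < sections.Count; n++)
            {
                if (sections.get_Name(n) == ".text")
                {
                    nSectionCode = n;
                    break;
                }
            }

            SecStartAddress = (UInt64)sections.get_StartAddress(nSectionCode);
            SecEndAddress   = (UInt64)sections.get_EndAddress(nSectionCode);

            ModStartAddress = (UInt64)GetModuleBase(_process.Name);
            ModEndAddress   = ModStartAddress + (UInt64)GetModuleSize(_process.Name);

            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            //Address of the last accepted slot; 0 means "no hit yet"
            ulong tmpAddress = 0;
            VTBL  vtbl       = new VTBL();

            //Progress is reported relative to the scanned range (the original divided by the
            //absolute end address, so the bar started well above 0% for a high-mapped module)
            //and only when the percentage changes, to avoid one UI update per byte
            UInt64 scanSize    = ModEndAddress - ModStartAddress;
            int    lastPercent = -1;

            for (UInt64 CurAddress = ModStartAddress; CurAddress < ModEndAddress; CurAddress++)
            {
                int percent = (int)((CurAddress - ModStartAddress) * 100 / scanSize);
                if (percent != lastPercent)
                {
                    progressBar.Value = percent;
                    lastPercent       = percent;
                }

                //Candidate slot: a 4-byte value read at every byte offset (unaligned scan)
                UInt32 CurValue = (UInt32)memory.Read((IntPtr)CurAddress, eNktDboFundamentalType.ftUnsignedDoubleWord);

                if (CurValue >= SecStartAddress && CurValue <= SecEndAddress)
                {
                    //Bytes immediately before the candidate target
                    UInt32 PreOpcodeSize = 50;
                    byte[] PreOpcode     = new byte[PreOpcodeSize];
                    for (UInt32 n = 0; n < PreOpcodeSize; n++)
                    {
                        PreOpcode[n] =
                            (byte)memory.Read((IntPtr)(CurValue - PreOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte);
                    }

                    //Bytes starting at the candidate target
                    UInt32 PostOpcodeSize = 50;
                    byte[] PostOpcode     = new byte[PostOpcodeSize];
                    for (UInt32 n = 0; n < PostOpcodeSize; n++)
                    {
                        PostOpcode[n] =
                            (byte)memory.Read((IntPtr)(CurValue + n), eNktDboFundamentalType.ftUnsignedByte);
                    }

                    if (isValidPreOpCode(PreOpcode, PreOpcodeSize) && isValidPostOpCode(PostOpcode, PostOpcodeSize))
                    {
                        //Start a new vtable on the first hit, or when this hit is more than 500 bytes
                        //past the previous one. Original author's note: this threshold is tunable; the
                        //strict rule would be (CurAddress - tmpAddress != 4), i.e. consecutive slots.
                        if ((CurAddress - tmpAddress) > 500 || tmpAddress == 0)
                        {
                            vtbl            = new VTBL();
                            vtbl.Address    = CurAddress;
                            vtbl.ValuesList = new List <UInt64>();
                            VTableList.Add(vtbl);
                        }

                        tmpAddress = CurAddress;

                        //ValuesList is a reference, so the entry already stored in VTableList sees this add.
                        //NOTE(review): presumably SkipHook resolves past an installed hook — its contract
                        //is not visible in this file
                        vtbl.ValuesList.Add((UInt64)SkipHook((IntPtr)CurValue, _process.Id));
                    }
                }
            }

            progressBar.Value = 100;

            for (int n = 0; n < VTableList.Count; n++)
            {
                VTBL   entry    = VTableList.ElementAt(n);
                string vtblname = "VTBL_" + n.ToString("X") + "_" + entry.Address.ToString("X") + "_" + entry.ValuesList.Count;

                listBoxVTBL.Items.Add(vtblname);
            }

            btnHook.Enabled  = true;
            btnClear.Enabled = true;
        }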