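//Creates a file with the process memory (Does NOT handle deleting, take care of it elsewhere!)
//Output is "<pid>.mca" in the current working directory: each PE section image of p written
//back to back in section order, with .text omitted unless searchDotTextSection is true.
//NOTE(review): this is a raw dump of another process and may contain secrets (keys, tokens);
//the caller should keep the file in a protected directory and remove it once consumed.
private void getSections()
{
    string filename = p.Id.ToString() + ".mca";
    //Fetch the section table once; the loop bound already relied on the same call every iteration.
    NktStructPESections sections = p.Sections();
    //'using' closes the dump file even when a ReadMem call throws part way through.
    using (BinaryWriter bw = new BinaryWriter(File.Open(filename, FileMode.Create)))
    {
        //Write each section contents to file
        for (int i = 0; i < sections.Count; i++)
        {
            //Skip the .text section unless searchDotTextSection is enabled (true)
            if (sections.Name[i] == ".text" && !searchDotTextSection)
            {
                continue;
            }
            //Get start/end/size of section. ToInt64 avoids the OverflowException that ToInt32
            //raises for section addresses above 2 GB in a 64-bit target.
            IntPtr sptr = sections.StartAddress[i];
            IntPtr eptr = sections.EndAddress[i];
            long sectionsize = eptr.ToInt64() - sptr.ToInt64();
            //Nothing to dump for an empty section; a malformed one (end < start) used to blow up
            //on a negative array length, and one above int.MaxValue cannot be buffered at all.
            if (sectionsize <= 0 || sectionsize > int.MaxValue)
            {
                continue;
            }
            //Alloc buffer to receive memory from API, pinned so the native side can fill it
            byte[] buffer = new byte[sectionsize];
            GCHandle pinnedArray = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            try
            {
                //Read section
                p.Memory().ReadMem(pinnedArray.AddrOfPinnedObject(), sptr, new IntPtr(sectionsize));
            }
            finally
            {
                //Always unpin: a failing read must not leak the pin for the life of the process
                pinnedArray.Free();
            }
            //Output to file
            bw.Write(buffer);
        }
    }
}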
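// Scans a module image DWORD by DWORD for values that point into the .text section of the module
// selected in comboBoxModules, groups runs of such pointers into VTBL entries in VTableList and
// lists each one in listBoxVTBL. Runs synchronously on the UI thread; progressBar is the only
// feedback while scanning.
// NOTE(review): comboBoxModules is disabled here and not re-enabled in this method; a throwing
// memory.Read (e.g. an unmapped page) leaves it disabled for good — confirm that is acceptable.
private void comboBoxModules_SelectedIndexChanged(object sender, EventArgs e)
{
    comboBoxModules.Enabled = false;
    int selected = comboBoxModules.SelectedIndex;
    List<NktModule> ModuleList = (List<NktModule>)comboBoxModules.Tag;
    NktModule module = ModuleList.ElementAt(selected);
    NktStructPESections sections = module.Sections();

    // Locate the selected module's .text section. When no section is named ".text" this
    // silently falls back to section 0 (kept from the original — TODO(review): bail out instead?).
    int nSectionCode = 0;
    for (int n = 0; n < sections.Count; n++)
    {
        if (sections.get_Name(n) == ".text")
        {
            nSectionCode = n;
            break;
        }
    }
    SecStartAddress = (UInt64)sections.get_StartAddress(nSectionCode);
    SecEndAddress = (UInt64)sections.get_EndAddress(nSectionCode);

    // NOTE(review): the scanned range is taken from _process.Name, not from the selected module;
    // confirm scanning the main image for pointers into the selected module's .text is intended.
    ModStartAddress = (UInt64)GetModuleBase(_process.Name);
    ModEndAddress = ModStartAddress + (UInt64)GetModuleSize(_process.Name);
    UInt64 moduleSize = ModEndAddress - ModStartAddress;

    NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);
    ulong tmpAddress = 0;   // address of the previously accepted entry; 0 = none yet
    int lastPercent = -1;   // last value pushed to progressBar, to avoid one UI update per byte
    VTBL vtbl = new VTBL(); // replaced on every new table; ValuesList is shared with VTableList

    for (UInt64 CurAddress = ModStartAddress; CurAddress < ModEndAddress; CurAddress++)
    {
        // Progress is relative to the module, not the absolute address: the original
        // CurAddress * 100 / ModEndAddress started close to 100% for any module loaded high.
        // moduleSize > 0 here, otherwise the loop would not run.
        int percent = (int)((CurAddress - ModStartAddress) * 100 / moduleSize);
        if (percent != lastPercent)
        {
            progressBar.Value = percent;
            lastPercent = percent;
        }

        UInt32 CurValue = (UInt32)memory.Read((IntPtr)CurAddress, eNktDboFundamentalType.ftUnsignedDoubleWord);
        if (CurValue < SecStartAddress || CurValue > SecEndAddress)
        {
            continue;
        }

        // Fetch the bytes just before and just after the pointed-to address so the opcode
        // heuristics (isValidPreOpCode / isValidPostOpCode, defined elsewhere) can judge
        // whether CurValue looks like a function start.
        UInt32 PreOpcodeSize = 50;
        byte[] PreOpcode = new byte[PreOpcodeSize];
        for (UInt32 n = 0; n < PreOpcodeSize; n++)
        {
            PreOpcode[n] = (byte)memory.Read((IntPtr)(CurValue - PreOpcodeSize + n), eNktDboFundamentalType.ftUnsignedByte);
        }
        UInt32 PostOpcodeSize = 50;
        byte[] PostOpcode = new byte[PostOpcodeSize];
        for (UInt32 n = 0; n < PostOpcodeSize; n++)
        {
            PostOpcode[n] = (byte)memory.Read((IntPtr)(CurValue + n), eNktDboFundamentalType.ftUnsignedByte);
        }
        if (!isValidPreOpCode(PreOpcode, PreOpcodeSize) || !isValidPostOpCode(PostOpcode, PostOpcodeSize))
        {
            continue;
        }

        // A gap of more than 500 bytes since the last accepted entry starts a new table.
        // This threshold is tunable; strictly, consecutive entries should be exactly 4 bytes
        // apart, i.e. the test would be (CurAddress - tmpAddress != 4).
        if (tmpAddress == 0 || (CurAddress - tmpAddress) > 500)
        {
            vtbl = new VTBL();
            vtbl.Address = CurAddress;
            vtbl.ValuesList = new List<UInt64>();
            VTableList.Add(vtbl);
        }
        tmpAddress = CurAddress;
        // SkipHook is defined elsewhere; presumably it follows an installed hook to the real
        // target before the entry is recorded — verify against its implementation.
        vtbl.ValuesList.Add((UInt64)SkipHook((IntPtr)CurValue, _process.Id));
    }
    progressBar.Value = 100;

    // One list entry per table: VTBL_<index hex>_<address hex>_<entry count>
    for (int n = 0; n < VTableList.Count; n++)
    {
        VTBL found = VTableList.ElementAt(n);
        string vtblname = "VTBL_" + n.ToString("X") + "_" + found.Address.ToString("X") + "_" + found.ValuesList.Count;
        listBoxVTBL.Items.Add(vtblname);
    }
    btnHook.Enabled = true;
    btnClear.Enabled = true;
}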