public MemNavViewModel(Vtero v)
{
vtero.KernelProc.InitSymbolsForVad();
vtero = v;
ProcList = vtero.Processes.ToList();
RenderType = BlockType.Instructions64;
}
public xStructInfoViewModel(Vtero v, dynamic root)
{
vtero = v;
SelectedObject = root;
PropertyChanged += (sender, e) => Command.SelectedObject.RaiseCanExecuteChanged();
}
public Dumper(Vtero vtero, string outDir, DetectedProc dp, MemRangeArgs args)
{
Vtero = vtero;
DP = dp;
OutDir = outDir;
SelectedRegions = args.Regions;
}
public static void ListIt(Vtero vtero, ConfigOptions co)
{
var Version = vtero.Version;
Mem.InitMem(co.FileName, vtero.MRD);
}
public ImLoader(Vtero vtero, byte[] block, long address)
{
Thread t = new Thread(new ThreadStart(() => {
var im = new ImWindow(block, address);
im.RunWindowLoop();
}));
t.SetApartmentState(ApartmentState.STA);
t.IsBackground = true;
t.Start();
}
public override bool IsSupportedFormat(Vtero vtero)
{
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
if (LogicalPhysMemDesc != null)
PhysMemDesc = LogicalPhysMemDesc;
// weather or not we find it set true
return true;
}
public override bool IsSupportedFormat(Vtero vtero)
{
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
if (LogicalPhysMemDesc != null)
{
PhysMemDesc = LogicalPhysMemDesc;
}
// weather or not we find it set true
return(true);
}
public Loader(Vtero vtero)
{
Thread t = new Thread(new ThreadStart(() => {
var dc = new MemNavViewModel(vtero);
var w = new MemNavWin();
w.DataContext = dc;
w.Show();
Dispatcher.Run();
}));
t.SetApartmentState(ApartmentState.STA);
t.IsBackground = true;
t.Start();
}
public TreeGrid(Vtero vtero, dynamic root)
{
Thread t = new Thread(new ThreadStart(() =>
{
var dc = new xStructInfoViewModel(vtero, root);
var w = new ProcTree();
w.DataContext = dc;
w.PropGrid.SelectedObject = new DictionaryAdapter <string, object>(root);
w.Show();
Dispatcher.Run();
}));
t.SetApartmentState(ApartmentState.STA);
t.IsBackground = true;
t.Start();
}
public void dump(DumpOptions argz)
{
DumpOptions dOptions = argz;
if (argz == null)
{
ArgUsage.GetStyledUsage <DumpOptions>().Write();
return;
}
if (option.IgnoreSaveData)
{
ConsoleString.WriteLine("No save state available or requested to ignore, scan first before dumping.", ConsoleColor.Yellow, ConsoleColor.Black);
return;
}
if (vtero == null)
{
vtero = Scan.Scanit(option);
}
Dump.DumpIt(vtero, option, dOptions);
}
/// <summary>
/// Extract memory extents info from the guest memory
/// </summary>
/// <param name="vtero"></param>
/// <returns></returns>
public MemoryDescriptor ExtractMemDesc(Vtero vtero)
{
MemoryDescriptor MemRunDescriptor = null;
// rarely used pool tag
var off = Scanner.BackwardsValueScan(vtero.MemFile, 0x6c4d6d4d);
using (var dstream = File.OpenRead(vtero.MemFile))
{
var MemSize = dstream.Length;
long totPageCnt = 0;
using (var dbin = new BinaryReader(dstream))
{
foreach (var xoff in off)
{
//WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}");
if (xoff > vtero.FileSize)
{
// WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}");
continue;
}
for (long doff = 4; doff <= 64; doff += 4)
{
dstream.Position = xoff + doff;
MemRunDescriptor = new MemoryDescriptor();
MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
MemRunDescriptor.NumberOfPages = dbin.ReadInt64();
var RunCnt = MemRunDescriptor.NumberOfRuns;
var PageCnt = MemRunDescriptor.NumberOfPages;
//Console.WriteLine($"Runs: {RunCnt}, Pages: {MemRunDescriptor.NumberOfPages} ");
long lastBasePage = 0;
if (RunCnt > 0 && MemRunDescriptor.NumberOfRuns < 32)
{
MemRunDescriptor.Run = new List <MemoryRun>((int)RunCnt);
for (int i = 0; i < RunCnt; i++)
{
var basePage = dbin.ReadInt64();
// error check range too high/low
if (basePage < lastBasePage || basePage < 0)
{
break;
}
lastBasePage = basePage;
var pageCount = dbin.ReadInt64();
if (pageCount > PageCnt || pageCount <= 0)
{
break;
}
totPageCnt += pageCount;
MemRunDescriptor.Run.Add(new MemoryRun()
{
BasePage = basePage, PageCount = pageCount
});
}
if (totPageCnt > (PageCnt + 1024) || totPageCnt <= 0)
{
continue;
}
// if we have counted more pages than we have in disk
// or
// if we have less than 1/2 the pages we need (this is fudge factor should be precise right!)
if (totPageCnt > (((MemSize - StartOfMem) >> MagicNumbers.PAGE_SHIFT) & 0xffffffff) ||
totPageCnt < (((MemSize - StartOfMem) >> MagicNumbers.PAGE_SHIFT) & 0xffffffff) / 2
)
{
//Console.WriteLine($"odd/bad memory run, skipping");
continue;
}
else
{
return(MemRunDescriptor);
}
}
//WriteLine($"MemoryDescriptor {MemRunDescriptor}");
}
}
}
}
#if OLD_CODE
long aSkipCount = 0;
for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++)
{
var RunSkip = MemRunDescriptor.Run[i].BasePage - aSkipCount;
MemRunDescriptor.Run[i].SkipCount = RunSkip;
aSkipCount = MemRunDescriptor.Run[i].PageCount;
}
#endif
//WriteLine("Finished VALUE scan.");
return(MemRunDescriptor);
}
public abstract bool IsSupportedFormat(Vtero vtero);
public static void Main(string[] args)
{
#region fluff
var Version = PTType.UNCONFIGURED;
var Filename = string.Empty;
var SkipVMCS = false;
if (args.Length < 1)
{
PrintHelp();
return;
}
try {
Filename = args[0];
if (!File.Exists(Filename))
{
PrintHelp();
return;
}
if (args.Length > 1)
{
var spec = args[1].ToLower();
if (spec.Contains("win"))
{
Version |= PTType.Windows;
}
if (spec.Contains("lin"))
{
Version |= PTType.LinuxS;
}
if (spec.Contains("fbsd"))
{
Version |= PTType.FreeBSD;
}
if (spec.Contains("obsd"))
{
Version |= PTType.OpenBSD;
}
if (spec.Contains("nbsd"))
{
Version |= PTType.NetBSD;
}
if (spec.Contains("gen"))
{
Version |= PTType.GENERIC;
}
if (spec.Contains("!"))
{
Version |= PTType.ALL;
}
if (spec.Contains("-vmcs"))
{
SkipVMCS = true;
}
if (spec.Contains("-obsd"))
{
Version = Version & ~PTType.OpenBSD;
}
if (spec.Contains("-nbsd"))
{
Version = Version & ~PTType.NetBSD;
}
if (spec.Contains("-fbsd"))
{
Version = Version & ~PTType.FreeBSD;
}
if (spec.Contains("-lin"))
{
Version = Version & ~PTType.LinuxS;
}
if (spec.Contains("-win"))
{
Version = Version & ~PTType.Windows;
}
}
else
{
Version = PTType.ALL;
}
Vtero vtero = null;
var saveStateFile = $"{Filename}.inVtero.net";
if (File.Exists(saveStateFile))
{
WriteLine("Found save state, (l)oad or (d)iscard?");
var todo = ReadKey();
if (todo.Key == ConsoleKey.L)
{
vtero = Vtero.CheckpointRestoreState(saveStateFile);
vtero.OverRidePhase = true;
}
else
{
File.Delete(saveStateFile);
}
}
if (vtero == null)
{
vtero = new Vtero(Filename);
}
Vtero.VerboseOutput = true;
CancelKeyPress += Console_CancelKeyPress;
AppDomain.CurrentDomain.ProcessExit += CurrentDomain_ProcessExit;
ForegroundColor = ConsoleColor.Cyan;
#endregion
// basic perf checking
Timer = Stopwatch.StartNew();
var procCount = vtero.ProcDetectScan(Version);
#region page table/CR3 progress report
ForegroundColor = ConsoleColor.Blue;
BackgroundColor = ConsoleColor.Yellow;
var msg = $"{procCount} candiate process page tables. Time so far: {Timer.Elapsed}, second pass starting.";
Write(msg);
WriteLine(FormatRate(vtero.FileSize, Timer.Elapsed));
BackgroundColor = ConsoleColor.Black;
ForegroundColor = ConsoleColor.Cyan;
if (procCount < 3)
{
WriteLine("Seems like a fail. Try generic scanning or implement a state scan like LinuxS");
return;
}
//BackgroundColor = ConsoleColor.White;
#endregion
#region blighering
// second pass
// with the page tables we acquired, locate candidate VMCS pages in the format
// [31-bit revision id][abort indicator]
// the page must also have at least 1 64bit value which is all set (-1)
// Root-HOST CR3 will have uniform diff
// unless an extent based dump image is input, some .DMP variations
// TODO: Add support for extent based inputs
// Guest VMCS will contain host CR3 & guest CR3 (hCR3 & gCR3)
// sometimes CR3 will be found in multiple page tables, e.g. system process or SMP
// if I have more than 1 CR3 from different file_offset, just trim them out for now
// future may have a reason to isolate based on original locationAG
#endregion
if (!SkipVMCS)
{
var VMCSCount = vtero.VMCSScan();
//Timer.Stop();
#region VMCS page detection
ForegroundColor = ConsoleColor.Blue;
BackgroundColor = ConsoleColor.Yellow;
WriteLine($"{VMCSCount} candiate VMCS pages. Time to process: {Timer.Elapsed}");
Write($"Data scanned: {vtero.FileSize:N}");
// second time
WriteLine($"Second pass done. {FormatRate(vtero.FileSize * 2, Timer.Elapsed)}");
BackgroundColor = ConsoleColor.Black;
ForegroundColor = ConsoleColor.Cyan;
#region TEST
// each of these depends on a VMCS scan/pass having been done at the moment
WriteLine("grouping and joining all memory");
vtero.GroupAS();
// sync-save state so restarting is faster
if (!File.Exists(saveStateFile))
{
Write($"Saving checkpoint... ");
saveStateFile = vtero.CheckpointSaveState();
WriteLine(saveStateFile);
}
// Extract Address Spaces verifies the linkages between
// process<->CR3<->EPTP(if there is one)
// and that they are functional
var vetted = vtero.ExtrtactAddressSpaces();
// do a test dump
// extract & dump could be done at the same time
vtero.DumpASToFile(vetted);
if (Vtero.VerboseOutput)
{
vtero.DumpFailList();
}
WriteLine($"Final analysis compleated, address spaces extracted. {Timer.Elapsed} {FormatRate(vtero.FileSize * 3, Timer.Elapsed)}");
}
#endregion
#endregion
} catch (Exception ex)
{
Write("Error in processing, likely need to adjust run/gaps. ");
Write(ex.ToString());
WriteLine((ex.InnerException == null ? "." : ex.InnerException.ToString()));
}
finally {
ResetColor();
}
return;
}
/// <summary>
/// Extract memory extents info from the guest memory
/// </summary>
/// <param name="vtero"></param>
/// <returns></returns>
public MemoryDescriptor ExtractMemDesc(Vtero vtero)
{
MemoryDescriptor MemRunDescriptor = null;
// rarely used pool tag
var off = Scanner.BackwardsValueScan(vtero.MemFile, 0x6c4d6d4d);
using (var dstream = File.OpenRead(vtero.MemFile))
{
var MemSize = dstream.Length;
long totPageCnt = 0;
using (var dbin = new BinaryReader(dstream))
{
foreach (var xoff in off)
{
//WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}");
if (xoff > vtero.FileSize)
{
// WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}");
continue;
}
for (long doff = 4; doff <= 64; doff += 4)
{
dstream.Position = xoff + doff;
MemRunDescriptor = new MemoryDescriptor();
MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
MemRunDescriptor.NumberOfPages = dbin.ReadInt64();
var RunCnt = MemRunDescriptor.NumberOfRuns;
var PageCnt = MemRunDescriptor.NumberOfPages;
//Console.WriteLine($"Runs: {RunCnt}, Pages: {MemRunDescriptor.NumberOfPages} ");
long lastBasePage = 0;
if (RunCnt > 0 && MemRunDescriptor.NumberOfRuns < 32)
{
MemRunDescriptor.Run = new List<MemoryRun>((int)RunCnt);
for (int i = 0; i < RunCnt; i++)
{
var basePage = dbin.ReadInt64();
// error check range too high/low
if (basePage < lastBasePage || basePage < 0)
break;
lastBasePage = basePage;
var pageCount = dbin.ReadInt64();
if (pageCount > PageCnt || pageCount <= 0)
break;
totPageCnt += pageCount;
MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = basePage, PageCount = pageCount });
}
if (totPageCnt > (PageCnt + 1024) || totPageCnt <= 0)
continue;
// if we have counted more pages than we have in disk
// or
// if we have less than 1/2 the pages we need (this is fudge factor should be precise right!)
if (totPageCnt > (((MemSize - StartOfMem) >> MagicNumbers.PAGE_SHIFT) & 0xffffffff) ||
totPageCnt < (((MemSize - StartOfMem) >> MagicNumbers.PAGE_SHIFT) & 0xffffffff) / 2
)
{
//Console.WriteLine($"odd/bad memory run, skipping");
continue;
}
else
return MemRunDescriptor;
}
//WriteLine($"MemoryDescriptor {MemRunDescriptor}");
}
}
}
}
#if OLD_CODE
long aSkipCount = 0;
for (int i=0; i < MemRunDescriptor.NumberOfRuns; i++)
{
var RunSkip = MemRunDescriptor.Run[i].BasePage - aSkipCount;
MemRunDescriptor.Run[i].SkipCount = RunSkip;
aSkipCount = MemRunDescriptor.Run[i].PageCount;
}
#endif
//WriteLine("Finished VALUE scan.");
return MemRunDescriptor;
}
/// <summary>
/// OK need to double check later but even though there are 64 bits available in the field
/// only 32bits are seemingly being used. Otherwise the values have to be interpreted as
/// physical addresses and not page numbers.
/// </summary>
/// <returns></returns>
public override bool IsSupportedFormat(Vtero vtero)
{
// use abstract implementation & scan for internal
// were actually not going to use this in VMWare since were so good at vmss
// this is sort of meaningless :(
//LogicalPhysMemDesc = ExtractMemDesc(vtero);
bool rv = false;
if (!File.Exists(vDeviceFile) || !File.Exists(MemFile))
{
return(rv);
}
// Let's seee how far we can get w/o being to aggressive here
//using (var dstream = File.OpenRead(vDeviceFile))
//{
// using (var dbin = new BinaryReader(dstream))
// {
// // D2BE is really easy to extract data from
// if (dbin.ReadUInt32() != 0xBED2BED2)
// return rv;
// }
//}
rv = true;
var MemRunDescriptor = new MemoryDescriptor();
// vmem files are contagious starting from 0
MemRunDescriptor.StartOfMemmory = 0;
var inFile = File.OpenRead(vDeviceFile);
// TODO: make this (parsing) more precise for additional versions
var stateData = new byte[0x40000];
inFile.Read(stateData, 0, stateData.Length);
var ToFind = ASCIIEncoding.ASCII.GetBytes("regionsCount");
var rpn = ASCIIEncoding.ASCII.GetBytes("regionPageNum");
var ppn = ASCIIEncoding.ASCII.GetBytes("regionPPN");
var rsiz = ASCIIEncoding.ASCII.GetBytes("regionSize");
int i;
bool Found = false;
for (i = 0; i < stateData.Length - ToFind.Length; i++)
{
int n = 0;
do
{
if (stateData[i + n] != ToFind[n])
{
break;
}
n++;
if (n >= ToFind.Length)
{
Found = true;
}
} while (!Found);
if (Found)
{
break;
}
}
long TotalPages = 0;
i += ToFind.Length;
var Count = BitConverter.ToUInt32(stateData, i);
MemRunDescriptor.NumberOfRuns = Count;
i += 4; i += 2; // 2 bytes looks like a typeID or some sort of magic
// below the >> 20 is/was what seemed to be an adjustment for 64-44 bits of
// physical address range
// however the additional >> 12 is physical address into physical pages
// but it seemingly was supposed to be pages to begin with so who knows, but this works
// maybe it is pages and I needed +4 on the index and then everything works with a .ToUInt32
// but that now seems short of the physical limits, anyhow, this works ;)
for (int r = 0; r < Count; r++)
{
i += rpn.Length;
var basePage = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
i += ppn.Length;
var ppnVal = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
i += rsiz.Length;
var regionSize = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
TotalPages += regionSize;
MemRunDescriptor.Run.Add(new MemoryRun()
{
BasePage = ppnVal, PageCount = regionSize, regionPPN = basePage
});
}
MemRunDescriptor.NumberOfPages = TotalPages;
PhysMemDesc = MemRunDescriptor;
// adjust start of memory to
if (vDeviceFile == MemFile)
{
var x = (int)(Math.Ceiling((decimal)i / 0x10000) * 0x10000);
StartOfMem = x;
}
if (TotalPages == 0)
{
MemRunDescriptor.NumberOfPages = new FileInfo(MemFile).Length >> MagicNumbers.PAGE_SHIFT;
PhysMemDesc = MemRunDescriptor;
LogicalPhysMemDesc = ExtractMemDesc(vtero);
}
return(rv);
}
public static Vtero Scanit(ConfigOptions co)
{
bool SkipVMCS = (co.VersionsToEnable & PTType.VMCS) != PTType.VMCS;
var Filename = co.FileName;
co.VersionsToEnable = co.VersionsToEnable & ~PTType.VMCS;
// allocate now so that we can un-serialize or keep an instance
Vtero vtero = new Vtero();
// this instance is temporally used for loading state
// i.e. don't set properties or fields here
if (!co.IgnoreSaveData)
{
vtero = vtero.CheckpointRestoreState(Filename);
if (vtero == null)
{
vtero = new Vtero();
}
else
{
vtero.OverRidePhase = true;
}
}
if (vtero.Phase < 2)
{
if (!co.ForceSingleFlatMemRun)
{
vtero = new Vtero(Filename);
}
else
{
var siz = new FileInfo(co.FileName).Length;
vtero.MRD = new BasicRunDetector();
vtero.MRD.MemFile = co.FileName;
vtero.MRD.vDeviceFile = co.FileName;
vtero.MRD.PhysMemDesc = new MemoryDescriptor(siz);
vtero = new Vtero(Filename, vtero.MRD);
}
}
if (!vtero.OverRidePhase)
{
Mem.InitMem(co.FileName, vtero.MRD);
//ProgressBarz.BaseMessage = new ConsoleString("First pass, looking for processes");
ForegroundColor = ConsoleColor.Cyan;
#if TESTING
Timer = Stopwatch.StartNew();
if ((Version & PTType.VALUE) == PTType.VALUE)
{
var off = vtero.ScanValue(Is64Scan, valuL, 0);
WriteLine(FormatRate(vtero.FileSize, Timer.Elapsed));
using (var dstream = File.OpenRead(vtero.MemFile))
{
using (var dbin = new BinaryReader(dstream))
{
foreach (var xoff in off)
{
WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}");
if (xoff > vtero.FileSize)
{
WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}");
continue;
}
dstream.Position = xoff + 28;
var MemRunDescriptor = new MemoryDescriptor();
MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
MemRunDescriptor.NumberOfPages = dbin.ReadInt64();
Console.WriteLine($"Runs: {MemRunDescriptor.NumberOfRuns}, Pages: {MemRunDescriptor.NumberOfPages} ");
if (MemRunDescriptor.NumberOfRuns < 0 || MemRunDescriptor.NumberOfRuns > 32)
{
continue;
}
for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++)
{
var basePage = dbin.ReadInt64();
var pageCount = dbin.ReadInt64();
MemRunDescriptor.Run.Add(new MemoryRun()
{
BasePage = basePage, PageCount = pageCount
});
}
WriteLine($"MemoryDescriptor {MemRunDescriptor}");
}
}
}
WriteLine("Finished VALUE scan.");
return;
}
if ((Version & PTType.VALUE) == PTType.VALUE)
{
return;
}
#endif
}
// basic perf checking
//QuickOptions.Timer = Stopwatch.StartNew();
var procCount = vtero.ProcDetectScan(co.VersionsToEnable);
// second pass
// with the page tables we acquired, locate candidate VMCS pages in the format
// [31-bit revision id][abort indicator]
// the page must also have at least 1 64bit value which is all set (-1)
// Root-HOST CR3 will have uniform diff
// unless an extent based dump image is input, some .DMP variations
// TODO: Add support for extent based inputs
// Guest VMCS will contain host CR3 & guest CR3 (hCR3 & gCR3)
// sometimes CR3 will be found in multiple page tables, e.g. system process or SMP
// if I have more than 1 CR3 from different file_offset, just trim them out for now
// future may have a reason to isolate based on original locationAG
if (SkipVMCS)
{
if (!vtero.OverRidePhase)
{
vtero.GroupAS();
}
if (co.VerboseLevel > 1)
{
WriteColor(ConsoleColor.Yellow, "Skipping VMCS scan (as requested).");
}
}
else
{
//ProgressBarz.BaseMessage = new ConsoleString("Second pass, correlating for VMCS pages");
var VMCSCount = vtero.VMCSScan();
//Timer.Stop();
if (!vtero.OverRidePhase)
{
//WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{VMCSCount} candidate VMCS pages. Time to process: {QuickOptions.Timer.Elapsed}, Data scanned: {vtero.FileSize:N}");
// second time
//WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"Second pass done. {QuickOptions.FormatRate(vtero.FileSize * 2, QuickOptions.Timer.Elapsed)}");
// each of these depends on a VMCS scan/pass having been done at the moment
WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, "grouping and joining all memory");
}
// After this point were fairly functional
vtero.GroupAS();
}
// sync-save state so restarting is faster
if (!co.IgnoreSaveData)
{
if (Vtero.VerboseLevel > 0)
{
Write($"Saving checkpoint... ");
}
var saveStateFile = vtero.CheckpointSaveState();
WriteColor(ConsoleColor.White, saveStateFile);
}
Console.CursorVisible = true;
return(vtero);
}
public void scan()
{
vtero = Scan.Scanit(option);
}
public override bool IsSupportedFormat(Vtero vtero)
{
bool rv = false;
if (!File.Exists(DumpFile))
{
return(rv);
}
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
using (var dstream = File.OpenRead(DumpFile))
{
MemSize = dstream.Length;
using (var dbin = new BinaryReader(dstream))
{
// start with a easy to handle format of DMP
if (ASCIIEncoding.ASCII.GetString(dbin.ReadBytes(8)) != "PAGEDU64")
{
return(rv);
}
dbin.BaseStream.Position = 0x2020;
StartOfMem = dbin.ReadUInt32();
// Find the RUN info
dbin.BaseStream.Position = 0x88;
var MemRunDescriptor = new MemoryDescriptor();
MemRunDescriptor.StartOfMemmory = StartOfMem;
MemRunDescriptor.NumberOfRuns = dbin.ReadInt64();
MemRunDescriptor.NumberOfPages = dbin.ReadInt64();
// this struct has to fit in the header which is only 0x2000 in total size
if (MemRunDescriptor.NumberOfRuns > 32 || MemRunDescriptor.NumberOfRuns < 0)
{
// TODO: in this case we have to de-patchguard the KDDEBUGGER_DATA block
// before resulting to that... implemented a memory scanning mode to extract the runs out via struct detection
PhysMemDesc = LogicalPhysMemDesc;
PhysMemDesc.StartOfMemmory = StartOfMem;
// physmem is preferred place to load from so if we have only 1 run move it to phys.
LogicalPhysMemDesc = null;
}
else
{
// in this case StartOfMem is 0x2000
MemRunDescriptor.StartOfMemmory = 0x2000;
// we have an embedded RUN in the DMP file that appears to conform to the rules we know
for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++)
{
var basePage = dbin.ReadInt64();
var pageCount = dbin.ReadInt64();
MemRunDescriptor.Run.Add(new MemoryRun()
{
BasePage = basePage, PageCount = pageCount
});
}
PhysMemDesc = MemRunDescriptor;
}
rv = true;
}
}
#if OLD_CODE
long aSkipCount = 0;
for (int i = 0; i < PhysMemDesc.NumberOfRuns; i++)
{
var RunSkip = PhysMemDesc.Run[i].BasePage - aSkipCount;
PhysMemDesc.Run[i].SkipCount = RunSkip;
aSkipCount = PhysMemDesc.Run[i].BasePage + PhysMemDesc.Run[i].PageCount;
}
#endif
return(rv);
}
/// <summary>
/// OK need to double check later but even though there are 64 bits available in the field
/// only 32bits are seemingly being used. Otherwise the values have to be interpreted as
/// physical addresses and not page numbers.
/// </summary>
/// <returns></returns>
public override bool IsSupportedFormat(Vtero vtero)
{
// use abstract implementation & scan for internal
// were actually not going to use this in VMWare since were so good at vmss
// this is sort of meaningless :(
//LogicalPhysMemDesc = ExtractMemDesc(vtero);
bool rv = false;
if (!File.Exists(vDeviceFile) || !File.Exists(MemFile))
return rv;
using (var dstream = File.OpenRead(vDeviceFile))
{
using (var dbin = new BinaryReader(dstream))
{
// D2BE is really easy to extract data from
if (dbin.ReadUInt32() != 0xBED2BED2)
return rv;
}
}
rv = true;
var MemRunDescriptor = new MemoryDescriptor();
// vmem files are contagious starting from 0
MemRunDescriptor.StartOfMemmory = 0;
var stateData = File.ReadAllBytes(vDeviceFile);
var ToFind = ASCIIEncoding.ASCII.GetBytes("regionsCount");
var rpn = ASCIIEncoding.ASCII.GetBytes("regionPageNum");
var ppn = ASCIIEncoding.ASCII.GetBytes("regionPPN");
var rsiz = ASCIIEncoding.ASCII.GetBytes("regionSize");
int i;
for(i=0; i < stateData.Length-ToFind.Length; i++)
{
int n = 0;
bool Found = false;
do
{
if (stateData[i + n] != ToFind[n])
break;
n++;
if (n >= ToFind.Length)
Found = true;
} while (!Found);
if (Found)
break;
}
long TotalPages = 0;
i += ToFind.Length;
var Count = BitConverter.ToUInt32(stateData, i);
MemRunDescriptor.NumberOfRuns = Count;
i += 4; i += 2; // 2 bytes looks like a typeID or some sort of magic
// below the >> 20 is/was what seemed to be an adjustment for 64-44 bits of
// physical address range
// however the additional >> 12 is physical address into physical pages
// but it seemingly was supposed to be pages to begin with so who knows, but this works
// maybe it is pages and I needed +4 on the index and then everything works with a .ToUInt32
// but that now seems short of the physical limits, anyhow, this works ;)
for (int r = 0; r < Count; r++)
{
i += rpn.Length;
var basePage = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
i += ppn.Length;
var ppnVal = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
i += rsiz.Length;
var regionSize = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
i += 8; i += 2;
TotalPages += regionSize;
MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = ppnVal, PageCount = regionSize, regionPPN = basePage });
}
MemRunDescriptor.NumberOfPages = TotalPages;
PhysMemDesc = MemRunDescriptor;
return rv;
}
public MemNavViewModel(Vtero v)
{
vtero = v;
ProcList = vtero.Processes.ToList();
RenderType = BlockType.Instructions64;
}
/// <summary>
/// This pulls info from the hypervisor areas regarding memory extents
/// </summary>
/// <param name="vtero"></param>
/// <returns></returns>
public override bool IsSupportedFormat(Vtero vtero)
{
long InfoCnt;
long nr_vcpu, nr_pages = 0, page_size = 0, pfn_LAST, pfn_VAL;
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
if (Elf == null)
return false;
using (var dstream = File.OpenRead(vtero.MemFile))
{
using (var ebin = new BinaryReader(dstream))
{
ELFInfo = Elf.GetSection(".note.Xen"); // get note stuff and fill in da info
if (ELFInfo != null)
{
ebin.BaseStream.Position = ELFInfo.Offset;
InfoCnt = ebin.ReadInt64();
for (long l = 0; l < InfoCnt; l++)
{
var InfoType = ebin.ReadInt32();
ebin.BaseStream.Position += 12;
switch (InfoType)
{
// header type
case 0x2000001:
nr_vcpu = ebin.ReadInt64();
nr_pages = ebin.ReadInt64();
page_size = ebin.ReadInt64();
break;
// none type
case 0x2:
break;
default:
break;
}
}
ELFPfn = Elf.GetSection(".xen_pfn");
ebin.BaseStream.Position = ELFPfn.Offset;
// base page, length
long CurrBasePage = 0;
long CurrRunLen = 0;
// parse the array
pfn_LAST = ebin.ReadInt64();
for (long pfnx = 0; pfnx < nr_pages; pfnx++)
{
CurrRunLen++;
pfn_VAL = ebin.ReadInt64();
if (pfn_LAST + 1 == pfn_VAL)
{
pfn_LAST = pfn_VAL;
continue;
}
// add run
DetectedRuns.Add(CurrBasePage, CurrRunLen);
// reset counter
// that is adjusted in the value
pfn_LAST = CurrBasePage = pfn_VAL;
CurrRunLen = 0;
if (CurrBasePage >= nr_pages)
break;
}
}
}
}
ELFPages = Elf.GetSection(".xen_pages");
if (ELFPages != null)
StartOfMem = ELFPages.Offset;
PhysMemDesc = new MemoryDescriptor(nr_pages * page_size);
PhysMemDesc.NumberOfRuns = DetectedRuns.Count;
PhysMemDesc.NumberOfPages = nr_pages;
PhysMemDesc.StartOfMemmory = StartOfMem;
PhysMemDesc.Run = new List<MemoryRun>();
foreach (var kvp in DetectedRuns)
PhysMemDesc.Run.Add(new MemoryRun() { BasePage = kvp.Key, PageCount = kvp.Value });
return SupportedStatus;
}
public static void ListIt(Vtero vtero, ConfigOptions co)
{
var Version = vtero.Version;
Mem.InitMem(co.FileName, vtero.MRD);
}
/// <summary>
/// This pulls info from the hypervisor areas regarding memory extents
/// </summary>
/// <param name="vtero"></param>
/// <returns></returns>
public override bool IsSupportedFormat(Vtero vtero)
{
long InfoCnt;
long nr_vcpu, nr_pages = 0, page_size = 0, pfn_LAST, pfn_VAL;
// use abstract implementation & scan for internal
LogicalPhysMemDesc = ExtractMemDesc(vtero);
if (Elf == null)
{
return(false);
}
using (var dstream = File.OpenRead(vtero.MemFile))
{
using (var ebin = new BinaryReader(dstream))
{
ELFInfo = Elf.GetSection(".note.Xen"); // get note stuff and fill in da info
if (ELFInfo != null)
{
ebin.BaseStream.Position = ELFInfo.Offset;
InfoCnt = ebin.ReadInt64();
for (long l = 0; l < InfoCnt; l++)
{
var InfoType = ebin.ReadInt32();
ebin.BaseStream.Position += 12;
switch (InfoType)
{
// header type
case 0x2000001:
nr_vcpu = ebin.ReadInt64();
nr_pages = ebin.ReadInt64();
page_size = ebin.ReadInt64();
break;
// none type
case 0x2:
break;
default:
break;
}
}
ELFPfn = Elf.GetSection(".xen_pfn");
ebin.BaseStream.Position = ELFPfn.Offset;
// base page, length
long CurrBasePage = 0;
long CurrRunLen = 0;
// parse the array
pfn_LAST = ebin.ReadInt64();
for (long pfnx = 0; pfnx < nr_pages; pfnx++)
{
CurrRunLen++;
pfn_VAL = ebin.ReadInt64();
if (pfn_LAST + 1 == pfn_VAL)
{
pfn_LAST = pfn_VAL;
continue;
}
// add run
DetectedRuns.Add(CurrBasePage, CurrRunLen);
// reset counter
// that is adjusted in the value
pfn_LAST = CurrBasePage = pfn_VAL;
CurrRunLen = 0;
if (CurrBasePage >= nr_pages)
{
break;
}
}
}
}
}
ELFPages = Elf.GetSection(".xen_pages");
if (ELFPages != null)
{
StartOfMem = ELFPages.Offset;
}
PhysMemDesc = new MemoryDescriptor(nr_pages * page_size);
PhysMemDesc.NumberOfRuns = DetectedRuns.Count;
PhysMemDesc.NumberOfPages = nr_pages;
PhysMemDesc.StartOfMemmory = StartOfMem;
PhysMemDesc.Run = new List <MemoryRun>();
foreach (var kvp in DetectedRuns)
{
PhysMemDesc.Run.Add(new MemoryRun()
{
BasePage = kvp.Key, PageCount = kvp.Value
});
}
return(SupportedStatus);
}
public abstract bool IsSupportedFormat(Vtero vtero);
