public LibraryResultsProcessor(IList<Library> libraries) { this.libraries = libraries; libraries_string_interval = new Dictionary<string, Interval>(); libraries_interval_string = new Dictionary<Interval, string>(); Library nullLibrary = new Library(); nullLibrary.Name = "Select to view only system calls"; nullLibrary.Originaladdress = 0; nullLibrary.PeSupport = null; this.libraries.Add(nullLibrary); foreach (Library l in this.libraries) { if(l.PeSupport != null) AddLibraryRange(l.Name, l.PeSupport.ImageBase, l.PeSupport.ImageBase + l.PeSupport.ImageSize); } }
public LibraryResultsProcessor(string filename) { libraries = new List<Library>(); libraries_string_interval = new Dictionary<string,Interval>(); libraries_interval_string = new Dictionary<Interval, string>(); Library nullLibrary = new Library(); nullLibrary.Name = "Select to view only system calls"; nullLibrary.Originaladdress = 0; nullLibrary.PeSupport = null; libraries.Add(nullLibrary); using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { using (StreamReader sr = new StreamReader(fs)) { while (!sr.EndOfStream) { string line = sr.ReadLine(); string[] entries = line.Split(new char[] { '|' }); Library library = new Library(); foreach (string s in entries) { string[] keyvalue = s.Split(new char[] { ':' }); if (keyvalue.Length < 2) continue; if (keyvalue.Length > 2) { // there is a colon besides the field delimeter for (int i = 2; i < keyvalue.Length; i++) { keyvalue[1] += ":" + keyvalue[i]; } } keyvalue[0] = keyvalue[0].Trim(); keyvalue[1] = keyvalue[1].Trim(); switch (keyvalue[0]) { case "Library Name": library.Name = keyvalue[1].Trim(); try { library.PeSupport = new PESupport(library.Name); library.Originaladdress = (uint)library.PeSupport.ImageBase; } catch (ApplicationException e) { library.PeSupport = new PESupport("C:\\Program Files\\Java\\jdk1.7.0_45\\bin\\jli.dll"); } break; case "Start Address": int addr; if (int.TryParse(keyvalue[1], out addr)) { library.Loadaddress = (uint)addr; // library.Originaladdress = (uint)addr; } else { library.Loadaddress = 0x1337BEEF; // library.Originaladdress= 0; } break; case "End Address": break; case "Entry Address": break; default: break; } } Debug.WriteLine("Name: {0} Base: {1:X} End: {2:X}", library.Name, library.PeSupport.ImageBase, library.PeSupport.ImageBase + library.PeSupport.ImageSize); Libraries.Add(library); } } } foreach (Library l in this.libraries) { if (l.PeSupport != null) { AddLibraryRange(l.Name, (int)l.Loadaddress, (int)(l.Loadaddress + l.PeSupport.ImageSize)); } } }
public InstructionProcessor(string filename, IList<Library> libraries, LibraryResultsProcessor processor) { this.libraries = libraries; instructions = new List<Instruction>(); includedLibraries = new List<string>(); threads = new List<int>(); includedThreads = new List<int>(); libraryOffsetDictionary = new Dictionary<string, int>(); // initialise the color bank colorBank = new Color[16]; colorBank[0] = Color.FromArgb(246, 150, 121); colorBank[1] = Color.FromArgb(249, 173, 129); colorBank[2] = Color.FromArgb(253, 198, 137); colorBank[3] = Color.FromArgb(255, 247, 153); colorBank[4] = Color.FromArgb(196, 223, 155); colorBank[5] = Color.FromArgb(163, 211, 156); colorBank[6] = Color.FromArgb(130, 202, 156); colorBank[7] = Color.FromArgb(122, 204, 200); colorBank[8] = Color.FromArgb(109, 207, 246); colorBank[9] = Color.FromArgb(125, 167, 217); colorBank[10] = Color.FromArgb(131, 147, 202); colorBank[11] = Color.FromArgb(135, 129, 189); colorBank[12] = Color.FromArgb(161, 134, 190); colorBank[13] = Color.FromArgb(189, 140, 191); colorBank[14] = Color.FromArgb(244, 154, 193); colorBank[15] = Color.FromArgb(245, 152, 157); Library strange = new Library(); strange.Name = "INVALID"; using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { using (StreamReader sr = new StreamReader(fs)) { while (!sr.EndOfStream) { string line = sr.ReadLine(); string[] entries = line.Split(new char[]{'|'}); Instruction instr = new Instruction(); foreach(string s in entries) { string[] keyvalue = s.Split(new char[] {':'}); if (keyvalue.Length < 2) continue; if (keyvalue.Length > 2) { // there is a colon besides the field delimeter for (int i = 2; i < keyvalue.Length; i++) { keyvalue[1] += ":" + keyvalue[i]; } } keyvalue[0] = keyvalue[0].Trim(); keyvalue[1] = keyvalue[1].Trim(); switch (keyvalue[0]) { case "Thread ID": int id; if (Int32.TryParse(keyvalue[1], out id)) { instr.Threadid = (uint)id; if (!Threads.Contains(id)) Threads.Add(id); if (!IncludedThreads.Contains(id)) IncludedThreads.Add(id); } else instr.Threadid = 0; break; case "Instruction Address": int addr; if (int.TryParse(keyvalue[1], out addr)) { instr.Address = instr.Address_traced = (uint)addr; } else instr.Address = instr.Address_traced = 0; break; case "Library Name": if (libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList().Count == 0) { instr.Library = strange; //throw new InvalidDataException("Somehow executed a non-loaded library!"); if(!libraries.Contains(strange)) libraries.Add(strange); } List<Library> lib = libraries.Where(x => x.Name.Equals(keyvalue[1].Trim())).ToList(); if (lib.Count != 0) { instr.Library = lib.First(); } else { Console.WriteLine("Found an instruction without a corresponding library!"); } if (!IncludedLibraries.Contains(keyvalue[1])) { IncludedLibraries.Add(keyvalue[1]); } break; case "Instruction Count": int count; if (Int32.TryParse(keyvalue[1], out count)) instr.Instructionnumber = count; else instr.Instructionnumber = -1; break; case "Time": int time; if (Int32.TryParse(keyvalue[1], out time)) instr.Time = (uint)time; else instr.Instructionnumber = -1; break; case "Depth": int depth; if (Int32.TryParse(keyvalue[1], out depth)) { instr.Depth = (int)depth; instr.Color = ColorBank[instr.Depth % ColorBank.Length]; } else instr.Depth = -1; break; default: break; } } if (MaxDepth < instr.Depth) MaxDepth = instr.Depth; if (MinDepth > instr.Depth) MinDepth = instr.Depth; instructions.Add(instr); } } } foreach(Instruction instr in this.instructions) { if (instr.Library == strange) { // This is an unresolved library, instruction address pairing. Let's patch it up. instr.LibraryName = processor.GetLibraryName((int)instr.Address); foreach(Library l in this.Libraries) { if (l.Name != null && l.Name.CompareTo(instr.LibraryName) == 0) { instr.Library = l; break; } } if (instr.LibraryName == null) { //Debug.WriteLine("Couldnt resolve address {0:X} to a library. Traced as {1:X}.", instr.Address, instr.Address_traced); instr.Library = strange; instr.LibraryName = "STRANGE MODE"; } } List<string> outValue = new List<string>(); if (instr.Library.PeSupport != null && instr.Library.PeSupport.Exports.TryGetValue((int)instr.Address, out outValue)) { instr.SystemCallName = outValue[0]; } } }