public List <DriverObject> Run() { FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\driverscan.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(DoIt(cachedMap.OffsetRecords)); } } PoolScan scanner = new PoolScan(_profile, _dataProvider, PoolType.Driver); var results = scanner.Scan(); OffsetMap map = new OffsetMap(); map.OffsetRecords = new HashSet <ulong>(); foreach (ulong item in results) { map.OffsetRecords.Add(item); } if (!_dataProvider.IsLive) { PersistOffsetMap(map, _dataProvider.CacheFolder + "\\driverscan"); } return(DoIt(map.OffsetRecords)); }
public HashSet <ulong> Run() { // first let's see if it already exists FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PspCidTable.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(cachedMap.OffsetRecords); } } HashSet <ulong> results = new HashSet <ulong>(); uint tableOffset = (uint)_profile.GetConstant("PspCidTable"); ulong vAddr = _profile.KernelBaseAddress + tableOffset; ulong tableAddress = 0; if (_isx64) { var v = _dataProvider.ReadUInt64(vAddr); if (v == null) { return(null); } tableAddress = (ulong)v & 0xffffffffffff; } else { var v = _dataProvider.ReadUInt32(vAddr); if (v == null) { return(null); } tableAddress = (ulong)v; } HandleTable ht = new HandleTable(_profile, _dataProvider, tableAddress); List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level); ulong bodyOffset = (ulong)_profile.GetOffset("_OBJECT_HEADER", "Body"); foreach (HandleTableEntry e in records) { try { vAddr = e.ObjectPointer - bodyOffset; ObjectHeader header = new ObjectHeader(_profile, _dataProvider, vAddr); string objectName = GetObjectName(header.TypeInfo); if (objectName == "Process") { results.Add(e.ObjectPointer); } } catch (Exception) { continue; } } return(TrySave(results)); }
public HashSet <ulong> Run() { // first let's see if it already exists FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_Sessions.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(cachedMap.OffsetRecords); } } HashSet <ulong> results = new HashSet <ulong>(); HashSet <ulong> sessionList = new HashSet <ulong>(); // a list of pointers to _MM_SESSION_SPAVE objects if (_processList != null) { foreach (ProcessInfo info in _processList) { if (info.Session != 0) { sessionList.Add(info.Session); } } } ulong sOffset = (ulong)_profile.GetOffset("_EPROCESS", "SessionProcessLinks"); ulong plOffset = (ulong)_profile.GetOffset("_MM_SESSION_SPACE", "ProcessList"); foreach (ulong item in sessionList) { SessionSpace ss = new SessionSpace(_profile, _dataProvider, item); LIST_ENTRY sle = ss.ProcessList; List <LIST_ENTRY> procLists = FindAllLists(_dataProvider, sle); HashSet <ulong> tempList = new HashSet <ulong>(); foreach (LIST_ENTRY entry in procLists) { tempList.Add(entry.Blink); tempList.Add(entry.Flink); } foreach (ulong ul in tempList) { if (ul - plOffset == item) { continue; } if (ul == 0) { continue; } results.Add(ul - sOffset); } } return(TrySave(results)); }
protected bool PersistOffsetMap(OffsetMap source, string fileName) { if (!fileName.EndsWith(".gz")) { fileName += ".gz"; } byte[] bytesToCompress = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(source)); using (FileStream fileToCompress = File.Create(fileName)) using (GZipStream compressionStream = new GZipStream(fileToCompress, CompressionMode.Compress)) { compressionStream.Write(bytesToCompress, 0, bytesToCompress.Length); } return(true); }
private HashSet <ulong> TrySave(HashSet <ulong> results) { if (results.Count == 0) { return(null); } if (_dataProvider.IsLive) { return(results); } OffsetMap map = new OffsetMap(); map.OffsetRecords = results; if (!_dataProvider.IsLive) { PersistOffsetMap(map, _dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead"); } return(results); }
public HashSet <ulong> Run() { // first let's see if it already exists FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(cachedMap.OffsetRecords); } } HashSet <ulong> results = new HashSet <ulong>(); uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead"); ulong vAddr = _profile.KernelBaseAddress + processHeadOffset; _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace; LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr); ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks"); List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le); foreach (LIST_ENTRY entry in lists) { if (entry.VirtualAddress == vAddr) { continue; } if (entry.VirtualAddress == 0) { continue; } results.Add(entry.VirtualAddress - apl); } return(TrySave(results)); }
public HashSet <ulong> Run() { // first let's see if it already exists FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz"); if (cachedFile.Exists && !_dataProvider.IsLive) { OffsetMap cachedMap = RetrieveOffsetMap(cachedFile); if (cachedMap != null) { return(cachedMap.OffsetRecords); } } HashSet <ulong> results = new HashSet <ulong>(); // check to see if we already have a process list with CSRSS in it if (_processList != null) { foreach (ProcessInfo info in _processList) { try { if (info.ProcessName == "csrss.exe") { ulong handleTableAddress = info.ObjectTableAddress; HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress); List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level); foreach (HandleTableEntry e in records) { try { ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer); string objectName = GetObjectName(e.TypeInfo); if (objectName == "Process") { results.Add(e.ObjectPointer + (ulong)header.Size); } } catch (Exception) { continue; } } } } catch (Exception ex) { continue; } } if (results.Count > 0) { return(TrySave(results)); } } // either we didn't have a process list, or it didn't contain any CSRSS processes uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead"); ulong vAddr = _profile.KernelBaseAddress + processHeadOffset; _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace; LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr); ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks"); List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le); foreach (LIST_ENTRY entry in lists) { if (entry.VirtualAddress == vAddr) { continue; } if (entry.VirtualAddress == 0) { continue; } EProcess ep = new EProcess(_profile, _dataProvider, entry.VirtualAddress - apl); if (ep.ImageFileName == "csrss.exe") { ulong handleTableAddress = ep.ObjectTable; HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress); List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level); foreach (HandleTableEntry e in records) { try { ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer); string objectName = GetObjectName(e.TypeInfo); if (objectName == "Process") { results.Add(e.ObjectPointer + (ulong)header.Size); } } catch (Exception) { continue; } } } } return(TrySave(results)); }