public List <DriverObject> Run()
{
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\driverscan.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(DoIt(cachedMap.OffsetRecords));
}
}
PoolScan scanner = new PoolScan(_profile, _dataProvider, PoolType.Driver);
var results = scanner.Scan();
OffsetMap map = new OffsetMap();
map.OffsetRecords = new HashSet <ulong>();
foreach (ulong item in results)
{
map.OffsetRecords.Add(item);
}
if (!_dataProvider.IsLive)
{
PersistOffsetMap(map, _dataProvider.CacheFolder + "\\driverscan");
}
return(DoIt(map.OffsetRecords));
}
public HashSet <ulong> Run()
{
// first let's see if it already exists
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PspCidTable.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(cachedMap.OffsetRecords);
}
}
HashSet <ulong> results = new HashSet <ulong>();
uint tableOffset = (uint)_profile.GetConstant("PspCidTable");
ulong vAddr = _profile.KernelBaseAddress + tableOffset;
ulong tableAddress = 0;
if (_isx64)
{
var v = _dataProvider.ReadUInt64(vAddr);
if (v == null)
{
return(null);
}
tableAddress = (ulong)v & 0xffffffffffff;
}
else
{
var v = _dataProvider.ReadUInt32(vAddr);
if (v == null)
{
return(null);
}
tableAddress = (ulong)v;
}
HandleTable ht = new HandleTable(_profile, _dataProvider, tableAddress);
List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
ulong bodyOffset = (ulong)_profile.GetOffset("_OBJECT_HEADER", "Body");
foreach (HandleTableEntry e in records)
{
try
{
vAddr = e.ObjectPointer - bodyOffset;
ObjectHeader header = new ObjectHeader(_profile, _dataProvider, vAddr);
string objectName = GetObjectName(header.TypeInfo);
if (objectName == "Process")
{
results.Add(e.ObjectPointer);
}
}
catch (Exception)
{
continue;
}
}
return(TrySave(results));
}
public HashSet <ulong> Run()
{
// first let's see if it already exists
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_Sessions.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(cachedMap.OffsetRecords);
}
}
HashSet <ulong> results = new HashSet <ulong>();
HashSet <ulong> sessionList = new HashSet <ulong>(); // a list of pointers to _MM_SESSION_SPAVE objects
if (_processList != null)
{
foreach (ProcessInfo info in _processList)
{
if (info.Session != 0)
{
sessionList.Add(info.Session);
}
}
}
ulong sOffset = (ulong)_profile.GetOffset("_EPROCESS", "SessionProcessLinks");
ulong plOffset = (ulong)_profile.GetOffset("_MM_SESSION_SPACE", "ProcessList");
foreach (ulong item in sessionList)
{
SessionSpace ss = new SessionSpace(_profile, _dataProvider, item);
LIST_ENTRY sle = ss.ProcessList;
List <LIST_ENTRY> procLists = FindAllLists(_dataProvider, sle);
HashSet <ulong> tempList = new HashSet <ulong>();
foreach (LIST_ENTRY entry in procLists)
{
tempList.Add(entry.Blink);
tempList.Add(entry.Flink);
}
foreach (ulong ul in tempList)
{
if (ul - plOffset == item)
{
continue;
}
if (ul == 0)
{
continue;
}
results.Add(ul - sOffset);
}
}
return(TrySave(results));
}
protected bool PersistOffsetMap(OffsetMap source, string fileName)
{
if (!fileName.EndsWith(".gz"))
{
fileName += ".gz";
}
byte[] bytesToCompress = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(source));
using (FileStream fileToCompress = File.Create(fileName))
using (GZipStream compressionStream = new GZipStream(fileToCompress, CompressionMode.Compress))
{
compressionStream.Write(bytesToCompress, 0, bytesToCompress.Length);
}
return(true);
}
private HashSet <ulong> TrySave(HashSet <ulong> results)
{
if (results.Count == 0)
{
return(null);
}
if (_dataProvider.IsLive)
{
return(results);
}
OffsetMap map = new OffsetMap();
map.OffsetRecords = results;
if (!_dataProvider.IsLive)
{
PersistOffsetMap(map, _dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead");
}
return(results);
}
public HashSet <ulong> Run()
{
// first let's see if it already exists
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(cachedMap.OffsetRecords);
}
}
HashSet <ulong> results = new HashSet <ulong>();
uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
ulong vAddr = _profile.KernelBaseAddress + processHeadOffset;
_dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr);
ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le);
foreach (LIST_ENTRY entry in lists)
{
if (entry.VirtualAddress == vAddr)
{
continue;
}
if (entry.VirtualAddress == 0)
{
continue;
}
results.Add(entry.VirtualAddress - apl);
}
return(TrySave(results));
}
public HashSet <ulong> Run()
{
// first let's see if it already exists
FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz");
if (cachedFile.Exists && !_dataProvider.IsLive)
{
OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
if (cachedMap != null)
{
return(cachedMap.OffsetRecords);
}
}
HashSet <ulong> results = new HashSet <ulong>();
// check to see if we already have a process list with CSRSS in it
if (_processList != null)
{
foreach (ProcessInfo info in _processList)
{
try
{
if (info.ProcessName == "csrss.exe")
{
ulong handleTableAddress = info.ObjectTableAddress;
HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress);
List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
foreach (HandleTableEntry e in records)
{
try
{
ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
string objectName = GetObjectName(e.TypeInfo);
if (objectName == "Process")
{
results.Add(e.ObjectPointer + (ulong)header.Size);
}
}
catch (Exception)
{
continue;
}
}
}
}
catch (Exception ex)
{
continue;
}
}
if (results.Count > 0)
{
return(TrySave(results));
}
}
// either we didn't have a process list, or it didn't contain any CSRSS processes
uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
ulong vAddr = _profile.KernelBaseAddress + processHeadOffset;
_dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
LIST_ENTRY le = new LIST_ENTRY(_dataProvider, vAddr);
ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
List <LIST_ENTRY> lists = FindAllLists(_dataProvider, le);
foreach (LIST_ENTRY entry in lists)
{
if (entry.VirtualAddress == vAddr)
{
continue;
}
if (entry.VirtualAddress == 0)
{
continue;
}
EProcess ep = new EProcess(_profile, _dataProvider, entry.VirtualAddress - apl);
if (ep.ImageFileName == "csrss.exe")
{
ulong handleTableAddress = ep.ObjectTable;
HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress);
List <HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
foreach (HandleTableEntry e in records)
{
try
{
ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
string objectName = GetObjectName(e.TypeInfo);
if (objectName == "Process")
{
results.Add(e.ObjectPointer + (ulong)header.Size);
}
}
catch (Exception)
{
continue;
}
}
}
}
return(TrySave(results));
}
