/// <summary> /// Opens the process by id. Stores information about the target process. /// </summary> /// <param name="pid">The process identifier of the target process.</param> /// <returns>Returns true on success.</returns> public bool Open(uint pid) { if (!SysInteractor.IsInitialized) { SysInteractor.Init(); } WinApi.ProcessRights flags = WinApi.ProcessRights.QUERY_INFORMATION | WinApi.ProcessRights.VM_READ | WinApi.ProcessRights.VM_WRITE | WinApi.ProcessRights.VM_OPERATION; this.ProcHandle = WinApi.OpenProcess(flags, false, pid); if (this.ProcHandle != null) { try { this.Proc = Process.GetProcessById((int)pid); } catch (ArgumentException) { WinApi.CloseHandle(this.ProcHandle); return(false); } bool isWow64; if (!WinApi.IsWow64Process(this.ProcHandle, out isWow64)) { this.Status.Log( "Unable to determine bitness of process: " + this.Proc.ProcessName, Logger.Level.HIGH); } // 64-bit process detection. // Note: This does not take into account for PAE. No plans to support PAE currently exist. if (isWow64) { // For scanning purposes, Wow64 processes will be treated as as 32-bit processes. this.Is64Bit = false; this.d.TargetArchitecture = Disassembler.Architecture.x86_32; } else { // If it is not Wow64, then the process is natively running, so set it according to the OS // architecture. this.Is64Bit = SysInteractor.Is64Bit; this.d.TargetArchitecture = this.Is64Bit ? Disassembler.Architecture.x86_64 : Disassembler.Architecture.x86_32; } return(true); } else { this.Status.Log("Unable to open the target process.", Logger.Level.HIGH); return(false); } }
/// <summary> /// Generates a new basic block that starts at the supplied base address. /// </summary> /// <param name="p">The process interactor used to read data from the target.</param> /// <param name="baseAddress">The base address of the basic block.</param> /// <param name="blocks"> /// A set of basic blocks that relate to the current block through either direct or indirect connections. /// </param> /// <param name="maxDepth"> /// The maximum number of code flow indirections to be followed. If set to -1, no maximum indirection count is /// enforced. /// </param> /// <returns>Returns a basic block that starts at the supplied address.</returns> public static BasicBlock GenerateBlock( PInteractor p, IntPtr baseAddress, out HashSet<BasicBlock> blocks, long maxDepth = -1) { SysInteractor.Init(); blocks = new HashSet<BasicBlock>(); HashSet<Page> pages = new HashSet<Page>(); BasicBlock block = BasicBlock.GenerateBlock(p, baseAddress, ref blocks, ref pages, maxDepth); BasicBlock.RemoveDuplicateInstructions(ref blocks); return block; }
/// <summary> /// Initializes a new instance of the Scanner class. /// </summary> public Scanner() { SysInteractor.Init(); this.Regions = new List <Region>(); this.Matches = new List <IntPtr>(); }
public IntPtr IdentifyFunctionStartAddress(IntPtr address) { if (!this.IsOpen) { return(IntPtr.Zero); } if (!SysInteractor.IsInitialized) { SysInteractor.Init(); } Page p = null; IntPtr baseAddress = new IntPtr((address.ToInt64() / SysInteractor.PageSize) * SysInteractor.PageSize); foreach (Page cachedPage in this.pageCache) { if (cachedPage.Address.ToInt64() == baseAddress.ToInt64()) { p = cachedPage; break; } } if (p == null) { p = new Page(); p.Address = baseAddress; if (!this.Read(p.Address, p.Data)) { return(IntPtr.Zero); } } if (p.InstructionsDecomposed.Length == 0 || p.InstructionsDisassembled.Count == 0) { if (this.Is64Bit) { if (!p.Disassemble(Distorm.DecodeType.Decode64Bits)) { return(IntPtr.Zero); } } else { if (!p.Disassemble(Distorm.DecodeType.Decode32Bits)) { return(IntPtr.Zero); } } } long targetInstIndex = -1; for (long i = 0; i < p.Data.Length; ++i) { if (p.InstructionsDecomposed[i].addr == (ulong)address.ToInt64()) { targetInstIndex = i; } } if (targetInstIndex == -1) { return(IntPtr.Zero); } for (long i = targetInstIndex; i >= 0; --i) { //if (p.InstructionsDecomposed[i].InstructionType == Distorm.InstructionType.) } return(IntPtr.Zero); }