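        /// <summary>
        /// Single-step callback: when the emulated program counter reaches the end of the
        /// string-decryption routine, reads the decrypted buffer from the emulated process
        /// and prints it. Optionally dumps registers first when the debugger flag is set.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="process">Emulated process whose registers and memory are read.</param>
        private static void ProcessStep(Object sender, IProcessContainer process)
        {
            // The per-instruction trace line (Utility.formatCurrentInstruction) is disabled,
            // so nothing is printed for an ordinary step.
            if (_enableDebugger)
            {
                PrintRegisters(process);
            }

            var ip = process.ProgramCounter.ToInt32();
            if (ip != _decryptFunctionEndAddress)
            {
                return;
            }

            // At this point EDI is read as the address of the decrypted buffer and EAX as
            // its length. Both values are produced by the emulated (untrusted) code.
            var decryptedBufferAddress = process.Cpu.GetRegister("EDI").ToUInt64();
            var bufferLength           = process.Cpu.GetRegister("EAX").ToInt32();

            if (bufferLength <= 0)
            {
                // A zero or negative length is not a readable buffer (a negative count would
                // presumably make ReadMemory throw); report it and keep stepping instead of
                // aborting the whole emulation.
                Console.WriteLine("[-] invalid buffer length {0} at 0x{1:X}", bufferLength, decryptedBufferAddress);
                return;
            }

            var decryptedBuffer = process.Memory.ReadMemory(decryptedBufferAddress, bufferLength);
            var decryptedString = Encoding.UTF8.GetString(decryptedBuffer);
            Console.WriteLine("[+] {0}", decryptedString);
        }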
        /// <summary>
        /// Reads <see cref="StringLength"/> bytes at <see cref="Buffer"/> from the emulated
        /// process, XORs every byte with <see cref="EncryptionKey"/> and returns the result
        /// as a string, one char per byte (no charset decoding is applied).
        /// </summary>
        /// <param name="process">Emulated process to read the encrypted bytes from.</param>
        /// <returns>The decrypted text.</returns>
        public String Decrypt(IProcessContainer process)
        {
            var raw   = process.Memory.ReadMemory(this.Buffer, this.StringLength);
            var chars = new Char[raw.Length];

            for (var i = 0; i < raw.Length; i++)
            {
                // Single-byte XOR with the per-string key; each input byte yields one char.
                chars[i] = (Char)(raw[i] ^ this.EncryptionKey);
            }

            return new String(chars);
        }
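        /// <summary>
        /// Single-step callback: when the emulated program counter reaches the end of the
        /// string-decryption routine, reads the decrypted buffer from the emulated process
        /// and prints it.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="process">Emulated process whose registers and memory are read.</param>
        private static void ProcessStep(Object sender, IProcessContainer process)
        {
            var ip = process.GetProgramCounter().ToInt32();
            if (ip != _decryptFunctionEndAddress)
            {
                return;
            }

            // EDI is read as the address of the decrypted buffer and EAX as its length.
            // Both come from the emulated (untrusted) code, so validate before reading.
            var decryptedBufferAddress = process.GetRegister("EDI").ToUInt64();
            var bufferLength           = process.GetRegister("EAX").ToInt32();

            if (bufferLength <= 0)
            {
                // Not a readable buffer (a negative count would presumably make ReadMemory
                // throw); report it and keep stepping instead of aborting the emulation.
                Console.WriteLine("[-] invalid buffer length {0} at 0x{1:X}", bufferLength, decryptedBufferAddress);
                return;
            }

            var decryptedBuffer = process.Memory.ReadMemory(decryptedBufferAddress, bufferLength);
            var decryptedString = Encoding.UTF8.GetString(decryptedBuffer);
            Console.WriteLine("[+] {0}", decryptedString);
        }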
        /// <summary>
        /// Debug helper: prints each watched register together with the base address of the
        /// mapped memory region it points into (0 when the address is not mapped), then
        /// blocks on stdin so the operator can inspect the state before the next step.
        /// </summary>
        /// <param name="proc">Emulated process whose CPU and memory are inspected.</param>
        private static void PrintRegisters(IProcessContainer proc)
        {
            // Only EAX is watched at the moment; extend this list to dump more registers.
            String[] watched = { "EAX" };

            foreach (var name in watched)
            {
                var value = proc.Cpu.GetRegister(name).ToUInt64();

                // Ask for the region only when the address is mapped; unmapped addresses
                // are reported with a 0 base.
                var regionBase = proc.Memory.IsAddressMapped(value)
                    ? (ulong)proc.Memory.GetMemoryRegion(value).BaseAddress
                    : 0UL;

                Console.WriteLine("{0}=[{1}]:{2}", name, regionBase, value);
            }

            // Pause until Enter is pressed.
            Console.ReadLine();
        }
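        /// <summary>
        /// Walks the table of <see cref="EncryptedString"/> entries in the emulated process,
        /// decrypts each entry and prints it.
        /// </summary>
        /// <param name="process">Emulated process the table is read from.</param>
        /// <param name="startAddress">Address of the first entry; defaults to the value hard-coded for the analysed sample.</param>
        /// <param name="endAddress">Exclusive end of the table; defaults to the value hard-coded for the analysed sample.</param>
        /// <param name="entrySize">Distance in bytes between consecutive entries.</param>
        /// <exception cref="ArgumentOutOfRangeException">Thrown when <paramref name="entrySize"/> is 0, which would never advance the loop.</exception>
        private static void DecryptStrings(IProcessContainer process, ulong startAddress = 0x00401288UL, ulong endAddress = 0x00401838UL, ulong entrySize = 8UL)
        {
            if (entrySize == 0UL)
            {
                throw new ArgumentOutOfRangeException(nameof(entrySize), "entry size must be greater than zero");
            }

            Console.WriteLine("-=[ Start Dump All Strings ]=-");

            var currentOffset = startAddress;
            while (currentOffset < endAddress)
            {
                var encryptedString = process.Memory.ReadMemory<EncryptedString>(currentOffset);
                var decryptedString = encryptedString.Decrypt(process);
                Console.WriteLine("[+] {0}", decryptedString);

                // Stop rather than wrap around if the next entry would overflow the address space.
                if (currentOffset > ulong.MaxValue - entrySize)
                {
                    break;
                }
                currentOffset += entrySize;
            }

            Console.WriteLine("-=[ Dump All Strings Completed ]=-");
        }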
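 /// <summary>
 /// Wires the application service to its collaborators.
 /// </summary>
 /// <param name="processContainer">Dependency used by the service; must not be null.</param>
 /// <param name="processConverter">Converter from <see cref="Process"/> to <see cref="ProcessDto"/>; must not be null.</param>
 /// <exception cref="System.ArgumentNullException">Thrown when a dependency is null, so a missing DI registration fails here rather than on first use.</exception>
 public CreateProcessAppService(IProcessContainer processContainer, IConverter <Process, ProcessDto> processConverter)
 {
     if (processContainer == null)
     {
         throw new System.ArgumentNullException(nameof(processContainer));
     }
     if (processConverter == null)
     {
         throw new System.ArgumentNullException(nameof(processConverter));
     }

     this.processContainer = processContainer;
     this.processConverter = processConverter;
 }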
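 /// <summary>
 /// Wires the application service to its collaborator.
 /// </summary>
 /// <param name="processContainer">Dependency used by the service; must not be null.</param>
 /// <exception cref="System.ArgumentNullException">Thrown when <paramref name="processContainer"/> is null, so a missing DI registration fails here rather than on first use.</exception>
 public DeleteProcessAppService(IProcessContainer processContainer)
 {
     if (processContainer == null)
     {
         throw new System.ArgumentNullException(nameof(processContainer));
     }

     this.processContainer = processContainer;
 }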