public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module) { var results = new List <HookAnalysisResult>(); foreach (var importThunk in module.Image.Imports) { foreach (var symbol in importThunk.Symbols.Where(s => s.IsImportByName)) { if (!analyzer.EMapper.TryGetEntry(importThunk.Name, symbol.Name, out var expected)) { continue; } var expectedAbs = (ulong)expected.Module.BaseAddress.ToInt64() + expected.Symbol.Address.Rva; if (symbol.Address != expectedAbs) { results.Add(new HookAnalysisResult($"{importThunk.Name}!{symbol.Name}", "IAT") { ModuleName = module.ModuleName, OriginalData = expectedAbs.ToString("X8"), PatchedData = symbol.Address.ToString("X8"), AdditionalInfo = "" }); } } } return(results); }
static void Main() { ProcessAnalyzer.SetupAnalyses(); Application.EnableVisualStyles(); Application.SetCompatibleTextRenderingDefault(false); Application.Run(new MainWindow()); }
public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module) { var results = new List <HookAnalysisResult>(); if (module.Image.Exports == null || module.ImageOnDisk.Exports == null) { return(results); } for (int i = 0; i < module.Image.Exports.Entries.Count; i++) { var export = module.Image.Exports.Entries[i]; if (module.ImageOnDisk.Exports.Entries.Count <= i) { break; } var exportOnDisk = module.ImageOnDisk.Exports.Entries[i]; if (exportOnDisk.Address.Rva != export.Address.Rva) { results.Add(new HookAnalysisResult($"{export.Name}", "EAT") { ModuleName = module.ModuleName, OriginalData = $"[RVA] - {exportOnDisk.Address.Rva:X8}", PatchedData = $"[RVA] - {export.Address.Rva:X8}", AdditionalInfo = "" }); } } return(results); }
private void analyzeButton_Click(object sender, EventArgs e) { analysisGrid.Rows.Clear(); var targetProcess = Processes[processList.SelectedIndex]; var analysisEngine = new ProcessAnalyzer(targetProcess); foreach (var entry in analysisEngine.AnalyzeFull()) { analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo); } }
static void Main(string[] args) { ProcessReader pr = new ProcessReader(); pr.LoadProcessesFromFile("../../../input.txt"); ProcessAnalyzer pa = new ProcessAnalyzer(pr.ResultProcesses, pr.ResultTests); pa.AnalyzeProcesses(); pa.DisplayProcessesWithThreeOrMore(); pa.SetNamesToOPCodes(); pa.RunTestingProgram(); }
private void analyzeButton_Click(object sender, EventArgs e) { maintabcontrol.SelectedIndex = 0; //exit disass window analyzelabel.Visible = true; backbutton.Visible = false; analysisGrid.Rows.Clear(); var targetProcess = Processes[IndexMap[processList.SelectedIndex]]; var analysisEngine = new ProcessAnalyzer(targetProcess); var ana = analysisEngine.AnalyzeFull(); _cachedAnalyses[targetProcess.Id] = ana; foreach (var entry in ana) { analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo); } }
public override bool ScanForKnownGameEmulator() { if (GameProcess != null) { GameProcess.CloseProcess(); } GameProcess = new ProcessManipulation(); List <Tuple <string, string> > namesAndTitle = new List <Tuple <string, string> >(); var cs = BFFManager.CurrentControlSet; namesAndTitle.Add(new Tuple <string, string>(cs.ProcessDescriptor.ProcessName, cs.ProcessDescriptor.MainWindowTitle)); // Scan processes and main windows title var found = ProcessAnalyzer.ScanProcessesForKnownNamesAndTitle(namesAndTitle, true, false); // Store detected profile if (found.Count == 0) { return(false); } // Pick first var proc = found[0].Item1; string gamename = proc.MainWindowTitle; Log("Found " + proc.ProcessName + " main window " + gamename + " matched with current control set " + cs.UniqueName, LogLevels.IMPORTANT); // Known game? if (!DetectGameFromMainWindowTitle(gamename)) { Log("Failed to match a known Raw output windows name for " + gamename, LogLevels.IMPORTANT); return(false); } GameProcess.OpenProcess(ProcessManipulation.ProcessAccess.PROCESS_WM_READ, proc); FillAddressFromGame(); return(true); }
private void analyzeButton_Click(object sender, EventArgs e) { BackToMainview(); analysisGrid.Rows.Clear(); var targetProcess = Processes[IndexMap[processList.SelectedIndex]]; var analysisEngine = new ProcessAnalyzer(targetProcess); var ana = analysisEngine.AnalyzeFull(); _cachedAnalyses[targetProcess.Id] = ana; if (ana.Count == 0) { analysisGrid.Rows.Add("", "", "", "", "", "No Hooks Found"); } foreach (var entry in ana) { analysisGrid.Rows.Add(entry.Location, entry.ModuleName, entry.Type, entry.OriginalData, entry.PatchedData, entry.AdditionalInfo); } }
private void btnOpenvJoyConfig_Click(object sender, EventArgs e) { ProcessAnalyzer.StartProcess(@"C:\Program Files\vJoy\x64\vJoyConf.exe"); }
private void btnOpenJoyCPL_Click(object sender, EventArgs e) { ProcessAnalyzer.StartProcess(@"joy.cpl"); }
public List <HookAnalysisResult> AnalyzeModule(ProcessAnalyzer analyzer, CopiedProcessModule module) { var results = new List <HookAnalysisResult>(); foreach (var section in module.ImageFile.Sections) { if (section.IsMemoryWrite || !section.IsMemoryExecute) { continue; } var onDiskSection = module.ImageFileOnDisk.GetSectionContainingRva(section.Rva); if (onDiskSection.GetPhysicalSize() == 0) { continue; } var inMemoryData = (DataSegment)((VirtualSegment)section.Contents).PhysicalContents; var onDiskData = (DataSegment)((VirtualSegment)onDiskSection.Contents).PhysicalContents; //this is a ghetto reloc fix but whatever var toSkip = new Dictionary <uint, uint>(); foreach (var reloc in module.Image.Relocations) { toSkip[reloc.Location.Rva] = (reloc.Type == AsmResolver.PE.Relocations.RelocationType.Dir64 ? 8U : 4U); } //this is an even more ghetto fix for IAT entries in readonly places foreach (var import in module.Image.Imports) { var dataReader = module.ImageFile.CreateReaderAtRva(import.AddressRva); uint c = 0; while (dataReader.ReadNativeInt(module.Image.PEKind == OptionalHeaderMagic.Pe32) != 0) { var offs = module.Image.PEKind == OptionalHeaderMagic.Pe32 ? 4U : 8U; toSkip[import.AddressRva + c] = offs; c += offs; } } //isolate rvas we want toSkip = toSkip.Where(v => section.ContainsRva(v.Key)).ToDictionary(kvp => kvp.Key - section.Rva, kvp => kvp.Value); //these datatypes make me want to kill myself lol var diffList = new List <Tuple <uint, List <Tuple <byte, byte> > > >(); Tuple <uint, List <Tuple <byte, byte> > > currDiff = null; int tolerance = 0; for (uint i = 0; i < section.GetPhysicalSize();) { //skip delta if (toSkip.TryGetValue(i, out var j)) { // handle overlapping cases while (j != 0) { i++; j--; if (toSkip.TryGetValue(i, out var k)) { j = Math.Max(j, k); } } continue; } if (onDiskData.Data[i] != inMemoryData.Data[i]) { tolerance = 4; if (currDiff == null || currDiff.Item2.Count == 0) { currDiff = Tuple.Create(i, new List <Tuple <byte, byte> >()); } currDiff.Item2.Add(Tuple.Create(onDiskData.Data[i], inMemoryData.Data[i])); } else if (--tolerance < 0) { if (currDiff != null && currDiff.Item2.Count != 0) { diffList.Add(currDiff); currDiff = null; } } else { currDiff.Item2.Add(Tuple.Create(onDiskData.Data[i], inMemoryData.Data[i])); } if (tolerance < 0) { tolerance = 0; } i++; } if (currDiff != null && currDiff.Item2.Count != 0) { diffList.Add(currDiff); } foreach (var diffEntry in diffList) { var originalSb = new StringBuilder(); var modifiedSb = new StringBuilder(); for (int i = 0; i < diffEntry.Item2.Count; i++) { var b = diffEntry.Item2[i]; if (i != 0) { originalSb.Append(' '); modifiedSb.Append(' '); } originalSb.Append(b.Item1.ToString("X2")); modifiedSb.Append(b.Item2.ToString("X2")); } var addr = module.BaseAddress.ToInt64() + section.Rva + diffEntry.Item1; //todo: improve this trash ass logic var closestExport = analyzer.EMapper.Exports .Where(kvp => kvp.Key.ToInt64() <= addr) .OrderByDescending(kvp => kvp.Key.ToInt64()) .FirstOrDefault(); if (closestExport.Key == IntPtr.Zero) { results.Add(new HookAnalysisResult($"{(addr):X8} ({section.Name}!0x{diffEntry.Item1:X})", "Inline") { ModuleName = module.ModuleName, OriginalData = originalSb.ToString(), PatchedData = modifiedSb.ToString(), AdditionalInfo = "" }); } else { var val = closestExport.Value; var k = addr - closestExport.Key.ToInt64(); results.Add(new HookAnalysisResult($"{(addr):X8} ({val.Module.ModuleName}!{val.Symbol.Name}+0x{k:X})", "Inline") { ModuleName = module.ModuleName, OriginalData = originalSb.ToString(), PatchedData = modifiedSb.ToString(), AdditionalInfo = "" }); } } } return(results); }