public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo) { var Version = vtero.Version; Mem.InitMem(co.FileName, vtero.MRD); // Extract Address Spaces verifies the linkages between // process<->CR3<->EPTP(if there is one) // and that they are functional var vetted = vtero.ExtrtactAddressSpaces(null, null, Version); // leaving this in as an example maybe? ;) //WriteLine("enter a group ID: "); //input = ReadLine(); //int Grp = int.Parse(input); //WriteLine("enter a process ID: "); //input = ReadLine(); //long procID = long.Parse(input, NumberStyles.HexNumber); //var proc = (from procz in vtero.ASGroups[Grp] // where procz.CR3Value == procID // select procz).First(); //int i = 1; //DetectedProc dp = proc; //while(dp == null) // dp = vtero.GetKernelRangeFromGroup(i++); // Scan for kernel // NT kernel may be in 0xFFFFF80000000 to 0xFFFFF8800000 range long KernVAStart = 0xF80000000000; long KernVAEnd = KernVAStart + (0x8000000000 - 0x1000); string input = string.Empty; var Detections = new Dictionary <long, Extract>(); DetectedProc LikelyKernel = null; bool Decoded = false; // were doing this in nested loops to brute force our way past any errors // but only need the first set of detections per group foreach (var grpz in vtero.ASGroups) { foreach (var vm in vtero.VMCSs.Values) { WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}"); foreach (var p in grpz.Value) { WriteLine($"Proc: {p.CR3Value:X}"); Detections = Detections.Concat( vtero.ModuleScan(p, 3, KernVAStart, KernVAEnd).Where(x => !Detections.ContainsKey(x.Key))) .ToDictionary(x => x.Key, x => x.Value); if (Detections.Count() > 0) { LikelyKernel = p; if (vm.EPTP == 0) { p.vmcs = null; } else { p.vmcs = vm; } // scan for kernel foreach (var detected in Detections) { WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}"); WriteColor(ConsoleColor.Cyan, detected.Value.ToString()); if (detected.Value.ToString().Contains("POOLCODE")) { WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data"); /* * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key); * * if (cv_data != null) * { * var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH"); * if (string.IsNullOrWhiteSpace(sympath)) * sympath = "SRV*http://msdl.microsoft.com/download/symbols"; * * if (Vtero.TryLoadSymbols(cv_data, detected.Key, sympath)) * Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath); * } */ } } } if (Decoded) { break; } } if (Decoded) { break; } } if (Decoded) { break; } } ForegroundColor = ConsoleColor.Green; WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}"); // do a test dump // extract & dump could be done at the same time if (!dmpo.ListOnly) { vtero.DumpASToFile(); } //if (Vtero.VerboseOutput) //vtero.DumpFailList(); return; }
public Vtero Scanit(ScanOptions op) { bool SkipVMCS = false; #if TESTING foreach (var sx in op.DisabledScans) { var spec = sx.ToLower(); if (spec.Contains("vmcs")) { SkipVMCS = true; } if (spec.Contains("obsd")) { Version = Version & ~PTType.OpenBSD; } if (spec.Contains("nbsd")) { Version = Version & ~PTType.NetBSD; } if (spec.Contains("fbsd")) { Version = Version & ~PTType.FreeBSD; } if (spec.Contains("lin")) { Version = Version & ~PTType.LinuxS; } if (spec.Contains("hv")) { Version = Version & ~PTType.HyperV; } if (spec.Contains("gen")) { Version = Version & ~PTType.GENERIC; } if (spec.Contains("win")) { Version = Version & ~PTType.Windows; } } if ((Version & PTType.VALUE) == PTType.VALUE) { bool Parsed = false; do { if (args.Length < 2) { WriteLine($"Specify value"); return; } Parsed = uint.TryParse(args[2], NumberStyles.HexNumber, CultureInfo.CurrentCulture, out valuI); if (!Parsed) { Parsed = ulong.TryParse(args[2], NumberStyles.HexNumber, CultureInfo.CurrentCulture, out valuL); if (Parsed) { Is64Scan = true; } else { WriteLine($"Unable to parse input {args[2]}"); return; } } else { valuL = (ulong)valuI; } } while (!Parsed); } #endif string Filename = null; Vtero vtero = null; PTType Version = PTType.Windows; // this instance is temporally used for loading state // i.e. don't set properties or fields here var saveStateFile = $"{Filename}.inVtero.net"; if (File.Exists(saveStateFile)) { if (todo.Key != ConsoleKey.D) { vtero = vtero.CheckpointRestoreState(saveStateFile); vtero.OverRidePhase = true; } else { File.Delete(saveStateFile); } } if (vtero.Phase < 2) { vtero = new Vtero(Filename); } //Mem.InitMem(parsed.FileName, null, vtero.DetectedDesc); ProgressBarz.Bar.Message = "First pass, looking for processes"; ForegroundColor = ConsoleColor.Cyan; #if TESTING Timer = Stopwatch.StartNew(); if ((Version & PTType.VALUE) == PTType.VALUE) { var off = vtero.ScanValue(Is64Scan, valuL, 0); WriteLine(FormatRate(vtero.FileSize, Timer.Elapsed)); using (var dstream = File.OpenRead(vtero.MemFile)) { using (var dbin = new BinaryReader(dstream)) { foreach (var xoff in off) { WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}"); if (xoff > vtero.FileSize) { WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}"); continue; } dstream.Position = xoff + 28; var MemRunDescriptor = new MemoryDescriptor(); MemRunDescriptor.NumberOfRuns = dbin.ReadInt64(); MemRunDescriptor.NumberOfPages = dbin.ReadInt64(); Console.WriteLine($"Runs: {MemRunDescriptor.NumberOfRuns}, Pages: {MemRunDescriptor.NumberOfPages} "); if (MemRunDescriptor.NumberOfRuns < 0 || MemRunDescriptor.NumberOfRuns > 32) { continue; } for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++) { var basePage = dbin.ReadInt64(); var pageCount = dbin.ReadInt64(); MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = basePage, PageCount = pageCount }); } WriteLine($"MemoryDescriptor {MemRunDescriptor}"); } } } WriteLine("Finished VALUE scan."); return; } if ((Version & PTType.VALUE) == PTType.VALUE) { return; } #endif // basic perf checking QuickOptions.Timer = Stopwatch.StartNew(); var procCount = vtero.ProcDetectScan(Version); WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{procCount} candidate process page tables. Time so far: {QuickOptions.Timer.Elapsed}, second pass starting. {QuickOptions.FormatRate(vtero.FileSize, QuickOptions.Timer.Elapsed)}"); //BackgroundColor = ConsoleColor.Black; //ForegroundColor = ConsoleColor.Cyan; if (procCount < 3) { WriteColor(ConsoleColor.Red, "Seems like a fail. Try generic scanning or implement a state scan like LinuxS"); return(null); } // second pass // with the page tables we acquired, locate candidate VMCS pages in the format // [31-bit revision id][abort indicator] // the page must also have at least 1 64bit value which is all set (-1) // Root-HOST CR3 will have uniform diff // unless an extent based dump image is input, some .DMP variations // TODO: Add support for extent based inputs // Guest VMCS will contain host CR3 & guest CR3 (hCR3 & gCR3) // sometimes CR3 will be found in multiple page tables, e.g. system process or SMP // if I have more than 1 CR3 from different file_offset, just trim them out for now // future may have a reason to isolate based on original locationAG if (SkipVMCS) { return(vtero); } ProgressBarz.Bar.Message = "Second pass, correlating for VMCS pages"; var VMCSCount = vtero.VMCSScan(); //Timer.Stop(); WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{VMCSCount} candidate VMCS pages. Time to process: {QuickOptions.Timer.Elapsed}, Data scanned: {vtero.FileSize:N}"); // second time WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"Second pass done. {QuickOptions.FormatRate(vtero.FileSize * 2, QuickOptions.Timer.Elapsed)}"); // each of these depends on a VMCS scan/pass having been done at the moment WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, "grouping and joining all memory"); // After this point were fairly functional vtero.GroupAS(); // sync-save state so restarting is faster if (!File.Exists(saveStateFile)) { Write($"Saving checkpoint... "); saveStateFile = vtero.CheckpointSaveState(); WriteColor(ConsoleColor.White, saveStateFile); } return(vtero); }
public static Vtero Scanit(ConfigOptions co) { bool SkipVMCS = (co.VersionsToEnable & PTType.VMCS) != PTType.VMCS; var Filename = co.FileName; co.VersionsToEnable = co.VersionsToEnable & ~PTType.VMCS; // allocate now so that we can un-serialize or keep an instance Vtero vtero = new Vtero(); // this instance is temporally used for loading state // i.e. don't set properties or fields here var saveStateFile = $"{Filename}.inVtero.net"; if (File.Exists(saveStateFile)) { if (!co.IgnoreSaveData) { vtero = vtero.CheckpointRestoreState(saveStateFile); vtero.OverRidePhase = true; } else { File.Delete(saveStateFile); } } if (vtero.Phase < 2) { vtero = new Vtero(Filename); } if (!vtero.OverRidePhase) { Mem.InitMem(co.FileName, vtero.MRD); ProgressBarz.BaseMessage = new ConsoleString("First pass, looking for processes"); ForegroundColor = ConsoleColor.Cyan; #if TESTING Timer = Stopwatch.StartNew(); if ((Version & PTType.VALUE) == PTType.VALUE) { var off = vtero.ScanValue(Is64Scan, valuL, 0); WriteLine(FormatRate(vtero.FileSize, Timer.Elapsed)); using (var dstream = File.OpenRead(vtero.MemFile)) { using (var dbin = new BinaryReader(dstream)) { foreach (var xoff in off) { WriteLine($"Checking Memory Descriptor @{(xoff + 28):X}"); if (xoff > vtero.FileSize) { WriteLine($"offset {xoff:X} > FileSize {vtero.FileSize:X}"); continue; } dstream.Position = xoff + 28; var MemRunDescriptor = new MemoryDescriptor(); MemRunDescriptor.NumberOfRuns = dbin.ReadInt64(); MemRunDescriptor.NumberOfPages = dbin.ReadInt64(); Console.WriteLine($"Runs: {MemRunDescriptor.NumberOfRuns}, Pages: {MemRunDescriptor.NumberOfPages} "); if (MemRunDescriptor.NumberOfRuns < 0 || MemRunDescriptor.NumberOfRuns > 32) { continue; } for (int i = 0; i < MemRunDescriptor.NumberOfRuns; i++) { var basePage = dbin.ReadInt64(); var pageCount = dbin.ReadInt64(); MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = basePage, PageCount = pageCount }); } WriteLine($"MemoryDescriptor {MemRunDescriptor}"); } } } WriteLine("Finished VALUE scan."); return; } if ((Version & PTType.VALUE) == PTType.VALUE) { return; } #endif } // basic perf checking QuickOptions.Timer = Stopwatch.StartNew(); var procCount = vtero.ProcDetectScan(co.VersionsToEnable); if (!vtero.OverRidePhase) { WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{procCount} candidate process page tables. Time so far: {QuickOptions.Timer.Elapsed}, second pass starting. {QuickOptions.FormatRate(vtero.FileSize, QuickOptions.Timer.Elapsed)}"); if (procCount < 3) { WriteColor(ConsoleColor.Red, "Seems like a fail. Try generic scanning or implement a state scan like LinuxS"); return(null); } } // second pass // with the page tables we acquired, locate candidate VMCS pages in the format // [31-bit revision id][abort indicator] // the page must also have at least 1 64bit value which is all set (-1) // Root-HOST CR3 will have uniform diff // unless an extent based dump image is input, some .DMP variations // TODO: Add support for extent based inputs // Guest VMCS will contain host CR3 & guest CR3 (hCR3 & gCR3) // sometimes CR3 will be found in multiple page tables, e.g. system process or SMP // if I have more than 1 CR3 from different file_offset, just trim them out for now // future may have a reason to isolate based on original locationAG if (SkipVMCS) { if (!vtero.OverRidePhase) { vtero.GroupAS(); } if (co.VerboseLevel > 1) { WriteColor(ConsoleColor.Yellow, "Skipping VMCS scan (as requested)."); } } else { ProgressBarz.BaseMessage = new ConsoleString("Second pass, correlating for VMCS pages"); var VMCSCount = vtero.VMCSScan(); //Timer.Stop(); if (!vtero.OverRidePhase) { WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"{VMCSCount} candidate VMCS pages. Time to process: {QuickOptions.Timer.Elapsed}, Data scanned: {vtero.FileSize:N}"); // second time WriteColor(ConsoleColor.Blue, ConsoleColor.Yellow, $"Second pass done. {QuickOptions.FormatRate(vtero.FileSize * 2, QuickOptions.Timer.Elapsed)}"); // each of these depends on a VMCS scan/pass having been done at the moment WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, "grouping and joining all memory"); } // After this point were fairly functional vtero.GroupAS(); } // sync-save state so restarting is faster if (!File.Exists(saveStateFile)) { Write($"Saving checkpoint... "); saveStateFile = vtero.CheckpointSaveState(); WriteColor(ConsoleColor.White, saveStateFile); } Console.CursorVisible = true; return(vtero); }