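        /// <summary>
        /// Locates the kernel Directory Table Base (DTB) by scanning the image for the
        /// fixed-width "Idle" ImageFileName of an _EPROCESS and validating the candidate.
        /// </summary>
        /// <returns>
        /// The physical address of the accepted _EPROCESS, or 0 when the DTB was already
        /// known (<c>_kernelDtb != 0</c>, e.g. taken from the live image) or no candidate passed
        /// validation.
        /// </returns>
        /// <remarks>
        /// The image is untrusted input, so every candidate is parsed inside a try/catch and a
        /// failure simply moves on to the next hit. A candidate is accepted only when its DTB is
        /// non-zero and lies inside the image, and both its PID and PPID are 0 (the Idle process).
        /// <c>_kernelDtb</c> is assigned only for an accepted candidate (the original assigned it
        /// before validating, which could leave a half-validated value behind if a later member
        /// read threw), and the value is recorded in the info dictionary.
        /// </remarks>
        public ulong FindKernelDtbBody()
        {
            // Already known (e.g. grabbed from the live image): nothing to scan for.
            if (_kernelDtb != 0)
            {
                return 0;
            }

            ulong        filenameOffset = _profile.GetOffset("_EPROCESS", "ImageFileName");
            StringSearch search         = new StringSearch(_dataProvider);
            // ImageFileName is a fixed-width field; the trailing NULs reject names that merely
            // start with "Idle".
            search.AddNeedle("Idle\x00\x00\x00\x00\x00\x00\x00");

            foreach (var answer in search.Scan())
            {
                List<ulong> hitList;
                try
                {
                    hitList = answer.First().Value;
                }
                catch (Exception)
                {
                    // Empty or malformed scan batch: nothing to inspect here.
                    continue;
                }

                foreach (ulong hit in hitList)
                {
                    // The needle sits at filenameOffset inside the _EPROCESS. Guard the unsigned
                    // subtraction so a hit near the start of the image cannot wrap to a huge
                    // bogus address instead of being skipped.
                    if (hit < filenameOffset)
                    {
                        continue;
                    }
                    ulong candidate = hit - filenameOffset;

                    try
                    {
                        EProcess ep = new EProcess(_profile, _dataProvider, 0, candidate);
                        // Kept from the original: touching Members presumably forces the structure
                        // to be parsed so a bad candidate throws here rather than later - verify.
                        dynamic members = ep.Members;

                        ulong dtb = ep.DTB;
                        // The DTB is a physical address: it must be non-zero and inside the image.
                        if (dtb == 0 || dtb > _dataProvider.ImageLength)
                        {
                            continue;
                        }
                        // Only the Idle process has PID 0 and parent PID 0.
                        if (ep.Pid != 0 || ep.Ppid != 0)
                        {
                            continue;
                        }

                        _kernelDtb = dtb;
                        InfoHelper helper = new InfoHelper();
                        helper.Type  = InfoHelperType.InfoDictionary;
                        helper.Name  = "0x" + _kernelDtb.ToString("X08") + " (" + _kernelDtb.ToString() + ")";
                        helper.Title = "Directory Table Base";
                        AddToInfoDictionary("Directory Table Base", helper);
                        // Return directly instead of flagging and letting the outer loop pull one
                        // more (discarded) batch out of the scanner before breaking.
                        return (ulong)ep.PhysicalAddress;
                    }
                    catch (Exception)
                    {
                        // Garbage that merely contains the needle; try the next hit.
                        continue;
                    }
                }
            }
            return 0;
        }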
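        /// <summary>
        /// Locates the kernel image base address and records the kernel build strings
        /// (NtBuildLab and, when available, NtBuildLabEx) in the info dictionary.
        /// </summary>
        /// <param name="kernelAddress">
        /// Optional kernel address space to use for virtual/physical translation; when null the
        /// current <c>_kernelAddressSpace</c> is kept.
        /// </param>
        /// <remarks>
        /// Two paths:
        /// <list type="bullet">
        /// <item>If <c>_kernelBaseAddress</c> is already known (the live info grab fills it in),
        /// only the build strings are read and recorded.</item>
        /// <item>Otherwise the image is scanned for kernel section names (INITKDBG, MISYSPTE,
        /// PAGEKD); from each hit the search walks backwards one page at a time, at most
        /// <c>KernelHeaderSearchPages</c> pages, looking for an "MZ" header whose RSDS debug
        /// filename is accepted by <c>IsValidKernel</c>.</item>
        /// </list>
        /// The method is best-effort: any exception is swallowed and the fields are simply left
        /// unset. Compared to the original, an unmapped page is no longer read at physical 0, a
        /// `continue` inside the page loop no longer skips the page decrement (which re-examined
        /// the same page up to ten times), and a missing NtBuildLabEx after a validated kernel
        /// ends the search instead of re-adding the same dictionary entries.
        /// </remarks>
        public void FindKernelImageBody(AddressBase kernelAddress = null)
        {
            if (kernelAddress != null)
            {
                _kernelAddressSpace = kernelAddress;
            }
            try
            {
                uint buildOffset = (uint)_profile.GetConstant("NtBuildLab");

                // Already known: just record the build strings and stop.
                if (_kernelBaseAddress != 0)
                {
                    string knownBuild;
                    if (!TryReadKernelString(buildOffset, true, out knownBuild))
                    {
                        return;
                    }
                    RecordInfoString("Build String", knownBuild);
                    RecordBuildStringEx();
                    return;
                }

                StringSearch search = new StringSearch(_dataProvider);
                search.AddNeedle("INITKDBG");
                search.AddNeedle("MISYSPTE");
                search.AddNeedle("PAGEKD");
                foreach (var answer in search.Scan())
                {
                    foreach (var kvp in answer)
                    {
                        foreach (ulong hit in kvp.Value)
                        {
                            // The physical hit must map into the kernel address space.
                            ulong vAddr = _kernelAddressSpace.ptov(hit);
                            if (vAddr == 0)
                            {
                                continue;
                            }
                            // PE images are page aligned, so walk back page by page to the header.
                            // The decrement lives in the for-clause so `continue` cannot skip it.
                            ulong page = vAddr & 0xfffffffff000;
                            for (int i = 0; i < KernelHeaderSearchPages; i++, page -= 0x1000)
                            {
                                if (!PageStartsWithMz(page))
                                {
                                    continue;
                                }
                                PE   peHeader     = new PE(_dataProvider, _kernelAddressSpace, page);
                                RSDS debugSection = peHeader.DebugSection;
                                if (!IsValidKernel(debugSection.Filename))
                                {
                                    continue;
                                }

                                _kernelBaseAddress = page;
                                string build;
                                if (!TryReadKernelString(buildOffset, false, out build))
                                {
                                    // Header validated but the build string is not mapped. Retrying
                                    // the same page can never succeed, so move on to the next hit.
                                    break;
                                }

                                InfoHelper helper = new InfoHelper();
                                helper.Type           = InfoHelperType.InfoDictionary;
                                helper.Name           = "0x" + _kernelBaseAddress.ToString("X08");
                                helper.Title          = "Kernel Base Address";
                                helper.VirtualAddress = _kernelBaseAddress;
                                helper.BufferSize     = 4096;
                                AddToInfoDictionary("Kernel Base Address", helper);
                                RecordInfoString("Build String", build);
                                RecordBuildStringEx();
                                return;
                            }
                        }
                    }
                }
            }
            catch
            {
                // Best effort: a scanner/translation failure leaves the base address unset.
                return;
            }
        }

        /// <summary>
        /// How many pages to walk back from a section-name hit looking for the PE header.
        /// TODO: the original notes that 10 may not be enough; revisit against real images.
        /// </summary>
        private const int KernelHeaderSearchPages = 10;

        /// <summary>
        /// True when the virtual page translates to a physical page that starts with "MZ".
        /// An untranslatable page (vtop returns 0) is treated as "no header" rather than being
        /// read at physical address 0 as the original did.
        /// </summary>
        private bool PageStartsWithMz(ulong page)
        {
            ulong physical = _kernelAddressSpace.vtop(page, false);
            if (physical == 0)
            {
                return false;
            }
            byte[] buffer = _dataProvider.ReadMemory(physical, 1);
            return buffer != null && buffer.Length >= 2 && buffer[0] == (byte)'M' && buffer[1] == (byte)'Z';
        }

        /// <summary>
        /// Translates <c>_kernelBaseAddress + offset</c> through the kernel address space and reads
        /// the string stored there.
        /// </summary>
        /// <param name="offset">Offset of the string from the kernel base (an NtBuildLab* constant).</param>
        /// <param name="vtopFlag">Passed straight through to <c>vtop</c>; the original used
        /// <c>true</c> on the live path and for NtBuildLabEx and <c>false</c> for NtBuildLab on the
        /// scan path, and those values are preserved (meaning of the flag not documented here).</param>
        /// <param name="value">The string read, or null when the address does not translate.</param>
        /// <returns>true when the string was read.</returns>
        private bool TryReadKernelString(uint offset, bool vtopFlag, out string value)
        {
            value = null;
            ulong pAddr = _kernelAddressSpace.vtop(_kernelBaseAddress + offset, vtopFlag);
            if (pAddr == 0)
            {
                return false;
            }
            // Read from the start of the containing page; the count of 2 is kept from the original
            // call sites (presumably pages, so a string straddling a boundary is still covered).
            byte[] buffer = _dataProvider.ReadMemory(pAddr & 0xfffffffff000, 2);
            value = ReadString(buffer, (uint)(pAddr & 0xfff));
            return true;
        }

        /// <summary>
        /// Reads NtBuildLabEx and records it as "Build String Ex". Treated as optional: any failure
        /// (missing constant, unmapped address) is swallowed, as in the original.
        /// </summary>
        private void RecordBuildStringEx()
        {
            try
            {
                uint   buildOffsetEx = (uint)_profile.GetConstant("NtBuildLabEx");
                string buildEx;
                if (TryReadKernelString(buildOffsetEx, true, out buildEx))
                {
                    RecordInfoString("Build String Ex", buildEx);
                }
            }
            catch
            {
                // NtBuildLabEx is optional; leave it out rather than fail the whole lookup.
            }
        }

        /// <summary>
        /// Adds a plain string entry to the info dictionary, using <paramref name="title"/> as
        /// both the dictionary key and the display title.
        /// </summary>
        private void RecordInfoString(string title, string value)
        {
            InfoHelper helper = new InfoHelper();
            helper.Type  = InfoHelperType.InfoDictionary;
            helper.Name  = value;
            helper.Title = title;
            AddToInfoDictionary(title, helper);
        }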
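 /// <summary>
 /// Determines the kernel profile (PDB GUID + age) and loads the matching profile.
 /// </summary>
 /// <remarks>
 /// Live capture: reads <c>ntoskrnl.exe</c> from <see cref="Environment.SystemDirectory"/> and
 /// scans it for an RSDS CodeView record whose PDB name is a known kernel PDB. Memory image:
 /// scans the image for "RSDS" records instead. In both cases the profile name is
 /// "&lt;GUID&gt;&lt;age&gt;.gz", the profile is loaded from the (still hard-coded) cache path,
 /// and the profile name, architecture and KiUserSharedData address are recorded in the info
 /// dictionary. Nothing is set when no record is found; errors are swallowed (best effort).
 /// Fixes over the original: the live scan terminated only on a match (EOF was cast to byte
 /// 0xFF and looped forever), short reads of the RSDS body were not checked, and an 'R' that
 /// broke a partial "RSDS" match was not reused as the start of a new match.
 /// </remarks>
 public void FindProfileGuidBody()
 {
     if (_dataProvider.IsLive)
     {
         FindProfileFromLiveKernelFile();
     }
     else
     {
         FindProfileFromImage();
     }
 }

 /// <summary>
 /// Live path: byte-scan the on-disk kernel image for an RSDS record naming a kernel PDB.
 /// NOTE(review): this assumes the file on disk is the kernel that is actually running (e.g.
 /// no update pending a reboot); a mismatch yields a wrong profile - confirm this is acceptable.
 /// </summary>
 private void FindProfileFromLiveKernelFile()
 {
     try
     {
         string kernelLocation = Path.Combine(Environment.SystemDirectory, "ntoskrnl.exe");
         using (FileStream fs = new FileStream(kernelLocation, FileMode.Open, FileAccess.Read))
         {
             int matches = 0; // number of leading "RSDS" bytes matched so far
             while (true)
             {
                 int next = fs.ReadByte();
                 if (next < 0)
                 {
                     // End of file without a kernel RSDS record.
                     return;
                 }
                 byte b = (byte)next;
                 if (matches == 0 && b == (byte)'R')
                 {
                     matches = 1;
                 }
                 else if (matches == 1 && b == (byte)'S')
                 {
                     matches = 2;
                 }
                 else if (matches == 2 && b == (byte)'D')
                 {
                     matches = 3;
                 }
                 else if (matches == 3 && b == (byte)'S')
                 {
                     if (TryApplyRsdsRecord(fs))
                     {
                         return;
                     }
                     // Not a kernel PDB: keep scanning after the record body just consumed.
                     matches = 0;
                 }
                 else
                 {
                     // Mismatch: an 'R' may itself start a new signature ("RRSDS", "RSDRSDS").
                     matches = b == (byte)'R' ? 1 : 0;
                 }
             }
         }
     }
     catch (Exception)
     {
         // Best effort: an unreadable kernel file or a profile load failure leaves the profile unset.
         return;
     }
 }

 /// <summary>
 /// Reads the body of an RSDS record (16-byte GUID, 4-byte age, 12-byte PDB name) from the
 /// current stream position and, when the name is a kernel PDB, applies the profile.
 /// </summary>
 /// <param name="fs">Stream positioned just after the "RSDS" signature.</param>
 /// <returns>true when a kernel profile was applied.</returns>
 private bool TryApplyRsdsRecord(FileStream fs)
 {
     byte[] guidBytes = new byte[16];
     byte[] ageBytes  = new byte[4];
     byte[] nameBytes = new byte[12];
     if (fs.Read(guidBytes, 0, 16) != 16 ||
         fs.Read(ageBytes, 0, 4) != 4 ||
         fs.Read(nameBytes, 0, 12) != 12)
     {
         // Truncated record at end of file.
         return false;
     }
     // The known names are pure ASCII, so ASCII decoding is enough and does not depend on the
     // machine's ANSI code page the way Encoding.Default does.
     string name = Encoding.ASCII.GetString(nameBytes);
     if (!IsKernelPdbName(name))
     {
         return false;
     }
     Guid   g       = new Guid(guidBytes);
     uint   age     = BitConverter.ToUInt32(ageBytes, 0);
     string guidAge = (g.ToString("N") + age.ToString()).ToUpperInvariant();
     ApplyProfile(guidAge + ".gz", false);
     return true;
 }

 /// <summary>
 /// Memory-image path: scan for "RSDS" records and apply the first one naming a kernel PDB.
 /// Per-hit parse failures are expected (untrusted data) and skip to the next hit.
 /// </summary>
 private void FindProfileFromImage()
 {
     StringSearch search = new StringSearch(_dataProvider);
     search.AddNeedle("RSDS");
     foreach (var answer in search.Scan())
     {
         List<ulong> hitList;
         try
         {
             hitList = answer["RSDS"];
         }
         catch (Exception)
         {
             // Kept from the original: a batch without the key ends the search.
             return;
         }

         foreach (ulong hit in hitList)
         {
             try
             {
                 RSDS rsds = new RSDS(_dataProvider, hit);
                 if (rsds.Signature != "RSDS" || !IsKernelPdbName(rsds.Filename))
                 {
                     continue;
                 }
                 InfoHelper helper = new InfoHelper();
                 helper.Type            = InfoHelperType.InfoDictionary;
                 helper.Name            = "0x" + hit.ToString("X08") + " (p)";
                 helper.PhysicalAddress = hit;
                 helper.BufferSize      = 36;
                 helper.Title           = "Debug Symbols (RSDS)";
                 AddToInfoDictionary("Debug Symbols (RSDS)", helper);
                 helper       = new InfoHelper();
                 helper.Type  = InfoHelperType.InfoDictionary;
                 helper.Name  = rsds.Filename;
                 helper.Title = "Debug Symbols Filename";
                 AddToInfoDictionary("Debug Symbols Filename", helper);
                 ApplyProfile(rsds.GuidAge + ".gz", true);
                 return;
             }
             catch (Exception)
             {
                 // Garbage that merely contains "RSDS"; try the next hit.
                 continue;
             }
         }
     }
 }

 /// <summary>
 /// True for the PDB names used by the Windows kernel variants this tool recognises.
 /// </summary>
 private static bool IsKernelPdbName(string name)
 {
     return name == "ntkrnlpa.pdb" || name == "ntkrnlmp.pdb" || name == "ntkrpamp.pdb" || name == "ntoskrnl.pdb";
 }

 /// <summary>
 /// Records the profile name, loads the profile, and records the architecture and the
 /// KiUserSharedData address that follows from it.
 /// </summary>
 /// <param name="profileName">"&lt;GUID&gt;&lt;age&gt;.gz".</param>
 /// <param name="exposeKiUserSharedDataView">
 /// When true the KiUserSharedData entry also carries a VirtualAddress/BufferSize so it can be
 /// viewed; the original did this only on the memory-image path, and that difference is kept.
 /// </param>
 private void ApplyProfile(string profileName, bool exposeKiUserSharedDataView)
 {
     ProfileName = profileName;
     InfoHelper helper = new InfoHelper();
     helper.Type  = InfoHelperType.InfoDictionary;
     helper.Name  = ProfileName;
     helper.Title = "Profile Name";
     AddToInfoDictionary("ProfileName", helper);

     // TODO: the profile cache location is still hard-coded; make it a user option once the
     // settings dialog exists.
     _profile     = new Profile(ProfileName, @"E:\Forensics\MxProfileCache", _cacheLocation);
     Architecture = _profile.Architecture;
     helper       = new InfoHelper();
     helper.Type  = InfoHelperType.InfoDictionary;
     helper.Name  = Architecture;
     helper.Title = "Architecture";
     AddToInfoDictionary("Architecture", helper);

     // Fixed kernel-mode address of KUSER_SHARED_DATA and pool header alignment per architecture.
     if (_profile.Architecture == "I386")
     {
         _kiUserSharedData  = 0xFFDF0000;
         _profile.PoolAlign = 8;
     }
     else
     {
         _kiUserSharedData  = 0xFFFFF78000000000;
         _profile.PoolAlign = 16;
     }
     helper       = new InfoHelper();
     helper.Type  = InfoHelperType.InfoDictionary;
     helper.Name  = "0x" + _kiUserSharedData.ToString("X");
     helper.Title = "KiUserSharedData";
     if (exposeKiUserSharedDataView)
     {
         helper.VirtualAddress = _kiUserSharedData;
         helper.BufferSize     = 4096;
     }
     AddToInfoDictionary("KiUserSharedData", helper);
 }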