public static long Rva2offset(Program.MiniDump minidump, long virutal_address)
{
List <MinidumpMemory.MinidumpMemorySegment> memory_segments = new List <MinidumpMemory.MinidumpMemorySegment>();
bool is_fulldump;
if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
{
memory_segments = minidump.memory_segments_64.memory_segments;
is_fulldump = true;
}
else
{
memory_segments = minidump.memory_segments.memory_segments;
is_fulldump = false;
}
foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
{
if (ms.start_virtual_address <= (long)virutal_address && ms.end_virtual_address >= (long)virutal_address)
{
if (ms.start_virtual_address < (long)virutal_address)
{
int offset = (int)(virutal_address - (long)ms.start_virtual_address);
return((long)(ms.start_file_address + (long)offset));
}
return((long)ms.start_file_address);
}
}
return(0);
}
public static string ExtractANSIStringString(Program.MiniDump minidump, UNICODE_STRING str)
{
if (str.MaximumLength == 0)
{
return(null);
}
minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);
var pinnedArray = GCHandle.Alloc(resultBytes, GCHandleType.Pinned);
var tmp_p = pinnedArray.AddrOfPinnedObject();
var result = Marshal.PtrToStringAnsi(tmp_p);
pinnedArray.Free();
return(result);
}
public static string ExtractSid(Program.MiniDump minidump, long pSid)
{
byte nbAuth;
int sizeSid;
var pSidInt = Minidump.Helpers.ReadInt64(minidump.fileBinaryReader, pSid);
minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pSidInt) + 8, 0);
var nbAuth_b = minidump.fileBinaryReader.ReadBytes(1);
nbAuth = nbAuth_b[0];
sizeSid = 4 * nbAuth + 6 + 1 + 1;
minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pSidInt), 0);
var sid_b = minidump.fileBinaryReader.ReadBytes(sizeSid);
ConvertSidToStringSid(sid_b, out IntPtr ptrSid);
return(Marshal.PtrToStringAuto(ptrSid));
}
public static string ExtractUnicodeStringString(Program.MiniDump minidump, UNICODE_STRING str)
{
if (str.MaximumLength == 0)
{
return(null);
}
minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);
var encoder = new UnicodeEncoding(false, false, true);
try
{
return(encoder.GetString(resultBytes));
}
catch (Exception)
{
return(PrintHexBytes(resultBytes));
}
}
//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L323
public static long search_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false, int chunksize = (10 * 1024))
{
long pos = minidump.fileBinaryReader.BaseStream.Position;
ModuleList.MinidumpModule mod = get_module_by_name(module_name, minidump.modules);
List <MinidumpMemory.MinidumpMemorySegment> memory_segments = new List <MinidumpMemory.MinidumpMemorySegment>();
bool is_fulldump;
if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
{
memory_segments = minidump.memory_segments_64.memory_segments;
is_fulldump = true;
}
else
{
memory_segments = minidump.memory_segments.memory_segments;
is_fulldump = false;
}
byte[] needles = new byte[] { };
foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
{
if (mod.baseaddress <= ms.start_virtual_address && ms.start_virtual_address <= mod.endaddress)
{
minidump.fileBinaryReader.BaseStream.Seek(ms.start_file_address, 0);
byte[] data = minidump.fileBinaryReader.ReadBytes((int)ms.size);
minidump.fileBinaryReader.BaseStream.Seek(pos, 0);
int offset = PatternAt(data, pattern);
if (offset != -1)
{
return(ms.start_file_address + offset);
}
}
}
return(0);
}
//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L268
public static long find_in_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false)
{
return(search_module(minidump, module_name, pattern, find_first = find_first, reverse = reverse));
}
//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/lsadecryptor/package_commons.py#L64
public static long find_signature(Program.MiniDump minidump, string module_name, byte[] signature)
{
return(find_in_module(minidump, module_name, signature));
}
