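        /// <summary>
        /// Translates a virtual address of the dumped process into a file offset inside the minidump.
        /// </summary>
        /// <param name="minidump">Parsed minidump whose memory segment list is searched.</param>
        /// <param name="virutal_address">Virtual address to translate (misspelt name kept so named-argument callers still compile).</param>
        /// <returns>
        /// The file offset that holds <paramref name="virutal_address"/>, or 0 when no segment contains it.
        /// Callers cannot tell "not found" apart from an address that maps to file offset 0.
        /// </returns>
        public static long Rva2offset(Program.MiniDump minidump, long virutal_address)
        {
            // AMD64 dumps carry the 64-bit segment list; every other architecture uses the 32-bit one.
            List<MinidumpMemory.MinidumpMemorySegment> memory_segments;
            if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                memory_segments = minidump.memory_segments_64.memory_segments;
            }
            else
            {
                memory_segments = minidump.memory_segments.memory_segments;
            }

            foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
            {
                if (ms.start_virtual_address <= virutal_address && ms.end_virtual_address >= virutal_address)
                {
                    // Keep the delta in 64 bits: the previous int cast silently truncated
                    // offsets inside segments larger than 2 GiB. When the address equals the
                    // segment start the delta is 0, which covers the former special case.
                    long offset = virutal_address - (long)ms.start_virtual_address;
                    return (long)ms.start_file_address + offset;
                }
            }

            return 0;
        }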
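        /// <summary>
        /// Reads the buffer behind a UNICODE_STRING descriptor and decodes it as a NUL-terminated ANSI string.
        /// </summary>
        /// <param name="minidump">Minidump providing the reader and the address translation.</param>
        /// <param name="str">Descriptor whose <c>Buffer</c> is a virtual address and <c>MaximumLength</c> the number of bytes to read.</param>
        /// <returns>
        /// The text in the system ANSI code page, cut at the first NUL, or null when the descriptor is empty
        /// or no bytes could be read at the translated offset.
        /// </returns>
        public static string ExtractANSIStringString(Program.MiniDump minidump, UNICODE_STRING str)
        {
            if (str.MaximumLength == 0)
            {
                return null;
            }

            minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
            // ReadBytes returns fewer bytes than requested near the end of the file.
            byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);
            if (resultBytes.Length == 0)
            {
                return null;
            }

            // Stop at the first NUL but never beyond the buffer: the single-argument
            // PtrToStringAnsi scans for a terminator and would read past the pinned array
            // when the dump holds none.
            int length = Array.IndexOf(resultBytes, (byte)0);
            if (length < 0)
            {
                length = resultBytes.Length;
            }

            GCHandle pinnedArray = GCHandle.Alloc(resultBytes, GCHandleType.Pinned);
            try
            {
                return Marshal.PtrToStringAnsi(pinnedArray.AddrOfPinnedObject(), length);
            }
            finally
            {
                // Released even if marshalling throws, so the array is never left pinned.
                pinnedArray.Free();
            }
        }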
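        /// <summary>
        /// Reads a SID structure from the dump and renders it in its textual "S-1-..." form.
        /// </summary>
        /// <param name="minidump">Minidump providing the reader and the address translation.</param>
        /// <param name="pSid">Virtual address of a pointer to the SID; the pointer is dereferenced first.</param>
        /// <returns>The string form of the SID, or null when the bytes cannot be read completely or the conversion fails.</returns>
        public static string ExtractSid(Program.MiniDump minidump, long pSid)
        {
            var  pSidInt   = Minidump.Helpers.ReadInt64(minidump.fileBinaryReader, pSid);
            long sidOffset = Rva2offset(minidump, pSidInt);

            // The sub-authority count is taken at +8 of the pointed-to bytes, as in the original code.
            // NOTE(review): a raw SID keeps SubAuthorityCount at offset 1 — confirm this offset against the caller's layout.
            minidump.fileBinaryReader.BaseStream.Seek(sidOffset + 8, 0);
            byte[] nbAuth_b = minidump.fileBinaryReader.ReadBytes(1);
            if (nbAuth_b.Length == 0)
            {
                // End of file before the count byte: indexing nbAuth_b[0] would throw.
                return null;
            }

            byte nbAuth = nbAuth_b[0];
            // Revision (1) + SubAuthorityCount (1) + IdentifierAuthority (6) + 4 bytes per sub-authority.
            int sizeSid = 4 * nbAuth + 6 + 1 + 1;

            minidump.fileBinaryReader.BaseStream.Seek(sidOffset, 0);
            byte[] sid_b = minidump.fileBinaryReader.ReadBytes(sizeSid);
            if (sid_b.Length != sizeSid)
            {
                // Truncated dump: hand the converter only a complete SID.
                return null;
            }

            IntPtr ptrSid = IntPtr.Zero;
            try
            {
                // Failure is reported through the return value (assumes the P/Invoke is declared
                // with a bool result, the Win32 BOOL); ignoring it would marshal from a null pointer.
                if (!ConvertSidToStringSid(sid_b, out ptrSid))
                {
                    return null;
                }

                return Marshal.PtrToStringAuto(ptrSid);
            }
            finally
            {
                // The string is LocalAlloc'd by the converter; FreeHGlobal maps to LocalFree on Windows.
                // Without this the previous version leaked one allocation per call.
                if (ptrSid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(ptrSid);
                }
            }
        }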
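        /// <summary>
        /// Reads the buffer behind a UNICODE_STRING descriptor and decodes it as UTF-16LE.
        /// </summary>
        /// <param name="minidump">Minidump providing the reader and the address translation.</param>
        /// <param name="str">Descriptor whose <c>Buffer</c> is a virtual address and <c>MaximumLength</c> the number of bytes to read.</param>
        /// <returns>
        /// The decoded text; a hex rendering of the raw bytes when they are not valid UTF-16;
        /// null when the descriptor is empty.
        /// </returns>
        public static string ExtractUnicodeStringString(Program.MiniDump minidump, UNICODE_STRING str)
        {
            if (str.MaximumLength == 0)
            {
                return null;
            }

            minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
            // The whole MaximumLength buffer is decoded, so any bytes past the string's Length
            // end up in the result; kept as-is because callers may rely on the current output.
            byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);

            // Little-endian, no BOM, throw on malformed input so garbage is detected
            // instead of being replaced with U+FFFD.
            var encoder = new UnicodeEncoding(false, false, true);

            try
            {
                return encoder.GetString(resultBytes);
            }
            catch (DecoderFallbackException)
            {
                // Only the decoding failure is expected here; any other exception should
                // reach the caller rather than be hidden behind a hex dump.
                return PrintHexBytes(resultBytes);
            }
        }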
        //https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L323
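        /// <summary>
        /// Scans the memory segments that start inside a loaded module's address range for a byte pattern.
        /// </summary>
        /// <param name="minidump">Minidump providing the reader, the module list and the segment lists.</param>
        /// <param name="module_name">Name of the module whose address range is searched.</param>
        /// <param name="pattern">Bytes to look for.</param>
        /// <param name="find_first">Kept for signature compatibility with the Python original; not used, the first hit is always returned.</param>
        /// <param name="reverse">Kept for signature compatibility; not used, segments are scanned in list order.</param>
        /// <param name="chunksize">Kept for signature compatibility; not used, each segment is read in one piece.</param>
        /// <returns>The file offset of the first match, or 0 when the pattern is not found.</returns>
        public static long search_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false, int chunksize = (10 * 1024))
        {
            long pos = minidump.fileBinaryReader.BaseStream.Position;

            // NOTE(review): get_module_by_name's behaviour for an unknown module is not visible here;
            // if it returns null the range check below throws.
            ModuleList.MinidumpModule mod = get_module_by_name(module_name, minidump.modules);

            // AMD64 dumps carry the 64-bit segment list; every other architecture uses the 32-bit one.
            List<MinidumpMemory.MinidumpMemorySegment> memory_segments;
            if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                memory_segments = minidump.memory_segments_64.memory_segments;
            }
            else
            {
                memory_segments = minidump.memory_segments.memory_segments;
            }

            try
            {
                foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
                {
                    // Each segment is searched on its own, so a match that straddles two segments is not found.
                    if (mod.baseaddress <= ms.start_virtual_address && ms.start_virtual_address <= mod.endaddress)
                    {
                        minidump.fileBinaryReader.BaseStream.Seek(ms.start_file_address, 0);
                        // NOTE(review): the int cast truncates segments larger than 2 GiB, as in the original.
                        byte[] data = minidump.fileBinaryReader.ReadBytes((int)ms.size);
                        int offset = PatternAt(data, pattern);
                        if (offset != -1)
                        {
                            return ms.start_file_address + offset;
                        }
                    }
                }

                return 0;
            }
            finally
            {
                // Restore the caller's stream position on every exit, including exceptions
                // (the previous version only restored it after a successful read).
                minidump.fileBinaryReader.BaseStream.Seek(pos, 0);
            }
        }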
 //https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L268
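 /// <summary>
 /// Looks a byte pattern up inside a named module; thin wrapper over <see cref="search_module"/>.
 /// </summary>
 /// <param name="minidump">Minidump to search.</param>
 /// <param name="module_name">Module whose address range is scanned.</param>
 /// <param name="pattern">Bytes to look for.</param>
 /// <param name="find_first">Forwarded to <see cref="search_module"/>.</param>
 /// <param name="reverse">Forwarded to <see cref="search_module"/>.</param>
 /// <returns>File offset of the match, or 0 when not found.</returns>
 public static long find_in_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false)
 {
     // `find_first = find_first` in the original was a self-assignment evaluated as a positional
     // argument, not a named one; C# named arguments use ':'. The values passed are unchanged.
     return search_module(minidump, module_name, pattern, find_first: find_first, reverse: reverse);
 }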
 //https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/lsadecryptor/package_commons.py#L64
 /// <summary>
 /// Finds <paramref name="signature"/> inside the named module; identical to
 /// <see cref="find_in_module"/> with its default options.
 /// </summary>
 /// <param name="minidump">Minidump to search.</param>
 /// <param name="module_name">Module whose address range is scanned.</param>
 /// <param name="signature">Byte signature to locate.</param>
 /// <returns>File offset of the match, or 0 when not found.</returns>
 public static long find_signature(Program.MiniDump minidump, string module_name, byte[] signature)
     => find_in_module(minidump, module_name, signature);