/// <summary>
/// Opens the process by id. Stores information about the target process.
/// </summary>
/// <param name="pid">The process identifier of the target process.</param>
/// <returns>Returns true on success.</returns>
public bool Open(uint pid)
{
if (!SysInteractor.IsInitialized)
{
SysInteractor.Init();
}
WinApi.ProcessRights flags =
WinApi.ProcessRights.QUERY_INFORMATION |
WinApi.ProcessRights.VM_READ |
WinApi.ProcessRights.VM_WRITE |
WinApi.ProcessRights.VM_OPERATION;
this.ProcHandle = WinApi.OpenProcess(flags, false, pid);
if (this.ProcHandle != null)
{
try
{
this.Proc = Process.GetProcessById((int)pid);
}
catch (ArgumentException)
{
WinApi.CloseHandle(this.ProcHandle);
return(false);
}
bool isWow64;
if (!WinApi.IsWow64Process(this.ProcHandle, out isWow64))
{
this.Status.Log(
"Unable to determine bitness of process: " + this.Proc.ProcessName, Logger.Level.HIGH);
}
// 64-bit process detection.
// Note: This does not take into account for PAE. No plans to support PAE currently exist.
if (isWow64)
{
// For scanning purposes, Wow64 processes will be treated as as 32-bit processes.
this.Is64Bit = false;
this.d.TargetArchitecture = Disassembler.Architecture.x86_32;
}
else
{
// If it is not Wow64, then the process is natively running, so set it according to the OS
// architecture.
this.Is64Bit = SysInteractor.Is64Bit;
this.d.TargetArchitecture =
this.Is64Bit ? Disassembler.Architecture.x86_64 : Disassembler.Architecture.x86_32;
}
return(true);
}
else
{
this.Status.Log("Unable to open the target process.", Logger.Level.HIGH);
return(false);
}
}
/// <summary>
/// Generates a new basic block that starts at the supplied base address.
/// </summary>
/// <param name="p">The process interactor used to read data from the target.</param>
/// <param name="baseAddress">The base address of the basic block.</param>
/// <param name="blocks">
/// A set of basic blocks that relate to the current block through either direct or indirect connections.
/// </param>
/// <param name="maxDepth">
/// The maximum number of code flow indirections to be followed. If set to -1, no maximum indirection count is
/// enforced.
/// </param>
/// <returns>Returns a basic block that starts at the supplied address.</returns>
public static BasicBlock GenerateBlock(
PInteractor p,
IntPtr baseAddress,
out HashSet<BasicBlock> blocks,
long maxDepth = -1)
{
SysInteractor.Init();
blocks = new HashSet<BasicBlock>();
HashSet<Page> pages = new HashSet<Page>();
BasicBlock block = BasicBlock.GenerateBlock(p, baseAddress, ref blocks, ref pages, maxDepth);
BasicBlock.RemoveDuplicateInstructions(ref blocks);
return block;
}
/// <summary>
/// Initializes a new instance of the Scanner class.
/// </summary>
public Scanner()
{
SysInteractor.Init();
this.Regions = new List <Region>();
this.Matches = new List <IntPtr>();
}
public IntPtr IdentifyFunctionStartAddress(IntPtr address)
{
if (!this.IsOpen)
{
return(IntPtr.Zero);
}
if (!SysInteractor.IsInitialized)
{
SysInteractor.Init();
}
Page p = null;
IntPtr baseAddress = new IntPtr((address.ToInt64() / SysInteractor.PageSize) * SysInteractor.PageSize);
foreach (Page cachedPage in this.pageCache)
{
if (cachedPage.Address.ToInt64() == baseAddress.ToInt64())
{
p = cachedPage;
break;
}
}
if (p == null)
{
p = new Page();
p.Address = baseAddress;
if (!this.Read(p.Address, p.Data))
{
return(IntPtr.Zero);
}
}
if (p.InstructionsDecomposed.Length == 0 || p.InstructionsDisassembled.Count == 0)
{
if (this.Is64Bit)
{
if (!p.Disassemble(Distorm.DecodeType.Decode64Bits))
{
return(IntPtr.Zero);
}
}
else
{
if (!p.Disassemble(Distorm.DecodeType.Decode32Bits))
{
return(IntPtr.Zero);
}
}
}
long targetInstIndex = -1;
for (long i = 0; i < p.Data.Length; ++i)
{
if (p.InstructionsDecomposed[i].addr == (ulong)address.ToInt64())
{
targetInstIndex = i;
}
}
if (targetInstIndex == -1)
{
return(IntPtr.Zero);
}
for (long i = targetInstIndex; i >= 0; --i)
{
//if (p.InstructionsDecomposed[i].InstructionType == Distorm.InstructionType.)
}
return(IntPtr.Zero);
}
