private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
List <string> paths = new List <string>();
if (Path != null)
{
paths.AddRange(Path);
}
if (Win32Path != null)
{
paths.AddRange(Win32Path.Select(p => ConvertWin32Path(p)));
}
foreach (string path in paths)
{
if (!path.StartsWith(@"\"))
{
WriteWarning($"Path '{path}' doesn't start with \\. Perhaps you want to specify -Win32Path instead?");
}
try
{
RunAccessCheckPath(tokens, path);
}
catch (NtException ex)
{
WriteError(new ErrorRecord(ex, "NtException", ErrorCategory.DeviceError, this));
}
}
}
void DumpUnpackedFiles()
{
foreach (var unpackedFile in unpackedFiles)
{
DeobfuscatedFile.CreateAssemblyFile(unpackedFile.data,
Win32Path.GetFileNameWithoutExtension(unpackedFile.filename),
Win32Path.GetExtension(unpackedFile.filename));
}
}
UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter)
{
uint offset = 0;
for (int i = 0; i < index + 1; i++)
{
offset += sizes[i];
}
string filename = Win32Path.GetFileName(filenames[index]);
var data = peImage.offsetReadBytes(offset, (int)sizes[index + 1]);
data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
data = decompress(data);
return(new UnpackedFile(filename, data));
}
public override int GetHashCode()
{
return(Version.GetSafeHashCode() ^ Name.GetSafeHashCode() ^ Win32Path.GetSafeHashCode() ^ Win64Path.GetSafeHashCode());
}
