ExtrtactAddressSpaces() public method (the identifier is misspelled in the upstream source — keep that spelling when calling it, as both examples below do)

This routine is fairly expensive, and possibly unnecessary, but it demonstrates walking the page tables plus EPT; an address-space dumper can be connected to it very easily. TODO: rework this. Instead of simply pre-buffering everything, verify that the GroupAS detections are appropriate and, if they are not, reassign the VMCS/EPTP page to bare metal or to a different HVLayer item.
public ExtrtactAddressSpaces ( IOrderedEnumerable<…> MemSpace = null, ConcurrentBag<…> Procs = null, PTType pTypes = PTType.UNCONFIGURED ) : Dictionary<…, List<…>> — the generic type arguments were stripped when this page was rendered (the return type appears as "List>.Dictionary"); judging by the `vtero.ASGroups` usage in the examples below, the result is a dictionary keyed by group ID whose values are lists of detected processes, but confirm against the source.
MemSpace IOrderedEnumerable<…> The ordered list of VMCS/EPTP configurations that alter how the page tables are walked
Procs ConcurrentBag Detected procs to query
pTypes PTType Type bitmask to interpret
return Dictionary<…, List<…>> (rendered as "List>.Dictionary" — generic arguments lost in rendering)
Code example #1
File: Dump.cs — Project: olivierh59500/inVtero.net
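        /// <summary>
        /// Runs the full address-space extraction over a memory image, scans every
        /// detected process for the NT kernel image, and finally writes the extracted
        /// address spaces to disk unless <paramref name="dmpo"/>.ListOnly is set.
        /// </summary>
        /// <param name="vtero">Analysis context: supplies Version, MRD, ASGroups, VMCSs
        /// and the ExtrtactAddressSpaces / ModuleScan / DumpASToFile helpers.</param>
        /// <param name="co">Configuration; only FileName (the image path) is read here.</param>
        /// <param name="dmpo">Dump options; ListOnly suppresses the final dump.</param>
        public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
        {
            var Version = vtero.Version;

            // Initialise the memory backend for the image before any table walking.
            Mem.InitMem(co.FileName, vtero.MRD);

            // ExtrtactAddressSpaces verifies the linkages between
            // process <-> CR3 <-> EPTP (if there is one) and that they are functional.
            // Its return value is not needed here: the vetted groups are read back
            // from vtero.ASGroups below.
            vtero.ExtrtactAddressSpaces(null, null, Version);

            // Left in as an example of picking one process by group ID / CR3 ;)

            //WriteLine("enter a group ID: ");
            //input = ReadLine();
            //int Grp = int.Parse(input);
            //WriteLine("enter a process ID: ");
            //input = ReadLine();
            //long procID = long.Parse(input, NumberStyles.HexNumber);
            //var proc = (from procz in vtero.ASGroups[Grp]
            //            where procz.CR3Value == procID
            //            select procz).First();
            //int i = 1;
            //DetectedProc dp = proc;
            //while(dp == null)
            //    dp = vtero.GetKernelRangeFromGroup(i++);


            // Scan for the NT kernel image. These constants span the x64 kernel window
            // 0xFFFFF80000000000 .. 0xFFFFF87FFFFFFFFF (512 GiB); the end bound is the
            // start of the window's last 4 KiB page. The leading 0xFFFF of the canonical
            // address is omitted, which presumably matches how ModuleScan expresses
            // virtual addresses — verify against it.
            const long KernVAStart = 0xF80000000000;
            const long KernVAEnd   = KernVAStart + (0x8000000000 - 0x1000);

            // Detections is cumulative: it is never cleared between groups or VMCSs, so
            // every later iteration re-prints the hits from earlier ones. The first hit
            // for a given address wins.
            var          Detections   = new Dictionary<long, Extract>();
            DetectedProc LikelyKernel = null;
            bool         Decoded      = false;

            // Nested loops brute-force past per-group errors; we only need the first
            // set of detections per group. NOTE: Decoded is only set to true by the
            // CV/symbol block further down, which is currently commented out, so the
            // early exits below never fire and every group/VMCS/process is visited.
            foreach (var grpz in vtero.ASGroups)
            {
                foreach (var vm in vtero.VMCSs.Values)
                {
                    WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
                    foreach (var p in grpz.Value)
                    {
                        WriteLine($"Proc: {p.CR3Value:X}");

                        // Merge new hits in place instead of rebuilding the dictionary
                        // on every process.
                        foreach (var hit in vtero.ModuleScan(p, 3, KernVAStart, KernVAEnd))
                        {
                            if (!Detections.ContainsKey(hit.Key))
                            {
                                Detections.Add(hit.Key, hit.Value);
                            }
                        }

                        if (Detections.Count > 0)
                        {
                            LikelyKernel = p;

                            // An EPTP of 0 is treated as "no EPT applies to this process";
                            // otherwise bind the process to the VMCS being tried.
                            if (vm.EPTP == 0)
                            {
                                p.vmcs = null;
                            }
                            else
                            {
                                p.vmcs = vm;
                            }

                            // Walk the accumulated PE hits looking for the kernel.
                            foreach (var detected in Detections)
                            {
                                var description = detected.Value.ToString();

                                WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
                                WriteColor(ConsoleColor.Cyan, description);

                                // Heuristic: a module whose description mentions POOLCODE (a
                                // section name characteristic of ntoskrnl) is taken to be the
                                // kernel. This is a substring match on content read from the
                                // image, so treat it as a hint for what to parse next rather
                                // than as proof.
                                if (description.Contains("POOLCODE"))
                                {
                                    WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");

                                    // NOTE(review): if the symbol-loading block below is re-enabled,
                                    // use an https:// symbol server URL. A plain http SRV* path lets
                                    // an on-path attacker substitute the PDB that then drives
                                    // GetKernelDebuggerData.
                                    /*
                                     * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);
                                     *
                                     * if (cv_data != null)
                                     * {
                                     *  var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
                                     *  if (string.IsNullOrWhiteSpace(sympath))
                                     *      sympath = "SRV*http://msdl.microsoft.com/download/symbols";
                                     *
                                     *  if (Vtero.TryLoadSymbols(cv_data, detected.Key, sympath))
                                     *      Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
                                     * }
                                     */
                                }
                            }
                        }
                        if (Decoded)
                        {
                            break;
                        }
                    }
                    if (Decoded)
                    {
                        break;
                    }
                }
                if (Decoded)
                {
                    break;
                }
            }

            // The rate is computed over FileSize * 3 — presumably one pass per phase
            // of the analysis; unverified.
            ForegroundColor = ConsoleColor.Green;
            WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");

            // Extract and dump could be done in a single pass; for now the dump runs
            // after the fact unless the caller only asked for a listing.
            if (!dmpo.ListOnly)
            {
                vtero.DumpASToFile();
            }

            //if (Vtero.VerboseOutput)
            //vtero.DumpFailList();
        }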
Code example #2
File: Dump.cs — Project: ShaneK2/inVtero.net
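        /// <summary>
        /// Extracts and vets every address space in a memory image, scans the detected
        /// processes for the NT kernel image, then dumps the address spaces to disk
        /// unless <paramref name="dmpo"/>.ListOnly is set.
        /// </summary>
        /// <param name="vtero">Analysis context: supplies Version, MRD, ASGroups, VMCSs
        /// and the ExtrtactAddressSpaces / ModuleScan / DumpASToFile helpers.</param>
        /// <param name="co">Configuration; only FileName (the image path) is read here.</param>
        /// <param name="dmpo">Dump options; ListOnly suppresses the final dump.</param>
        public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
        {
            var Version = vtero.Version;

            // Initialise the memory backend for the image before any table walking.
            Mem.InitMem(co.FileName, vtero.MRD);

            // ExtrtactAddressSpaces verifies the linkages between
            // process <-> CR3 <-> EPTP (if there is one) and that they are functional.
            // The result is not used directly; the vetted groups are read back from
            // vtero.ASGroups below.
            vtero.ExtrtactAddressSpaces(null, null, Version);

            // Left in as an example of picking one process by group ID / CR3 ;)

            //WriteLine("enter a group ID: ");
            //input = ReadLine();
            //int Grp = int.Parse(input);
            //WriteLine("enter a process ID: ");
            //input = ReadLine();
            //long procID = long.Parse(input, NumberStyles.HexNumber);
            //var proc = (from procz in vtero.ASGroups[Grp]
            //            where procz.CR3Value == procID
            //            select procz).First();
            //int i = 1;
            //DetectedProc dp = proc;
            //while(dp == null)
            //    dp = vtero.GetKernelRangeFromGroup(i++);


            // Scan for the NT kernel image. These constants span the x64 kernel window
            // 0xFFFFF80000000000 .. 0xFFFFF87FFFFFFFFF (512 GiB); the end bound is the
            // start of the window's last 4 KiB page. The leading 0xFFFF of the canonical
            // address is omitted, which presumably matches how ModuleScan expresses
            // virtual addresses — verify against it.
            const long KernVAStart = 0xF80000000000;
            const long KernVAEnd = KernVAStart + (0x8000000000 - 0x1000);

            // Detections accumulates across all groups and VMCSs and is never cleared,
            // so later iterations re-print earlier hits. First hit per address wins.
            var Detections = new Dictionary<long, Extract>();
            DetectedProc LikelyKernel = null;
            bool Decoded = false;

            // Nested loops brute-force past per-group errors; only the first set of
            // detections per group is needed. NOTE: Decoded is only set to true by the
            // CV/symbol block further down, which is currently commented out, so the
            // early exits never fire and every group/VMCS/process is visited.
            foreach (var grpz in vtero.ASGroups)
            {
                foreach (var vm in vtero.VMCSs.Values)
                {
                    WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
                    foreach (var p in grpz.Value)
                    {
                        WriteLine($"Proc: {p.CR3Value:X}");

                        // Merge new hits in place rather than rebuilding the dictionary.
                        foreach (var hit in vtero.ModuleScan(p, KernVAStart, KernVAEnd))
                        {
                            if (!Detections.ContainsKey(hit.Key))
                                Detections.Add(hit.Key, hit.Value);
                        }

                        if (Detections.Count > 0)
                        {
                            LikelyKernel = p;

                            // An EPTP of 0 is treated as "no EPT applies to this process";
                            // otherwise bind the process to the VMCS being tried.
                            if (vm.EPTP == 0)
                                p.vmcs = null;
                            else
                                p.vmcs = vm;

                            // Walk the accumulated PE hits looking for the kernel.
                            foreach (var detected in Detections)
                            {
                                var description = detected.Value.ToString();

                                WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
                                WriteColor(ConsoleColor.Cyan, description);

                                // Heuristic: a module whose description mentions POOLCODE (a
                                // section name characteristic of ntoskrnl) is taken to be the
                                // kernel. It is a substring match on content read from the
                                // image — a hint for what to parse next, not proof.
                                if (description.Contains("POOLCODE"))
                                {
                                    WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");

                                    // NOTE(review): if the symbol-loading block below is re-enabled,
                                    // use an https:// symbol server URL. A plain http SRV* path lets
                                    // an on-path attacker substitute the PDB that then drives
                                    // GetKernelDebuggerData.
                                    /*
                                     * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);

                                    if (cv_data != null)
                                    {
                                        var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
                                        if (string.IsNullOrWhiteSpace(sympath))
                                            sympath = "SRV*http://msdl.microsoft.com/download/symbols";

                                        if (vtero.TryLoadSymbols(cv_data, detected.Key, sympath))
                                            Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
                                    }
                                    */
                                }
                            }
                        }
                        if (Decoded) break;
                    }
                    if (Decoded) break;
                }
                if (Decoded) break;
            }

            // The rate is computed over FileSize * 3 — presumably one pass per phase
            // of the analysis; unverified.
            ForegroundColor = ConsoleColor.Green;
            WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");

            // Extract and dump could be done in a single pass; for now the dump runs
            // after the fact unless the caller only asked for a listing.
            if (!dmpo.ListOnly)
                vtero.DumpASToFile();

            //if (Vtero.VerboseOutput)
                //vtero.DumpFailList();
        }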