protected List <LIST_ENTRY> FindAllLists(DataProviderBase dataProvider, LIST_ENTRY source)
{
List <LIST_ENTRY> results = new List <LIST_ENTRY>();
List <ulong> seen = new List <ulong>();
List <LIST_ENTRY> stack = new List <LIST_ENTRY>();
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
stack.Add(source);
while (stack.Count > 0)
{
LIST_ENTRY item = stack[0];
stack.RemoveAt(0);
if (!seen.Contains(item.PhysicalAddress))
{
seen.Add(item.PhysicalAddress);
results.Add(item);
ulong Blink = item.Blink;
if (Blink != 0)
{
ulong refr = addressSpace.vtop(Blink);
stack.Add(new LIST_ENTRY(dataProvider, item.Blink));
}
ulong Flink = item.Flink;
if (Flink != 0)
{
ulong refr = addressSpace.vtop(Flink);
stack.Add(new LIST_ENTRY(dataProvider, item.Flink));
}
}
}
return(results);
}
public PE(DataProviderBase dataProvider, AddressBase addressSpace, ulong address)
{
_dataProvider = dataProvider;
_imageBaseVirtualAddress = address;
_kernelAddressSpace = addressSpace;
int marker = 0;
try
{
ulong alignedAddress = _imageBaseVirtualAddress & 0xfffffffff000;
ulong pAddr = _kernelAddressSpace.vtop(alignedAddress);
if (pAddr == 0)
{
throw new ArgumentException("Error mapping virtual address 0x" + alignedAddress.ToString("X08"));
}
byte[] buffer = dataProvider.ReadMemory(pAddr, 1);
GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
_dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_DOS_HEADER));
_valid = (_dosHeader.e_magic == 0x5a4d);
marker += (int)_dosHeader.e_lfanew;
UInt32 ntHeadersSignature = BitConverter.ToUInt32(buffer, marker);
if (ntHeadersSignature == 0x4550)
{
marker += 4;
_fileHeader = (IMAGE_FILE_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_FILE_HEADER));
marker += Marshal.SizeOf(_fileHeader);
if (Is32BitHeader)
{
_optionalHeader32 = (IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_OPTIONAL_HEADER32));
marker += Marshal.SizeOf(_optionalHeader32);
}
else
{
_optionalHeader64 = (IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_OPTIONAL_HEADER64));
marker += Marshal.SizeOf(_optionalHeader64);
}
_imageSectionHeaders = new IMAGE_SECTION_HEADER[_fileHeader.NumberOfSections];
for (int headerNo = 0; headerNo < _imageSectionHeaders.Length; ++headerNo)
{
_imageSectionHeaders[headerNo] = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, marker), typeof(IMAGE_SECTION_HEADER));
marker += Marshal.SizeOf(_imageSectionHeaders[0]);
}
ulong debugVAddr = Is32BitHeader ? _optionalHeader32.Debug.VirtualAddress + _imageBaseVirtualAddress : _optionalHeader64.Debug.VirtualAddress + _imageBaseVirtualAddress;
pinnedPacket.Free();
pAddr = _kernelAddressSpace.vtop(debugVAddr, false);
buffer = dataProvider.ReadMemory(pAddr & 0xfffffffff000, 2);
pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
IMAGE_DEBUG_DIRECTORY idd = (IMAGE_DEBUG_DIRECTORY)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, (int)(pAddr & 0xfff)), typeof(IMAGE_DEBUG_DIRECTORY));
_debugSectionOffset = idd.AddressOfRawData + _imageBaseVirtualAddress;
pinnedPacket.Free();
}
else
{
pinnedPacket.Free();
}
}
catch { }
}
// this will fail if the string runs off the end of the page
// remember to set the dataProvider.ActiveAddressSpace before you call
public UnicodeString(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_physicalAddress = physicalAddress;
_is64 = (_profile.Architecture == "AMD64");
_addressSpace = dataProvider.ActiveAddressSpace;
_structureSize = (int)_profile.GetStructureSize("_UNICODE_STRING");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_TYPE");
}
//AddressBase addressSpace = dataProvider.ActiveAddressSpace;
if (virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_physicalAddress = _addressSpace.vtop(_virtualAddress);
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
if (_buffer == null)
{
throw new ArgumentException("Invalid Address: " + virtualAddress.ToString("X08"));
}
_structure = _profile.GetEntries("_UNICODE_STRING");
Structure s = GetStructureMember("Length");
//int realOffset = (int)s.Offset + (int)(_physicalAddress & 0xfff);
_length = BitConverter.ToUInt16(_buffer, (int)s.Offset);
s = GetStructureMember("MaximumLength");
//realOffset = (int)s.Offset + (int)(_physicalAddress & 0xfff);
_maximumLength = BitConverter.ToUInt16(_buffer, (int)s.Offset);
s = GetStructureMember("Buffer");
//realOffset = (int)s.Offset + (int)(_physicalAddress & 0xfff);
if (_is64)
{
_pointerBuffer = BitConverter.ToUInt64(_buffer, (int)s.Offset) & 0xffffffffffff;
}
else
{
_pointerBuffer = BitConverter.ToUInt32(_buffer, (int)s.Offset) & 0xffffffff;
}
ulong pAddress = _addressSpace.vtop(_pointerBuffer);
if (pAddress != 0)
{
byte[] nameBuffer = _dataProvider.ReadMemory(pAddress & 0xfffffffff000, 1);
_name = Encoding.Unicode.GetString(nameBuffer, (int)(pAddress & 0xfff), (int)_length);
}
}
protected void Overlay(string name)
{
string shorterVersion = name.TrimStart(new char[] { '_' });
_is64 = (_profile.Architecture == "AMD64");
_addressSpace = _dataProvider.ActiveAddressSpace;
_structureSize = (int)_profile.GetStructureSize(name);
if (_structureSize == -1)
{
throw new ArgumentException("Error: Profile didn't contain a definition for " + name);
}
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_physicalAddress = _addressSpace.vtop(_virtualAddress);
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
if (_buffer == null)
{
throw new ArgumentException("Invallid address " + _virtualAddress.ToString("x12"));
}
var dll = _profile.GetStructureAssembly(name);
Type t = dll.GetType("liveforensics." + shorterVersion);
GCHandle pinedPacket = GCHandle.Alloc(_buffer, GCHandleType.Pinned);
_members = Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(_buffer, 0), t);
pinedPacket.Free();
}
public HeaderNameInfo(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_physicalAddress = physicalAddress;
_is64 = (_profile.Architecture == "AMD64");
_structureSize = _profile.GetStructureSize("_OBJECT_HEADER_NAME_INFO");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_HEADER_NAME_INFO");
}
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
if (virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_OBJECT_HEADER_NAME_INFO");
Structure s = GetStructureMember("ReferenceCount");
_referenceCount = BitConverter.ToUInt32(_buffer, (int)s.Offset);
s = GetStructureMember("Name");
if (s.EntryType == "_UNICODE_STRING")
{
UnicodeString us = new UnicodeString(_profile, _dataProvider, physicalAddress: _physicalAddress + s.Offset);
_name = us.Name;
}
// TO DO Parse the Directory member of structure
}
/// <summary>
/// You should normally be using the virtual address
/// But when you do pool scans you'll only have a physical address
/// So in that case expect a VA=0 and a valid PA
/// </summary>
/// <param name="profile"></param>
/// <param name="dataProvider"></param>
/// <param name="virtualAddress"></param>
/// <param name="physicalAddress"></param>
public ObjectHeader(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_physicalAddress = physicalAddress;
if (virtualAddress == 0 && physicalAddress == 0)
{
throw new ArgumentException("Error - Offset is ZERO for _OBJECT_HEADER");
}
_is64 = (_profile.Architecture == "AMD64");
_structureSize = (uint)_profile.GetStructureSize("_OBJECT_HEADER");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_HEADER");
}
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
if (virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
//Debug.WriteLine("PADDR: " + _physicalAddress.ToString("X08"));
Initialise();
}
public DriverExtension(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_physicalAddress = physicalAddress;
_is64 = (_profile.Architecture == "AMD64");
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
if (virtualAddress != 0)
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
}
if (_physicalAddress == 0)
{
throw new ArgumentException("Error - Address is ZERO for _DRIVER_EXTENSION");
}
_structureSize = (uint)_profile.GetStructureSize("_DRIVER_EXTENSION");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _DRIVER_EXTENSION");
}
// _physicalAddress = _dataProvider.ActiveAddressSpace.vtop(_virtualAddress, _dataProvider.IsLive);
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_DRIVER_EXTENSION");
}
private void Initialise()
{
_is64 = (_profile.Architecture == "AMD64");
AddressBase addressSpace = _dataProvider.ActiveAddressSpace;
if (_virtualAddress != 0)
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
}
if (_physicalAddress == 0)
{
throw new ArgumentException("Error - Address is ZERO for _CM_KEY_BODY");
}
_structureSize = (uint)_profile.GetStructureSize("_CM_KEY_BODY");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _CM_KEY_BODY");
}
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
if (_buffer == null)
{
return;
}
_structure = _profile.GetEntries("_CM_KEY_BODY");
Structure s = GetStructureMember("KeyControlBlock");
if (s.PointerType != "_CM_KEY_CONTROL_BLOCK")
{
return;
}
if (_is64)
{
ulong addr = BitConverter.ToUInt64(_buffer, (int)s.Offset) & 0xffffffffffff;
_kcb = new KeyControlBlock(_profile, _dataProvider, addr);
KeyControlBlock temp = _kcb;
string name = "";
while (temp != null)
{
name = temp.NameControlBlock.Name + "\\" + name;
temp = temp.Parent;
}
_name = name.TrimEnd(new char[] { '\\' });
}
else
{
}
}
public KeyControlBlock(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_is64 = (_profile.Architecture == "AMD64");
AddressBase addressSpace = _dataProvider.ActiveAddressSpace;
if (_virtualAddress != 0)
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
}
if (_physicalAddress == 0)
{
throw new ArgumentException("Error - Address is ZERO for _CM_KEY_CONTROL_BLOCK");
}
_structureSize = (uint)_profile.GetStructureSize("_CM_KEY_CONTROL_BLOCK");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _CM_KEY_CONTROL_BLOCK");
}
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_CM_KEY_CONTROL_BLOCK");
Structure s = GetStructureMember("NameBlock");
if (s == null)
{
return;
}
if (_is64)
{
ulong addr = BitConverter.ToUInt64(_buffer, (int)s.Offset) & 0xffffffffffff;
_nameControlBlock = new CmNameControlBlock(_profile, _dataProvider, addr);
s = GetStructureMember("ParentKcb");
addr = BitConverter.ToUInt64(_buffer, (int)s.Offset) & 0xffffffffffff;
if (addr != 0)
{
_parent = new KeyControlBlock(_profile, _dataProvider, addr);
}
}
else
{
}
}
public LIST_ENTRY(DataProviderBase dataProvider, ulong vAddress)
{
try
{
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
_virtualAddress = vAddress;
_physicalAddress = addressSpace.vtop(vAddress, dataProvider.IsLive);
_x64 = addressSpace.Is64;
if (_x64)
{
var checkFirst = dataProvider.ReadUInt64(_virtualAddress);
if (checkFirst == null)
{
throw new ArgumentException("Invalid Address");
}
_blink = (ulong)checkFirst;
checkFirst = dataProvider.ReadUInt64(_virtualAddress + 8);
if (checkFirst == null)
{
throw new ArgumentException("Invalid Address");
}
_flink = (ulong)checkFirst;
}
else
{
var checkFirst = dataProvider.ReadUInt32(_virtualAddress);
if (checkFirst == null)
{
throw new ArgumentException("Invalid Address");
}
_blink = (ulong)checkFirst;
checkFirst = dataProvider.ReadUInt32(_virtualAddress + 4);
if (checkFirst == null)
{
throw new ArgumentException("Invalid Address");
}
_flink = (ulong)checkFirst;
}
}
catch (Exception ex)
{
throw new ArgumentException("Error: " + ex.Message);
}
}
private void Initialise()
{
_is64 = (_profile.Architecture == "AMD64");
AddressBase addressSpace = _dataProvider.ActiveAddressSpace;
if (_virtualAddress != 0)
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
}
if (_physicalAddress == 0)
{
throw new ArgumentException("Error - Address is ZERO for _DRIVER_OBJECT");
}
//_physicalAddress = _dataProvider.ActiveAddressSpace.vtop(_virtualAddress, _dataProvider.IsLive);
_structureSize = (uint)_profile.GetStructureSize("_DRIVER_OBJECT");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _DRIVER_OBJECT");
}
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_DRIVER_OBJECT");
Structure s = GetStructureMember("DriverName");
if (s.EntryType == "_UNICODE_STRING")
{
UnicodeString us = new UnicodeString(_profile, _dataProvider, physicalAddress: _physicalAddress + s.Offset);
_driverName = us.Name;
}
// get the driver extension
if (DriverExtensionVirtualAddress != 0)
{
_driverExtension = new DriverExtension(_profile, _dataProvider, physicalAddress: _physicalAddress + (ulong)_structureSize);
}
}
public CmNameControlBlock(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_is64 = (_profile.Architecture == "AMD64");
AddressBase addressSpace = _dataProvider.ActiveAddressSpace;
if (_virtualAddress != 0)
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
}
if (_physicalAddress == 0)
{
throw new ArgumentException("Error - Address is ZERO for _CM_NAME_CONTROL_BLOCK");
}
_structureSize = (uint)_profile.GetStructureSize("_CM_NAME_CONTROL_BLOCK");
if (_structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _CM_NAME_CONTROL_BLOCK");
}
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_CM_NAME_CONTROL_BLOCK");
Structure s = GetStructureMember("NameLength");
int nameLength = BitConverter.ToInt16(_buffer, (int)s.Offset);
if (_virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)(_structureSize + nameLength));
}
else
{
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)(_structureSize + nameLength));
}
s = GetStructureMember("Name");
_name = Encoding.UTF8.GetString(_buffer, (int)s.Offset, nameLength);
}
//private HandleTable _hndTable = null;
public EProcess(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
ObjectHeader oh = new ObjectHeader(_profile);
if (virtualAddress == 0)
{
_physicalAddress = physicalAddress;
Initialise();
}
else
{
_addressSpace = _dataProvider.ActiveAddressSpace;
_physicalAddress = _addressSpace.vtop(_virtualAddress, _dataProvider.IsLive);
Initialise();
long headerSize = oh.Size;
if (headerSize != -1)
{
_header = new ObjectHeader(_profile, _dataProvider, _virtualAddress - (uint)headerSize);
}
}
}
public byte[] ReadMemoryBlock(ulong startAddress, uint byteCount)
{
byte[] buffer = new byte[byteCount];
ulong startPage;
if (_activeAddressSpace.Is64)
{
startPage = startAddress & 0xfffffffff000;
}
else
{
startPage = startAddress & 0xfffff000;
}
uint pageCount = (uint)(((startAddress + byteCount) - startPage) / 0x1000);
uint pageDiff = (uint)(((startAddress + byteCount) - startPage) % 0x1000);
if (pageDiff > 0)
{
pageCount++;
}
byte[] bigBuffer = new byte[pageCount * 0x1000];
for (int i = 0; i < pageCount; i++)
{
ulong pAddr = _activeAddressSpace.vtop(startPage + (ulong)(i * 0x1000));
if (pAddr == 0)
{
return(null);
}
byte[] pageBuffer = ReadMemory(pAddr, 1);
if (pageBuffer == null)
{
return(null);
}
Array.Copy(pageBuffer, 0, bigBuffer, (i * 0x1000), 0x1000);
}
Array.Copy(bigBuffer, (int)(startAddress - startPage), buffer, 0, byteCount);
return(buffer);
}
public HeaderHandleInfo(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
{
_physicalAddress = physicalAddress;
_is64 = (_profile.Architecture == "AMD64");
int structureSize = (int)_profile.GetStructureSize("_OBJECT_HEADER_HANDLE_INFO");
if (structureSize == -1)
{
throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_HEADER_HANDLE_INFO");
}
AddressBase addressSpace = dataProvider.ActiveAddressSpace;
if (virtualAddress == 0)
{
_buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
}
else
{
_physicalAddress = addressSpace.vtop(_virtualAddress);
_buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
}
_structure = _profile.GetEntries("_OBJECT_HEADER_HANDLE_INFO");
}