/// <summary>
/// Network download from IOActive server for hosted reloc's
/// </summary>
/// <param name="args"></param>
/// <returns></returns>
bool Reloc(string[] args)
{
if (args.Length != 4)
{
var done = Task.Run(() =>
{
return(PrintHelp(args));
});
return(done.Result);
}
var Is64 = false;
var time = uint.MinValue;
var Region = string.Empty;
var dt = DateTime.MinValue;
var KnownAsName = string.Empty;
var OrigLoadAddress = ulong.MinValue;
var TimeStr = args[3];
Region = args[2];
if (!bool.TryParse(args[1], out Is64))
{
WriteLine($"Error parsing a Boolean value (True or False) from [{args[1]}], unable to continue.");
return(false);
}
if (string.IsNullOrWhiteSpace(Region) || Region.Contains(Path.GetInvalidFileNameChars().ToString()))
{
WriteLine($"Must provide a value for the DLL/EXE name to search for (region), provided value [{Region}], unable to continue.");
return(false);
}
if (!uint.TryParse(TimeStr, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture, out time)
&&
!uint.TryParse(TimeStr, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out time)
&&
!DateTime.TryParse(TimeStr, out dt)
)
{
WriteLine($"Error parsing a TimeDateStamp value (numeric (hex allowed) or in text form e.g. (8/18/2010 1:30:30 PM - 1/1/2010 8:00:15 AM = 229.05:30:15) from [{TimeStr}], unable to continue.");
return(false);
}
// if the argument was not a number or string value for date
// maybe it's a filename to use as a reference? ;)??
if (dt == DateTime.MinValue && time == uint.MinValue)
{
time = PETimeDateStamp(TimeStr);
}
// The FinalFileName is only known after the server responds with additional metadata
var DestName = $"{Region}-?####?-{time:X}.reloc.7z";
WriteLine($"Contacting, dest file [{DestName}]: 64bit:{Is64}, Region(dll):{Region}, TimeDateStamp:{time:X}.");
InterWeb = new Net(@"http://blockwatch.ioactive.com:8888/");
InterWeb.UserName = "******";
InterWeb.PassWord = "******";
//
// Sending the "Online" packet doesn't really matter since the cred's are sent always.
// It's more of an application ping/test that you're good to go.
//
// Aside from the downloaded .reloc file. You will also get the preferred load address
// which can sometimes be missing or altered by due to loader artifacts ? :(
//
var FinalFileName =
Task.Factory.StartNew(() => InterWeb.Online())
.ContinueWith((isOn) =>
{
Task <byte[]> data = null;
if (isOn.Result)
{
data = Task.Factory.StartNew(() => InterWeb.NetRelocCheck(Region, time, Is64, ref OrigLoadAddress, ref KnownAsName));
}
return(data);
}).Unwrap().ContinueWith((bytez) =>
{
var FinalName = $"{KnownAsName}-{OrigLoadAddress:X}-{time:X}.reloc.7z";
File.WriteAllBytes(FinalName, bytez.Result);
return(FinalName);
});
if (OrigLoadAddress == ulong.MaxValue)
{
Write("An error reported from server: ");
}
if (!File.Exists(FinalFileName.Result))
{
WriteLine("No .reloc available, request an import of the reloc data you need, we will expand the table based on feedback.");
return(false);
}
WriteLine($"Downloaded to {FinalFileName.Result}, size {new FileInfo(FinalFileName.Result).Length}.");
return(true);
#if FALSE
var LC = new LoginCredsText()
{
username = InterWeb.UserName, password = InterWeb.PassWord
};
WriteLine("test1...");
IChannelFactory <IRequestChannel> factory = new BasicHttpBinding().BuildChannelFactory <IRequestChannel>(new BindingParameterCollection());
factory.Open();
IRequestChannel channel = factory.CreateChannel(new EndpointAddress("http://blockwatch.ioactive.com:8888/Buffer/Text/wsHttp"));
channel.Open();
Message requestmessage = Message.CreateMessage(MessageVersion.Soap11, "http://tempuri.org/IElmerBuffer/Online", LC, new DataContractSerializer(LC.GetType()));
//send message
Message replymessage = channel.Request(requestmessage);
WriteLine("Reply message received");
WriteLine("Reply action: {0}", replymessage.Headers.Action);
string data = replymessage.GetBody <string>();
WriteLine("Reply content: {0}", data);
//Step5: don't forget to close the message
requestmessage.Close();
replymessage.Close();
//don't forget to close the channel
channel.Close();
//don't forget to close the factory
factory.Close();
#endif
}
public async Task Main(string[] args)
{
if (args.Length != 3)
{
var done = await Task.Run(() =>
{
WriteLine($"{Environment.NewLine} Commands: [Reloc] Is64 Region TimeDateStamp");
WriteLine($"\te.g. running the default Reloc command [dnx run True ntdll 51DA4B7D]");
WriteLine($"\twill result in the 64bit 7zip compressed reloc data to be downloaded to NTDLL.DLL-78E50000-51DA4B7D.reloc.7z");
WriteLine($"\tBy using relocation data during a memory dump extraction, an exact match may be calculated from disk-code<->memory-code.{ Environment.NewLine}");
WriteLine($"\tuser provided {args.Length + 1} arguments (only specify 3), interpreted as;");
WriteLine($"\tIs64[{(args.Length >= 1 ? args[0] : String.Empty)}] Region[{(args.Length >= 2 ? args[1] : String.Empty)}] TimeDateStamp[{(args.Length >= 3 ? args[2] : String.Empty)}] ...");
return false;
});
return;
}
var Is64 = false;
var time = uint.MinValue;
var Region = string.Empty;
var dt = DateTime.MinValue;
var KnownAsName = string.Empty;
var OrigLoadAddress = ulong.MinValue;
if (!bool.TryParse(args[0], out Is64))
{
WriteLine($"Error parsing a booliean value (True or False) from [{args[0]}], unable to continue.");
return;
}
Region = args[1];
if (string.IsNullOrWhiteSpace(Region) || Region.Contains(Path.GetInvalidFileNameChars().ToString()))
{
WriteLine($"Must provide a value for the DLL/EXE name to search for (region), provided value [{args[1]}], unable to continue.");
return;
}
if (!uint.TryParse(args[2], NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture, out time)
&&
!uint.TryParse(args[2], NumberStyles.HexNumber, CultureInfo.InvariantCulture, out time)
&&
!DateTime.TryParse(args[2], out dt)
)
{
WriteLine($"Error parsing a TimeDateStamp value (numeric (hex allowed) or in text form e.g. (8/18/2010 1:30:30 PM - 1/1/2010 8:00:15 AM = 229.05:30:15) from [{args[2]}], unable to continue.");
return;
}
// if the argument was not a number or string value for date
// maybe it's a filename to use as a reference? ;)??
if (dt == DateTime.MinValue && time == uint.MinValue)
time = PETimeDateStamp(args[2]);
// The FinalFileName is only known after the server responds with additional metadata
var DestName = $"{Region}-?####?-{time:X}.reloc.7z";
WriteLine($"Contacting, dest file [{DestName}]: 64bit:{Is64}, Region(dll):{Region}, TimeDateStamp:{time:X}.");
InterWeb = new Net("http://blockwatch.ioactive.com:8888/");
InterWeb.UserName = "******";
InterWeb.PassWord = "******";
//
// Sending the "Online" packet dosent really matter since the cred's are sent always.
// It's more of an application ping/test that you're good to go.
//
// Aside from the downloaded .reloc file. You will also get the preferred load address
// which can sometimes be missing or altered by due to loader artifacts ? :(
//
var FinalFileName =
await Task.Factory.StartNew(() => InterWeb.Online())
.ContinueWith((isOn) =>
{
Task<byte[]> data = null;
if (isOn.Result)
data = Task.Factory.StartNew(() => InterWeb.NetRelocCheck(Region, time, Is64, ref OrigLoadAddress, ref KnownAsName));
return data;
}).Unwrap().ContinueWith((bytez) =>
{
var FinalName = $"{KnownAsName}-{OrigLoadAddress:X}-{time:X}.reloc.7z";
File.WriteAllBytes(FinalName, bytez.Result);
return FinalName;
});
if (OrigLoadAddress == ulong.MaxValue)
Write("An error reported from server: ");
if (File.Exists(FinalFileName))
WriteLine($"Downloaded to {FinalFileName}, size {new FileInfo(FinalFileName).Length}.");
else
WriteLine("No .reloc available, request an import of the reloc data you need, we will expand the table based on feedback.");
return;
#if FALSE
var LC = new LoginCredsText() { username = InterWeb.UserName, password = InterWeb.PassWord };
WriteLine("test1...");
IChannelFactory<IRequestChannel> factory = new BasicHttpBinding().BuildChannelFactory<IRequestChannel>(new BindingParameterCollection());
factory.Open();
IRequestChannel channel = factory.CreateChannel(new EndpointAddress("http://blockwatch.ioactive.com:8888/Buffer/Text/wsHttp"));
channel.Open();
Message requestmessage = Message.CreateMessage(MessageVersion.Soap11, "http://tempuri.org/IElmerBuffer/Online", LC, new DataContractSerializer(LC.GetType()));
//send message
Message replymessage = channel.Request(requestmessage);
WriteLine("Reply message received");
WriteLine("Reply action: {0}", replymessage.Headers.Action);
string data = replymessage.GetBody<string>();
WriteLine("Reply content: {0}", data);
//Step5: don't forget to close the message
requestmessage.Close();
replymessage.Close();
//don't forget to close the channel
channel.Close();
//don't forget to close the factory
factory.Close();
#endif
}
