public IntPtr EvaluatePointer(IntPtr address, IEnumerable <Int32> offsets)
{
IntPtr finalAddress = address;
if (!offsets.IsNullOrEmpty())
{
// Add and trace offsets
foreach (Int32 offset in offsets.Take(offsets.Count() - 1))
{
Boolean success;
if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
{
finalAddress = (this.Read <UInt32>(finalAddress + offset, out success).ToInt64()).ToIntPtr();
}
else
{
finalAddress = (this.Read <UInt64>(finalAddress, out success).ToInt64() + offset).ToIntPtr();
}
}
// The last offset is added, but not traced
finalAddress = finalAddress.Add(offsets.Last());
}
return(finalAddress);
}
/// <summary>
/// Determines if a process is 32 bit
/// </summary>
/// <param name="process">The process to check</param>
/// <returns>Returns true if the process is 32 bit, otherwise false</returns>
public Boolean IsProcess32Bit(NormalizedProcess process)
{
Boolean isWow64;
// First do the simple check if seeing if the OS is 32 bit, in which case the process wont be 64 bit
if (EngineCore.GetInstance().OperatingSystemAdapter.IsOperatingSystem32Bit())
{
return(true);
}
// No process provided, assume 32 bit
if (process == null)
{
return(true);
}
try
{
if (this.SystemProcess == null || !Native.NativeMethods.IsWow64Process(this.SystemProcess.Handle, out isWow64))
{
// Error, assume 32 bit
return(true);
}
}
catch
{
// Error, assume 32 bit
return(true);
}
return(isWow64);
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr();
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from modules in the selected process.
/// </summary>
/// <returns>The created snapshot.</returns>
private Snapshot CreateSnapshotFromModules()
{
IEnumerable <ReadGroup> moduleGroups = EngineCore.GetInstance().VirtualMemory.GetModules().Select(region => new ReadGroup(region.BaseAddress, region.RegionSize));
Snapshot moduleSnapshot = new Snapshot(null, moduleGroups);
return(moduleSnapshot);
}
/// <summary>
/// Loads the instructions to display.
/// </summary>
private void LoadInstructions()
{
Byte[] bytes = EngineCore.GetInstance().VirtualMemory.ReadBytes(this.BaseAddress.ToIntPtr(), 200, out _);
if (bytes.IsNullOrEmpty())
{
return;
}
Boolean isProcess32Bit = EngineCore.GetInstance().Processes.IsOpenedProcess32Bit();
// Disassemble instructions
IEnumerable <NormalizedInstruction> disassembledInstructions = this.Disassembler.Disassemble(bytes, isProcess32Bit, this.BaseAddress.ToIntPtr());
IList <InstructionItem> instructions = new List <InstructionItem>();
foreach (NormalizedInstruction disassembledInstruction in disassembledInstructions)
{
String moduleName;
UInt64 address = AddressResolver.GetInstance().AddressToModule(disassembledInstruction.Address, out moduleName);
instructions.Add(new InstructionItem(address.ToIntPtr(), moduleName, disassembledInstruction.Instruction, disassembledInstruction.Bytes));
}
this.Instructions = new FullyObservableCollection <InstructionItem>(instructions);
}
/// <summary>
/// Processes all pages, computing checksums to determine chunks of virtual pages that have changed.
/// </summary>
private void ProcessPages()
{
Boolean isOpenedProcess32Bit = EngineCore.GetInstance().Processes.IsOpenedProcess32Bit();
dynamic invalidPointerMin = isOpenedProcess32Bit ? (UInt32)UInt16.MaxValue : (UInt64)UInt16.MaxValue;
dynamic invalidPointerMax = isOpenedProcess32Bit ? Int32.MaxValue : Int64.MaxValue;
ConcurrentHashSet <IntPtr> foundPointers = new ConcurrentHashSet <IntPtr>();
// Add static bases
List <SnapshotRegion> baseRegions = new List <SnapshotRegion>();
foreach (NormalizedModule normalizedModule in EngineCore.GetInstance().OperatingSystemAdapter.GetModules())
{
baseRegions.Add(new SnapshotRegion(normalizedModule.BaseAddress, normalizedModule.RegionSize));
}
((dynamic)this.PrefilteredSnapshot).AddSnapshotRegions(baseRegions);
lock (this.RegionLock)
{
List <SnapshotRegion> pointerRegions = new List <SnapshotRegion>();
foreach (IntPtr pointer in PointerCollector.GetInstance().GetFoundPointers())
{
pointerRegions.Add(new SnapshotRegion(pointer.Subtract(ShallowPointerPrefilter.PointerRadius), ShallowPointerPrefilter.PointerRadius * 2));
}
((dynamic)this.PrefilteredSnapshot).AddSnapshotRegions(pointerRegions);
this.processedCount = Math.Max(this.processedCount, this.PrefilteredSnapshot.GetRegionCount());
}
}
/// <summary>
/// Resolves the address of an address, pointer, or managed object.
/// </summary>
/// <returns>The base address of this object.</returns>
protected override IntPtr ResolveAddress()
{
IntPtr pointer = AddressResolver.GetInstance().ResolveModule(this.ModuleName);
Boolean successReading = true;
pointer = pointer.Add(this.ModuleOffset);
if (this.PointerOffsets == null || this.PointerOffsets.Count() == 0)
{
return(pointer);
}
foreach (Int32 offset in this.PointerOffsets)
{
if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit())
{
pointer = EngineCore.GetInstance().VirtualMemory.Read <Int32>(pointer, out successReading).ToIntPtr();
}
else
{
pointer = EngineCore.GetInstance().VirtualMemory.Read <Int64>(pointer, out successReading).ToIntPtr();
}
if (pointer == IntPtr.Zero || !successReading)
{
pointer = IntPtr.Zero;
break;
}
pointer = pointer.Add(offset);
}
return(pointer);
}
/// <summary>
/// Update event for this project item. Resolves addresses and values.
/// </summary>
/// <returns>True if update was made, otherwise false.</returns>
public override Boolean Update()
{
this.CalculatedAddress = this.ResolveAddress();
if (this.IsActivated)
{
// Freeze current value if this entry is activated
Object value = this.AddressValue;
if (value != null && value.GetType() == this.DataType)
{
this.WriteValue(value);
}
}
else
{
// Otherwise we read as normal (bypass value setter and set value directly to avoid a write-back to memory)
Boolean readSuccess;
Object oldValue = addressValue;
this.addressValue = EngineCore.GetInstance()?.VirtualMemory?.Read(this.DataType, this.CalculatedAddress, out readSuccess);
if (this.AddressValue?.ToString() != oldValue?.ToString())
{
this.RaisePropertyChanged(nameof(this.AddressValue));
return(true);
}
}
return(false);
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
public Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress;
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region (a more condensed representation of the information)
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(memoryRegions));
}
private IntPtr ResolvePointer(Tuple <IntPtr, List <Int32> > fullPointer)
{
IntPtr pointer = fullPointer.Item1;
List <Int32> offsets = fullPointer.Item2;
if (offsets == null || offsets.Count == 0)
{
return(pointer);
}
Boolean successReading = true;
foreach (Int32 offset in offsets)
{
pointer = EngineCore.GetInstance().OperatingSystemAdapter.Read <IntPtr>(pointer, out successReading);
pointer = pointer.Add(offset);
if (!successReading)
{
break;
}
}
return(pointer);
}
/// <summary>
/// Injects instructions at the specified location, overwriting following instructions. This will nop-fill.
/// </summary>
/// <param name="address">The injection address.</param>
/// <param name="assembly">The assembly code to disassemble and inject into the code cave.</param>
/// <returns>The address of the code cave.</returns>
public UInt64 InjectCode(UInt64 address, String assembly)
{
this.PrintDebugTag();
assembly = this.ResolveKeywords(assembly);
Int32 assemblySize = this.GetAssemblySize(assembly, address);
Byte[] originalBytes = this.CollectOriginalBytes(address, assemblySize);
if (originalBytes == null)
{
throw new Exception("Could not gather original bytes");
}
// Determine number of no-ops to fill dangling bytes
String noOps = (originalBytes.Length - assemblySize > 0 ? "db " : String.Empty) + String.Join(" ", Enumerable.Repeat("0x90,", originalBytes.Length - assemblySize)).TrimEnd(',');
Byte[] injectionBytes = this.GetAssemblyBytes(assembly + "\n" + noOps, address);
EngineCore.GetInstance().VirtualMemory.WriteBytes(address.ToIntPtr(), injectionBytes);
CodeCave codeCave = new CodeCave(address, 0, originalBytes);
this.CodeCaves.Add(codeCave);
return(address);
}
/// <summary>
/// Update event for this project item. Resolves addresses and values.
/// </summary>
public override void Update()
{
this.CalculatedAddress = this.ResolveAddress();
// Freeze current value if this entry is activated
if (this.IsActivated)
{
Object value = this.AddressValue;
if (value != null && value.GetType() == this.DataType)
{
this.WriteValue(value);
}
}
else
{
Object previousValue = this.AddressValue;
// Otherwise we read as normal (bypass assigning setter and set value directly to avoid a write-back to memory)
this.addressValue = EngineCore.GetInstance()?.VirtualMemory?.Read(this.DataType, this.CalculatedAddress, out _);
if (!(this.AddressValue?.Equals(previousValue) ?? false))
{
this.RaisePropertyChanged(nameof(this.AddressValue));
this.RaisePropertyChanged(nameof(this.DisplayValue));
}
}
}
/// <summary>
/// Reads the value at the given address.
/// </summary>
/// <typeparam name="T">The data type to read.</typeparam>
/// <param name="address">The address of the read.</param>
/// <returns>The value read from memory.</returns>
public T Read <T>(UInt64 address)
{
this.PrintDebugTag(address.ToString("x"));
Boolean readSuccess;
return(EngineCore.GetInstance().OperatingSystemAdapter.Read <T>(address.ToIntPtr(), out readSuccess));
}
public void OnDeserialized(StreamingContext streamingContext)
{
this.LastActivated = DateTime.MinValue;
this.ActivationDelay = KeyboardHotkey.DefaultActivationDelay;
this.AccessLock = new object();
this.Subscription = EngineCore.GetInstance().Input?.GetKeyboardCapture().WeakSubscribe(this);
}
/// <summary>
/// Reads the value at the given address.
/// </summary>
/// <typeparam name="T">The data type to read.</typeparam>
/// <param name="address">The address of the read.</param>
/// <returns>The value read from memory.</returns>
public T Read <T>(UInt64 address)
{
this.PrintDebugTag(address.ToString("x"));
Boolean readSuccess;
return(EngineCore.GetInstance().VirtualMemory.Read <T>(address.ToIntPtr(), out readSuccess));
}
private void CleanUp()
{
this.Snapshot = null;
EngineCore.GetInstance().Input?.GetKeyboardCapture().Unsubscribe(this);
EngineCore.GetInstance().Input?.GetControllerCapture().Unsubscribe(this);
EngineCore.GetInstance().Input?.GetMouseCapture().Unsubscribe(this);
}
/// <summary>
/// Reads the array of bytes of the specified count at the given address.
/// </summary>
/// <param name="address">The address of the read.</param>
/// <param name="count">The number of bytes to read.</param>
/// <returns>The bytes read at the address.</returns>
public Byte[] Read(UInt64 address, Int32 count)
{
this.PrintDebugTag(address.ToString("x"), count.ToString());
Boolean readSuccess;
return(EngineCore.GetInstance().VirtualMemory.ReadBytes(address.ToIntPtr(), count, out readSuccess));
}
public UInt64 EvaluatePointer(UInt64 address, IEnumerable <Int32> offsets)
{
this.PrintDebugTag();
UInt64 finalAddress = EngineCore.GetInstance().VirtualMemory.EvaluatePointer(address.ToIntPtr(), offsets).ToUInt64();
return(finalAddress);
}
/// <summary>
/// Searches for the first address that matches the array of bytes.
/// </summary>
/// <param name="bytes">The array of bytes to search for.</param>
/// <returns>The address of the first first array of byte match.</returns>
public UInt64 SearchAob(Byte[] bytes)
{
this.PrintDebugTag();
UInt64 address = EngineCore.GetInstance().OperatingSystemAdapter.SearchAob(bytes).ToUInt64();
return(address);
}
/// <summary>
/// Searches for the first address that matches the array of bytes.
/// </summary>
/// <param name="bytes">The array of bytes to search for.</param>
/// <returns>The address of the first first array of byte match.</returns>
public UInt64 SearchAob(Byte[] bytes)
{
this.PrintDebugTag();
UInt64 address = EngineCore.GetInstance().VirtualMemory.SearchAob(bytes).ToUInt64();
return(address);
}
/// <summary>
/// Searches for all addresses that match the given array of byte pattern.
/// </summary>
/// <param name="pattern">The array of bytes to search for.</param>
/// <returns>The addresses of all matches.</returns>
public UInt64[] SearchAllAob(String pattern)
{
this.PrintDebugTag(pattern);
List <IntPtr> aobResults = new List <IntPtr>(EngineCore.GetInstance().VirtualMemory.SearchllAob(pattern));
List <UInt64> convertedAobs = new List <UInt64>();
aobResults.ForEach(x => convertedAobs.Add(x.ToUInt64()));
return(convertedAobs.ToArray());
}
/// <summary>
/// Writes a value to the computed address of this item.
/// </summary>
/// <param name="newValue">The value to write.</param>
private void WriteValue(dynamic newValue)
{
if (newValue == null)
{
return;
}
EngineCore.GetInstance()?.OperatingSystemAdapter?.Write(this.ElementType, this.EffectiveAddress, newValue);
}
/// <summary>
/// Writes a value to the computed address of this item.
/// </summary>
/// <param name="newValue">The value to write.</param>
protected virtual void WriteValue(Object newValue)
{
if (newValue == null)
{
return;
}
EngineCore.GetInstance()?.VirtualMemory?.Write(this.DataType, this.CalculatedAddress, newValue);
}
public void Update(NormalizedProcess process)
{
if (process != null)
{
this.BaseAddress = EngineCore.GetInstance().VirtualMemory.GetModules().FirstOrDefault()?.BaseAddress.ToUInt64() ?? 0UL;
this.LoadInstructions();
}
}
/// <summary>
/// Prevents a default instance of the <see cref="ChunkLinkedListPrefilter" /> class from being created.
/// </summary>
private ChunkLinkedListPrefilter() : base("Prefilter", isRepeated: true, trackProgress: true)
{
this.ChunkList = new LinkedList <RegionProperties>();
this.ChunkLock = new Object();
this.ElementLock = new Object();
// Subscribe to process events (async call as to avoid locking on GetInstance() if engine is being constructed)
Task.Run(() => { EngineCore.GetInstance().Processes.Subscribe(this); });
}
/// <summary>
/// Initializes a new instance of the <see cref="KeyboardHotkey" /> class.
/// </summary>
/// <param name="callBackFunction">The callback function for this hotkey.</param>
/// <param name="activationKeys">Initial activation keys.</param>
public KeyboardHotkey(Action callBackFunction = null, params Key[] activationKeys) : base(callBackFunction)
{
this.ActivationKeys = new HashSet <Key>(activationKeys);
this.LastActivated = DateTime.MinValue;
this.ActivationDelay = KeyboardHotkey.DefaultActivationDelay;
this.AccessLock = new object();
this.Subscription = EngineCore.GetInstance().Input?.GetKeyboardCapture().WeakSubscribe(this);
}
/// <summary>
/// Makes the target process selection.
/// </summary>
/// <param name="process">The process being selected.</param>
private void SelectProcess(NormalizedProcess process)
{
if (process == null)
{
return;
}
EngineCore.GetInstance().Processes.OpenProcess(process);
this.IsVisible = false;
}
/// <summary>
/// Determines if the opened process is 32 bit
/// </summary>
/// <returns>Returns true if the opened process is 32 bit, otherwise false</returns>
public Boolean IsOpenedProcess32Bit()
{
// First do the simple check if seeing if the OS is 32 bit, in which case the process wont be 64 bit
if (EngineCore.GetInstance().OperatingSystemAdapter.IsOperatingSystem32Bit())
{
return(true);
}
return(EngineCore.GetInstance().OperatingSystemAdapter.IsProcess32Bit(this.OpenedProcess));
}
/// <summary>
/// Allocates memory in the target process, and returns the address of the new memory.
/// </summary>
/// <param name="size">The size of the allocation.</param>
/// <returns>The address of the allocated memory.</returns>
public UInt64 Allocate(Int32 size)
{
this.PrintDebugTag();
UInt64 address = EngineCore.GetInstance().OperatingSystemAdapter.AllocateMemory(size).ToUInt64();
this.RemoteAllocations.Add(address);
return(address);
}
/// <summary>
/// Allocates memory in the target process, and returns the address of the new memory.
/// </summary>
/// <param name="size">The size of the allocation.</param>
/// <param name="allocAddress">The rough address of where the allocation should take place.</param>
/// <returns>The address of the allocated memory.</returns>
public UInt64 Allocate(Int32 size, UInt64 allocAddress)
{
this.PrintDebugTag();
UInt64 address = EngineCore.GetInstance().VirtualMemory.AllocateMemory(size, allocAddress.ToIntPtr()).ToUInt64();
this.RemoteAllocations.Add(address);
return(address);
}
