public DumpServiceWindow(ServiceItem item, MemoryObject serviceMo)
{
InitializeComponent();
this.AddEscapeToClose();
_serviceMo = serviceMo;
this.Text = "Service - " + item.Status.ServiceName;
labelServiceName.Text = item.Status.ServiceName;
labelServiceDisplayName.Text = item.Status.DisplayName;
textServiceType.Text = item.Config.ServiceType.ToString();
if (item.Config.ServiceType == (ServiceType.Win32OwnProcess | ServiceType.InteractiveProcess))
textServiceType.Text = "Win32OwnProcess, InteractiveProcess";
else if (item.Config.ServiceType == (ServiceType.Win32ShareProcess | ServiceType.InteractiveProcess))
textServiceType.Text = "Win32ShareProcess, InteractiveProcess";
textStartType.Text = item.Config.StartType.ToString();
textErrorControl.Text = item.Config.ErrorControl.ToString();
textLoadOrderGroup.Text = item.Config.LoadOrderGroup;
textServiceBinaryPath.Text = item.Config.BinaryPathName;
textUserAccount.Text = item.Config.ServiceStartName;
textServiceDll.Text = item.ServiceDll;
try
{
var dict = Dump.GetDictionary(_serviceMo);
if (dict.ContainsKey("Description"))
textDescription.Text = dict["Description"];
}
catch
{ }
}
public DumpProcessWindow(DumpHackerWindow hw, ProcessItem item, MemoryObject processMo)
{
InitializeComponent();
this.AddEscapeToClose();
_hw = hw;
_item = item;
_processMo = processMo;
if (_item.Pid > 0)
{
this.Text = _item.Name + " (PID " + _item.Pid.ToString() + ")";
}
else
{
this.Text = _item.Name;
}
this.Icon = _item.Icon;
}
public MemoryObject GetChild(string name)
{
MfsCellId cellId;
MfsObjectHeader *obj;
cellId = _obj->ChildFlink;
// Traverse the linked list and find the child with the specified name.
while (true)
{
MfsCellId newCellId;
if (cellId == _cellId)
{
break;
}
obj = _fs.ReferenceObject(cellId);
if (_fs.GetObjectName(obj) == name)
{
MemoryObject mo;
// Create the memory object before dereferencing to avoid re-mapping.
mo = new MemoryObject(_fs, cellId);
_fs.DereferenceObject(cellId);
return(mo);
}
newCellId = obj->Flink;
_fs.DereferenceObject(cellId);
cellId = newCellId;
}
return(null);
}
public MemoryFileSystem(string fileName, MfsOpenMode mode, bool readOnly, MfsParameters createParams)
{
FileCreationDispositionWin32 cdWin32;
if (readOnly && mode != MfsOpenMode.Open)
{
throw new ArgumentException("Invalid mode for read only access.");
}
switch (mode)
{
case MfsOpenMode.Open:
cdWin32 = FileCreationDispositionWin32.OpenExisting;
break;
default:
case MfsOpenMode.OpenIf:
cdWin32 = FileCreationDispositionWin32.OpenAlways;
break;
case MfsOpenMode.OverwriteIf:
cdWin32 = FileCreationDispositionWin32.CreateAlways;
break;
}
using (var fhandle = FileHandle.CreateWin32(
fileName,
FileAccess.GenericRead | (!readOnly ? FileAccess.GenericWrite : 0),
FileShareMode.Read,
cdWin32
))
{
bool justCreated = false;
_readOnly = readOnly;
_protection = !readOnly ? MemoryProtection.ReadWrite : MemoryProtection.ReadOnly;
if (fhandle.GetSize() == 0)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
else
{
// File is too small. Make it 1 byte large and we'll deal with it
// soon.
fhandle.SetEnd(1);
}
}
_section = new Section(fhandle, _protection);
_blockSize = MfsBlockSizeBase; // fake block size to begin with; we'll fix it up later.
if (fhandle.GetSize() < _blockSize)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
else
{
// We're creating a new file system. We need the correct block size
// now.
if (createParams != null)
{
_blockSize = createParams.BlockSize;
}
else
{
_blockSize = MfsDefaultBlockSize;
}
_section.Extend(_blockSize);
using (var view = _section.MapView(0, _blockSize, _protection))
this.InitializeFs((MfsFsHeader *)view.Memory, createParams);
justCreated = true;
}
}
_header = (MfsFsHeader *)this.ReferenceBlock(0);
// Check the magic.
if (_header->Magic != MfsMagic)
{
throw new MfsInvalidFileSystemException();
}
// Set up the local constants.
_blockSize = _header->BlockSize;
_cellSize = _header->CellSize;
// Backwards compatibility.
if (_blockSize == 0)
{
_blockSize = MfsDefaultBlockSize;
}
if (_cellSize == 0)
{
_cellSize = MfsDefaultCellSize;
}
// Validate the parameters.
this.ValidateFsParameters(_blockSize, _cellSize);
_blockMask = _blockSize - 1;
_cellCount = _blockSize / _cellSize;
_dataCellDataMaxLength = _cellSize - MfsDataCell.DataOffset;
// Remap block 0 with the correct block size.
this.DereferenceBlock(0);
// If we just created a new file system, fix the section size.
if (justCreated)
{
_section.Extend(_blockSize);
}
_header = (MfsFsHeader *)this.ReferenceBlock(0);
// Set up the root object.
_rootObject = (MfsObjectHeader *)((byte *)_header + _cellSize);
_rootObjectMo = new MemoryObject(this, _rootObjectCellId, true);
if (_header->NextFreeBlock != 1 && !readOnly)
{
ushort lastBlockId = (ushort)(_header->NextFreeBlock - 1);
this.ReferenceBlock(lastBlockId);
_cachedLastBlockView = _views[lastBlockId];
}
}
}
public MemoryFileSystem(string fileName, MfsOpenMode mode, bool readOnly, MfsParameters createParams)
{
FileCreationDispositionWin32 cdWin32;
if (readOnly && mode != MfsOpenMode.Open)
throw new ArgumentException("Invalid mode for read only access.");
switch (mode)
{
case MfsOpenMode.Open:
cdWin32 = FileCreationDispositionWin32.OpenExisting;
break;
default:
case MfsOpenMode.OpenIf:
cdWin32 = FileCreationDispositionWin32.OpenAlways;
break;
case MfsOpenMode.OverwriteIf:
cdWin32 = FileCreationDispositionWin32.CreateAlways;
break;
}
using (FileHandle fhandle = FileHandle.CreateWin32(
fileName,
FileAccess.GenericRead | (!readOnly ? FileAccess.GenericWrite : 0),
FileShareMode.Read,
cdWin32
))
{
bool justCreated = false;
_readOnly = readOnly;
_protection = !readOnly ? MemoryProtection.ReadWrite : MemoryProtection.ReadOnly;
if (fhandle.FileSize == 0)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
// File is too small. Make it 1 byte large and we'll deal with it soon.
fhandle.SetEnd(1);
}
_section = new Section(fhandle, _protection);
_blockSize = MfsBlockSizeBase; // fake block size to begin with; we'll fix it up later.
if (fhandle.FileSize < _blockSize)
{
if (readOnly)
{
throw new MfsInvalidFileSystemException();
}
// We're creating a new file system. We need the correct block size now.
if (createParams != null)
this._blockSize = createParams.BlockSize;
else
this._blockSize = MfsDefaultBlockSize;
this._section.Extend(this._blockSize);
using (SectionView view = this._section.MapView(0, this._blockSize, this._protection))
{
this.InitializeFs((MfsFsHeader*)view.Memory, createParams);
}
justCreated = true;
}
_header = (MfsFsHeader*)this.ReferenceBlock(0);
// Check the magic.
if (_header->Magic != MfsMagic)
throw new MfsInvalidFileSystemException();
// Set up the local constants.
_blockSize = _header->BlockSize;
_cellSize = _header->CellSize;
// Backwards compatibility.
if (_blockSize == 0)
_blockSize = MfsDefaultBlockSize;
if (_cellSize == 0)
_cellSize = MfsDefaultCellSize;
// Validate the parameters.
this.ValidateFsParameters(_blockSize, _cellSize);
_blockMask = _blockSize - 1;
_cellCount = _blockSize / _cellSize;
_dataCellDataMaxLength = _cellSize - MfsDataCell.DataOffset;
// Remap block 0 with the correct block size.
this.DereferenceBlock(0);
// If we just created a new file system, fix the section size.
if (justCreated)
_section.Extend(_blockSize);
_header = (MfsFsHeader*)this.ReferenceBlock(0);
// Set up the root object.
_rootObjectMo = new MemoryObject(this, _rootObjectCellId, true);
if (_header->NextFreeBlock != 1 && !readOnly)
{
ushort lastBlockId = (ushort)(_header->NextFreeBlock - 1);
this.ReferenceBlock(lastBlockId);
_cachedLastBlockView = _views[lastBlockId];
}
}
}
internal MemoryDataWriteStream(MemoryObject obj, int bufferSize)
{
_obj = obj;
_buffer = new byte[bufferSize];
}
private void LoadService(MemoryObject mo)
{
ServiceItem item = new ServiceItem();
var dict = Dump.GetDictionary(mo);
item.Status.ServiceName = dict["Name"];
item.Status.DisplayName = dict["DisplayName"];
item.Status.ServiceStatusProcess.ControlsAccepted = (ServiceAccept)Dump.ParseInt32(dict["ControlsAccepted"]);
item.Status.ServiceStatusProcess.CurrentState = (ServiceState)Dump.ParseInt32(dict["State"]);
item.Status.ServiceStatusProcess.ProcessID = Dump.ParseInt32(dict["ProcessId"]);
item.Status.ServiceStatusProcess.ServiceFlags = (ServiceFlags)Dump.ParseInt32(dict["Flags"]);
item.Status.ServiceStatusProcess.ServiceType = (ServiceType)Dump.ParseInt32(dict["Type"]);
if (dict.ContainsKey("BinaryPath"))
{
item.Config.BinaryPathName = dict["BinaryPath"];
item.Config.DisplayName = item.Status.DisplayName;
item.Config.ErrorControl = (ServiceErrorControl)Dump.ParseInt32(dict["ErrorControl"]);
item.Config.LoadOrderGroup = dict["Group"];
item.Config.ServiceStartName = dict["UserName"];
item.Config.ServiceType = item.Status.ServiceStatusProcess.ServiceType;
item.Config.StartType = (ServiceStartType)Dump.ParseInt32(dict["StartType"]);
if (dict.ContainsKey("ServiceDll"))
item.ServiceDll = dict["ServiceDll"];
}
_services.Add(item.Status.ServiceName, item);
listServices.AddItem(item);
if (item.Status.ServiceStatusProcess.ProcessID != 0)
{
if (!_processServices.ContainsKey(item.Status.ServiceStatusProcess.ProcessID))
_processServices.Add(item.Status.ServiceStatusProcess.ProcessID, new List<string>());
_processServices[item.Status.ServiceStatusProcess.ProcessID].Add(item.Status.ServiceName);
}
}
private void LoadServices()
{
MemoryObject servicesMo;
servicesMo = _mfs.RootObject.GetChild("Services");
_servicesMo = servicesMo;
if (servicesMo == null)
{
PhUtils.ShowWarning("The dump file does not contain service information. This most likely " +
"means the file is corrupt.");
return;
}
servicesMo.EnumChildren(childMo =>
{
using (childMo)
this.LoadService(childMo);
return true;
});
}
private void LoadProcess(MemoryObject mo)
{
var names = mo.ChildNames;
ProcessItem pitem;
if (!names.Contains("General"))
return;
IDictionary<string, string> generalDict;
using (MemoryObject general = mo.GetChild("General"))
generalDict = Dump.GetDictionary(general);
pitem = new ProcessItem
{
Pid = Dump.ParseInt32(generalDict["ProcessId"]),
Name = generalDict["Name"],
ParentPid = Dump.ParseInt32(generalDict["ParentPid"])
};
if (generalDict.ContainsKey("HasParent"))
pitem.HasParent = Dump.ParseBool(generalDict["HasParent"]);
if (generalDict.ContainsKey("StartTime"))
pitem.CreateTime = Dump.ParseDateTime(generalDict["StartTime"]);
if (generalDict.ContainsKey("SessionId"))
pitem.SessionId = Dump.ParseInt32(generalDict["SessionId"]);
if (generalDict.ContainsKey("FileName"))
pitem.FileName = generalDict["FileName"];
if (generalDict.ContainsKey("FileDescription"))
{
pitem.VersionInfo = new ImageVersionInfo
{
FileDescription = generalDict["FileDescription"],
CompanyName = generalDict["FileCompanyName"],
FileVersion = generalDict["FileVersion"],
FileName = pitem.FileName
};
}
if (generalDict.ContainsKey("CommandLine"))
pitem.CmdLine = generalDict["CommandLine"];
if (generalDict.ContainsKey("IsPosix"))
pitem.IsPosix = Dump.ParseBool(generalDict["IsPosix"]);
if (generalDict.ContainsKey("IsWow64"))
pitem.IsWow64 = Dump.ParseBool(generalDict["IsWow64"]);
if (generalDict.ContainsKey("IsBeingDebugged"))
pitem.IsBeingDebugged = Dump.ParseBool(generalDict["IsBeingDebugged"]);
if (generalDict.ContainsKey("UserName"))
pitem.Username = generalDict["UserName"];
if (generalDict.ContainsKey("ElevationType"))
pitem.ElevationType = (TokenElevationType)Dump.ParseInt32(generalDict["ElevationType"]);
if (generalDict.ContainsKey("CpuUsage"))
pitem.CpuUsage = float.Parse(generalDict["CpuUsage"]);
if (generalDict.ContainsKey("JobName"))
pitem.JobName = generalDict["JobName"];
if (generalDict.ContainsKey("IsInJob"))
pitem.IsInJob = Dump.ParseBool(generalDict["IsInJob"]);
if (generalDict.ContainsKey("IsInSignificantJob"))
pitem.IsInSignificantJob = Dump.ParseBool(generalDict["IsInSignificantJob"]);
if (generalDict.ContainsKey("Integrity"))
pitem.Integrity = generalDict["Integrity"];
if (generalDict.ContainsKey("IntegrityLevel"))
pitem.IntegrityLevel = Dump.ParseInt32(generalDict["IntegrityLevel"]);
if (generalDict.ContainsKey("IsDotNet"))
pitem.IsDotNet = Dump.ParseBool(generalDict["IsDotNet"]);
if (generalDict.ContainsKey("IsPacked"))
pitem.IsPacked = Dump.ParseBool(generalDict["IsPacked"]);
if (generalDict.ContainsKey("VerifyResult"))
pitem.VerifyResult = (VerifyResult)Dump.ParseInt32(generalDict["VerifyResult"]);
if (generalDict.ContainsKey("VerifySignerName"))
pitem.VerifySignerName = generalDict["VerifySignerName"];
if (generalDict.ContainsKey("ImportFunctions"))
pitem.ImportFunctions = Dump.ParseInt32(generalDict["ImportFunctions"]);
if (generalDict.ContainsKey("ImportModules"))
pitem.ImportModules = Dump.ParseInt32(generalDict["ImportModules"]);
if (names.Contains("SmallIcon"))
{
using (var smallIcon = mo.GetChild("SmallIcon"))
pitem.Icon = Dump.GetIcon(smallIcon);
}
if (names.Contains("VmCounters"))
{
using (var vmCounters = mo.GetChild("VmCounters"))
pitem.Process.VirtualMemoryCounters = Dump.GetStruct<VmCountersEx64>(vmCounters).ToVmCountersEx();
}
if (names.Contains("IoCounters"))
{
using (var ioCounters = mo.GetChild("IoCounters"))
pitem.Process.IoCounters = Dump.GetStruct<IoCounters>(ioCounters);
}
_processes.Add(pitem.Pid, pitem);
treeProcesses.AddItem(pitem);
}
private void LoadProcesses()
{
MemoryObject processesMo = this._mfs.RootObject.GetChild("Processes");
_processesMo = processesMo;
if (processesMo == null)
{
PhUtils.ShowWarning("The dump file does not contain process information. This most likely means the file is corrupt.");
return;
}
processesMo.EnumChildren(childMo =>
{
using (childMo)
this.LoadProcess(childMo);
return true;
});
}
private void LoadHandles(MemoryObject mo)
{
var dict = Dump.GetDictionary(mo);
HandleItem item = new HandleItem();
if (!dict.ContainsKey("Handle"))
return;
item.Handle.ProcessId = _item.Pid;
item.Handle.Flags = (HandleFlags)Dump.ParseInt32(dict["Flags"]);
item.Handle.Handle = (short)Dump.ParseInt32(dict["Handle"]);
// Not really needed, just fill it in ignoring 32-bit vs 64-bit
// differences.
item.Handle.Object = (Dump.ParseInt64(dict["Object"]) & 0xffffffff).ToIntPtr();
item.Handle.GrantedAccess = Dump.ParseInt32(dict["GrantedAccess"]);
if (dict.ContainsKey("TypeName"))
{
item.ObjectInfo.TypeName = dict["TypeName"];
item.ObjectInfo.BestName = dict["ObjectName"];
}
if (Settings.Instance.HideHandlesWithNoName)
{
if (string.IsNullOrEmpty(item.ObjectInfo.BestName))
return;
}
listHandles.AddItem(item);
}
private void LoadModule(MemoryObject mo)
{
var dict = Dump.GetDictionary(mo);
ModuleItem item = new ModuleItem();
item.BaseAddress = Dump.ParseUInt64(dict["BaseAddress"]);
item.Size = Dump.ParseInt32(dict["Size"]);
item.Flags = (LdrpDataTableEntryFlags)Dump.ParseInt32(dict["Flags"]);
item.Name = dict["Name"];
item.FileName = dict["FileName"];
if (dict.ContainsKey("FileDescription"))
{
item.FileDescription = dict["FileDescription"];
item.FileCompanyName = dict["FileCompanyName"];
item.FileVersion = dict["FileVersion"];
}
listModules.AddItem(item);
}
public MemoryObject GetChild(string name)
{
MfsCellId cellId;
MfsObjectHeader* obj;
cellId = _obj->ChildFlink;
// Traverse the linked list and find the child with the specified name.
while (true)
{
MfsCellId newCellId;
if (cellId == _cellId)
break;
obj = _fs.ReferenceObject(cellId);
if (_fs.GetObjectName(obj) == name)
{
MemoryObject mo;
// Create the memory object before dereferencing to avoid re-mapping.
mo = new MemoryObject(_fs, cellId);
_fs.DereferenceObject(cellId);
return mo;
}
newCellId = obj->Flink;
_fs.DereferenceObject(cellId);
cellId = newCellId;
}
return null;
}
internal MemoryDataWriteStream(MemoryObject obj, int bufferSize)
{
_obj = obj;
_buffer = new byte[bufferSize];
}