public static InitMem ( String mFile, AMemoryRunDetector Detector, uint BitmapArray = null ) : |
||
mFile | String | |
Detector | AMemoryRunDetector | |
BitmapArray | uint | |
Returns |
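/// <summary>
/// Initial testing/prototype.
/// Detect/download all binaries in all AS: every detected process is handed to
/// <see cref="DumpDetected"/>, either from the flattened group list (no VMCS found,
/// i.e. bare metal) or group by group when hypervisor control structures exist.
/// </summary>
/// <param name="ops">Analysis options; not read by this prototype yet.</param>
/// <param name="vtero">Scan state. <c>MemAccess</c> is (re)bound from <c>MemFile</c>/<c>MRD</c> before any dump.</param>
public void StartAnalyze(AnalyzeOptions ops, Vtero vtero)
{
    // Bind the memory accessor before touching any address space.
    vtero.MemAccess = Mem.InitMem(vtero.MemFile, vtero.MRD);

    if (vtero.VMCSs.Count < 1)
    {
        // Bare metal: no VMCS, so walk the already-flattened group list.
        foreach (var p in vtero.FlattenASGroups)
        {
            DumpDetected(vtero, p);
        }
        // A Parallel.ForEach over vtero.Processes was tried here; kept sequential for now.
    }
    else
    {
        // Hypervisor present: walk each address-space group once.
        // The previous version wrapped this in an extra loop over vtero.VMCSs.Values whose
        // loop variable was never used, so every process was dumped once per VMCS.
        foreach (var grpz in vtero.ASGroups)
        {
            WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
            foreach (var p in grpz.Value)
            {
                DumpDetected(vtero, p);
            }
        }
    }
}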
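/// <summary>
/// Extracts the vetted address spaces of <paramref name="vtero"/>, scans every process in
/// every group for kernel PE modules in the high 48-bit range starting at 0xF80000000000,
/// reports what was found, and finally dumps the address spaces to disk unless
/// <paramref name="dmpo"/>.ListOnly is set.
/// </summary>
/// <param name="vtero">Scan state; supplies Version, MRD, ASGroups, VMCSs and the scan/dump helpers.</param>
/// <param name="co">Config options; only <c>FileName</c> (the memory image) is read here.</param>
/// <param name="dmpo">Dump options; <c>ListOnly</c> suppresses the final <c>DumpASToFile</c>.</param>
public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
{
    var Version = vtero.Version;

    // NOTE(review): the accessor returned by InitMem is discarded here, whereas
    // StartAnalyze assigns it to vtero.MemAccess — confirm InitMem wires itself up
    // as a side effect, otherwise this call has no visible effect on vtero.
    Mem.InitMem(co.FileName, vtero.MRD);

    // Extract Address Spaces verifies the linkages between
    // process<->CR3<->EPTP(if there is one) and that they are functional.
    // The returned collection is not consumed here; the call is kept for its
    // side effects on vtero.
    vtero.ExtrtactAddressSpaces(null, null, Version);

    // Scan for kernel.
    // NT kernel may be in 0xFFFFF80000000 to 0xFFFFF8800000 range; the scan uses the
    // 48-bit (non sign-extended) form of that window.
    long KernVAStart = 0xF80000000000;
    long KernVAEnd = KernVAStart + (0x8000000000 - 0x1000);

    var Detections = new Dictionary<long, Extract>();
    DetectedProc LikelyKernel = null;
    bool Decoded = false;

    // Nested loops brute-force past any errors, but only the first set of detections
    // per group is needed, so each level breaks once Decoded is set.
    // NOTE(review): Decoded is only assigned by the disabled symbol code below, so as
    // written the breaks never fire and every group/VMCS/process is scanned.
    foreach (var grpz in vtero.ASGroups)
    {
        foreach (var vm in vtero.VMCSs.Values)
        {
            WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
            foreach (var p in grpz.Value)
            {
                WriteLine($"Proc: {p.CR3Value:X}");

                // Merge new hits into the running set; an existing entry wins on a key clash.
                // (Previously the whole dictionary was rebuilt via Concat/ToDictionary for
                // every process, which is quadratic in the number of detections.)
                foreach (var hit in vtero.ModuleScan(p, 3, KernVAStart, KernVAEnd))
                {
                    if (!Detections.ContainsKey(hit.Key))
                    {
                        Detections.Add(hit.Key, hit.Value);
                    }
                }

                if (Detections.Count > 0)
                {
                    // NOTE(review): Detections accumulates across processes and groups, so once
                    // anything has been found every later process is tagged as LikelyKernel and
                    // has its vmcs set — confirm that is intended.
                    LikelyKernel = p;
                    p.vmcs = vm.EPTP == 0 ? null : vm;

                    foreach (var detected in Detections)
                    {
                        WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
                        WriteColor(ConsoleColor.Cyan, detected.Value.ToString());

                        if (detected.Value.ToString().Contains("POOLCODE"))
                        {
                            WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");
                            /* Symbol resolution is disabled for now. If it is re-enabled:
                             *  - use HTTPS for the fallback symbol server
                             *    ("SRV*https://msdl.microsoft.com/download/symbols"); the plain-http
                             *    URL below lets an on-path party substitute PDB content that would
                             *    then feed GetKernelDebuggerData;
                             *  - _NT_SYMBOL_PATH is taken from the environment unvalidated.
                             *
                             * var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);
                             * if (cv_data != null)
                             * {
                             *     var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
                             *     if (string.IsNullOrWhiteSpace(sympath))
                             *         sympath = "SRV*http://msdl.microsoft.com/download/symbols";
                             *
                             *     if (Vtero.TryLoadSymbols(cv_data, detected.Key, sympath))
                             *         Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
                             * }
                             */
                        }
                    }
                }

                if (Decoded)
                {
                    break;
                }
            }

            if (Decoded)
            {
                break;
            }
        }

        if (Decoded)
        {
            break;
        }
    }

    ForegroundColor = ConsoleColor.Green;
    WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");

    // Extract & dump could be done at the same time; for now dump afterwards,
    // unless the caller only asked for a listing.
    if (!dmpo.ListOnly)
    {
        vtero.DumpASToFile();
    }
    // vtero.DumpFailList() could be reported here under Vtero.VerboseOutput.
}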