|
public GetKernelDebuggerData ( |
||
| dp | ||
| ext | Extract | |
| cv_data | ||
| SymbolCache | string | |
| 리턴 | bool | |
public static void DumpDetected(Vtero vtero, DetectedProc p, long VAStart = 0, long VAEnd = 0xffffffff0000)
{
var mods = vtero.ModuleScan(p, VAStart, VAEnd);
// BUGBUG: TODO: Refactor the threadlocal stuff seems were re-entrant unsafe :(
//Parallel.ForEach(mods, (detected) =>
//{
foreach (var detected in mods)
{
var cv_data = vtero.ExtractCVDebug(p, detected.Value, detected.Key);
if (cv_data != null)
{
var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
if (string.IsNullOrWhiteSpace(sympath))
{
sympath = "SRV*http://msdl.microsoft.com/download/symbols";
}
if (vtero.TryLoadSymbols(p, detected.Value, cv_data, detected.Key, sympath))
{
vtero.GetKernelDebuggerData(p, detected.Value, cv_data, sympath);
}
}
}
//});
}
public static void DumpIt(Vtero vtero, ConfigOptions co, DumpOptions dmpo)
{
var Version = vtero.Version;
Mem.InitMem(co.FileName, vtero.MRD);
// Extract Address Spaces verifies the linkages between
// process<->CR3<->EPTP(if there is one)
// and that they are functional
var vetted = vtero.ExtrtactAddressSpaces(null, null, Version);
// leaving this in as an example maybe? ;)
//WriteLine("enter a group ID: ");
//input = ReadLine();
//int Grp = int.Parse(input);
//WriteLine("enter a process ID: ");
//input = ReadLine();
//long procID = long.Parse(input, NumberStyles.HexNumber);
//var proc = (from procz in vtero.ASGroups[Grp]
// where procz.CR3Value == procID
// select procz).First();
//int i = 1;
//DetectedProc dp = proc;
//while(dp == null)
// dp = vtero.GetKernelRangeFromGroup(i++);
// Scan for kernel
// NT kernel may be in 0xFFFFF80000000 to 0xFFFFF8800000 range
long KernVAStart = 0xF80000000000;
long KernVAEnd = KernVAStart + (0x8000000000 - 0x1000);
string input = string.Empty;
var Detections = new Dictionary <long, Extract>();
DetectedProc LikelyKernel = null;
bool Decoded = false;
// were doing this in nested loops to brute force our way past any errors
// but only need the first set of detections per group
foreach (var grpz in vtero.ASGroups)
{
foreach (var vm in vtero.VMCSs.Values)
{
WriteColor(ConsoleColor.White, $"Group ID: {grpz.Key}");
foreach (var p in grpz.Value)
{
WriteLine($"Proc: {p.CR3Value:X}");
Detections = Detections.Concat(
vtero.ModuleScan(p, KernVAStart, KernVAEnd).Where(x => !Detections.ContainsKey(x.Key)))
.ToDictionary(x => x.Key, x => x.Value);
if (Detections.Count() > 0)
{
LikelyKernel = p;
if (vm.EPTP == 0)
{
p.vmcs = null;
}
else
{
p.vmcs = vm;
}
// scan for kernel
foreach (var detected in Detections)
{
WriteColor(ConsoleColor.Green, $"Attempting to parse detected PE module loaded @ {detected.Key:X}");
WriteColor(ConsoleColor.Cyan, detected.Value.ToString());
if (detected.Value.ToString().Contains("POOLCODE"))
{
WriteColor(ConsoleColor.White, "Likely Kernel analyzing for CV data");
var cv_data = vtero.ExtractCVDebug(LikelyKernel, detected.Value, detected.Key);
if (cv_data != null)
{
var sympath = Environment.GetEnvironmentVariable("_NT_SYMBOL_PATH");
if (string.IsNullOrWhiteSpace(sympath))
{
sympath = "SRV*http://msdl.microsoft.com/download/symbols";
}
if (vtero.TryLoadSymbols(LikelyKernel, detected.Value, cv_data, detected.Key, sympath))
{
Decoded = vtero.GetKernelDebuggerData(LikelyKernel, detected.Value, cv_data, sympath);
}
}
}
}
}
if (Decoded)
{
break;
}
}
if (Decoded)
{
break;
}
}
if (Decoded)
{
break;
}
}
ForegroundColor = ConsoleColor.Green;
WriteLine($"{Environment.NewLine}Final analysis completed, address spaces extracted. {QuickOptions.Timer.Elapsed} {QuickOptions.FormatRate(vtero.FileSize * 3, QuickOptions.Timer.Elapsed)}");
// do a test dump
// extract & dump could be done at the same time
if (!dmpo.ListOnly)
{
vtero.DumpASToFile();
}
//if (Vtero.VerboseOutput)
//vtero.DumpFailList();
return;
}