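 /// <summary>
 /// Starts a live investigation of the running system: loads the kernel driver (only once per
 /// session), then switches the model to a <see cref="LiveDataProvider"/> rooted at a "Live Capture"
 /// artifact and runs the initial survey.
 /// </summary>
 /// <returns><c>true</c> when the driver is available and the live capture was set up; <c>false</c> when the
 /// driver failed to load (the user has already been shown a message box).</returns>
 public bool NewLiveInvestigation()
 {
     BigCleanUp();
     if (_driverManager == null)
     {
         try
         {
             DriverManager manager = new DriverManager();
             bool result = manager.LoadDriver();
             AddDebugMessage("Loaded Driver: " + result.ToString());
             if (!result)
             {
                 // _driverManager stays null so the next call retries the load instead of skipping it
                 // and starting a live capture without a driver.
                 // NOTE(review): assumes DriverManager needs no cleanup after a failed LoadDriver — confirm.
                 System.Windows.Forms.MessageBox.Show("Unable to perform live analysis.\nThere was a problem loading the driver", "DriverProblem", MessageBoxButtons.OK, MessageBoxIcon.Error);
                 return(false);
             }
             // Only publish the manager once the driver is actually loaded.
             _driverManager = manager;
         }
         catch (Exception ex)
         {
             System.Windows.MessageBox.Show("Error: Loading Driver. (DataModel:NewLiveInvestigation): " + ex.Message, "Fatal Error", MessageBoxButton.OK, MessageBoxImage.Error);
             return(false);
         }
     }
     _liveCapture                = true;
     MemoryImageFilename         = "Live";
     _dataProvider               = new LiveDataProvider(this);
     UpdateDetails(_rootArtifact = AddArtifact(ArtifactType.Root, "Live Capture", true));
     InitialSurvey();
     return(true);
 }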
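        /// <summary>
        /// Opens a memory image from disk: hashes it, creates (or reuses) a per-image cache folder next to
        /// the file, switches the model to an <see cref="ImageDataProvider"/> and runs the initial survey.
        /// </summary>
        /// <param name="possibleFilename">Path of the image file; ignored when it does not exist.</param>
        /// <returns><c>true</c> when the image was loaded, <c>false</c> when the path is empty or the file does not exist.</returns>
        public bool NewImageInvestigation(string possibleFilename)
        {
            if (string.IsNullOrEmpty(possibleFilename))
            {
                return(false);
            }
            FileInfo fi = new FileInfo(possibleFilename);

            if (!fi.Exists)
            {
                return(false);
            }
            IncrementActiveJobs("Initialising");
            try
            {
                BigCleanUp();
                // The MD5 only ties the cache folder name to the image contents; it is a cache key,
                // not an integrity check of the image.
                _imageMd5      = GetMD5HashFromFile(possibleFilename);
                _cacheLocation = fi.Directory.FullName + "\\[" + fi.Name + "]" + _imageMd5;
                DirectoryInfo di = new DirectoryInfo(_cacheLocation);

                if (!di.Exists)
                {
                    di.Create();
                }

                _liveCapture                = false;
                MemoryImageFilename         = possibleFilename;
                _dataProvider               = new ImageDataProvider(this, _cacheLocation);
                UpdateDetails(_rootArtifact = AddArtifact(ArtifactType.Root, fi.Name, true));
                AddDebugMessage("New Image Loaded: " + possibleFilename);
                UpdateMru(MemoryImageFilename);
            }
            finally
            {
                // Balance IncrementActiveJobs even when hashing or cache creation throws, otherwise
                // the job counter stays incremented for the rest of the session.
                DecrementActiveJobs();
            }
            InitialSurvey();
            return(true);
        }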
        /// <summary>
        /// Applies filter, sort and paging to <paramref name="query"/> and materialises the result.
        /// The pseudo sort expression "AsSetManually" orders items by their position in
        /// <c>selectedItemsIds</c> (matched on the original content id first, then on the id) and pages
        /// the ordered query itself; every other sort expression is delegated to
        /// <see cref="DataProviderBase.SetExpressions"/>, retrying with <c>DefaultSortExpression</c> when
        /// the requested sort member cannot be resolved.
        /// </summary>
        /// <param name="totalCount">Receives the total number of items after filtering.</param>
        /// <returns>The page of items as an array.</returns>
        private dynamic[] SetExpression(IQueryable <IDataItem> query, string filterExpression, string sortExpr, int?itemsToSkip, int?itemsToTake, ref int?totalCount)
        {
            bool manualOrder = string.Equals(sortExpr, "AsSetManually", StringComparison.Ordinal);

            if (!manualOrder)
            {
                try
                {
                    query = DataProviderBase.SetExpressions(query, filterExpression, sortExpr, itemsToSkip, itemsToTake, ref totalCount);
                }
                catch (MemberAccessException)
                {
                    // The sort member does not exist on the item type: remember and use the default sort instead.
                    this.SortExpression = DefaultSortExpression;
                    query = DataProviderBase.SetExpressions(query, filterExpression, this.SortExpression, itemsToSkip, itemsToTake, ref totalCount);
                }

                return(query.ToArray <dynamic>());
            }

            // Manual order: filter only (no sort, no paging) so totalCount reflects the filtered set.
            query = DataProviderBase.SetExpressions(query, filterExpression, string.Empty, null, null, ref totalCount);

            query = query.OfType <ILifecycleDataItemGeneric>()
                    .Select(x => new
            {
                item       = x,
                orderIndex = this.selectedItemsIds.IndexOf(x.OriginalContentId.ToString()) >= 0 ?
                             this.selectedItemsIds.IndexOf(x.OriginalContentId.ToString()) :
                             this.selectedItemsIds.IndexOf(x.Id.ToString())
            })
                    .OrderBy(x => x.orderIndex)
                    .Select(x => x.item);

            bool hasSkip = itemsToSkip.HasValue && itemsToSkip.Value > 0;
            bool hasTake = itemsToTake.HasValue && itemsToTake.Value > 0;

            if (hasSkip)
            {
                query = query.Skip(itemsToSkip.Value);
            }
            if (hasTake)
            {
                query = query.Take(itemsToTake.Value);
            }

            return(query.ToArray <dynamic>());
        }
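        /// <summary>
        /// Reads an <c>_OBJECT_TYPE</c> structure at <paramref name="virtualAddress"/> using the layout from
        /// <paramref name="profile"/> and unpacks its index, name and object/handle counters.
        /// </summary>
        /// <param name="profile">Profile supplying the structure layout and the architecture.</param>
        /// <param name="dataProvider">Source of the memory block.</param>
        /// <param name="virtualAddress">Virtual address of the structure.</param>
        /// <exception cref="ArgumentException">The profile has no <c>_OBJECT_TYPE</c> definition, or the
        /// structure could not be read in full.</exception>
        public ObjectType(Profile profile, DataProviderBase dataProvider, ulong virtualAddress) : base(profile, dataProvider, virtualAddress)
        {
            _is64 = (_profile.Architecture == "AMD64");
            int structureSize = (int)_profile.GetStructureSize("_OBJECT_TYPE");

            if (structureSize == -1)
            {
                throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_TYPE");
            }
            _structure = _profile.GetEntries("_OBJECT_TYPE");
            _buffer    = _dataProvider.ReadMemoryBlock(virtualAddress, (uint)structureSize);
            // ReadMemoryBlock is checked for null elsewhere in the project, and the member reads below
            // index straight into _buffer, so fail here with a clear message rather than with a
            // NullReference/IndexOutOfRange inside the unpacking.
            if (_buffer == null || _buffer.Length < structureSize)
            {
                throw new ArgumentException("Error - Unable to read _OBJECT_TYPE at 0x" + virtualAddress.ToString("X"));
            }
            Structure s = GetStructureMember("Index");

            _index = _buffer[(int)s.Offset];
            s      = GetStructureMember("Name");
            UnicodeString us = new UnicodeString(_profile, _dataProvider, virtualAddress + s.Offset);

            _name = us.Name;
            // NOTE(review): the four counters are read as 8 bytes regardless of _is64; on a 32-bit profile
            // they are presumably pointer-sized (4 bytes) — confirm against the profile's member sizes.
            s     = GetStructureMember("TotalNumberOfObjects");
            _totalNumberOfObjects = BitConverter.ToUInt64(_buffer, (int)s.Offset);
            s = GetStructureMember("TotalNumberOfHandles");
            _totalNumberOfHandles = BitConverter.ToUInt64(_buffer, (int)s.Offset);
            s = GetStructureMember("HighWaterNumberOfHandles");
            _highWaterNumberOfHandles = BitConverter.ToUInt64(_buffer, (int)s.Offset);
            s = GetStructureMember("HighWaterNumberOfObjects");
            _highWaterNumberOfObjects = BitConverter.ToUInt64(_buffer, (int)s.Offset);
        }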
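 /// <summary>
 /// Completes a login: verifies the signed-in user has the Excel add-in capability and only then
 /// publishes the session (URI, cookies, user info, data provider) to <see cref="ModelGlobal"/>.
 /// Any failure is reported back through <c>args.Error</c> rather than thrown.
 /// </summary>
 /// <param name="args">Login result carrying the cookie container and server URI; receives the error text on failure.</param>
 private void LoginDialog_AfterLogin(LoginDialog.AfterLoginEventArgs args)
 {
     using (new LogCall(Log, nameof(LoginDialog_AfterLogin), nameof(LoginDialog_AfterLogin)))
     {
         try
         {
             DataProvider dataProvider = new DataProvider(args.CookieContainer, args.Uri, ModelGlobal.Instance.DeploymentVersion);
             // NOTE(review): .Result blocks synchronously on the async call; fine off the UI thread, but a
             // deadlock risk if this handler ever runs on a synchronization context — confirm the caller.
             UserInfo userInfo = dataProvider.GetUserInfoCall(AddinTypes.Excel).Result;
             if (userInfo.Capabilities.Contains(Capabilities.ExcelAddin))
             {
                 // Session state is published only after the capability check passes.
                 ModelGlobal.Instance.ClientUri = args.Uri;
                 ModelGlobal.Instance.Cookies   = args.CookieContainer;
                 ModelGlobal.Instance.UserInfo  = userInfo;
                 DataProviderBase.Setinstance(dataProvider);
             }
             else
             {
                 // The message has no format placeholder, so the former string.Format call was a no-op.
                 args.Error = "No access to addins";
             }
         }
         catch (Exception e)
         {
             Log.Error(e);
             args.Error = ErrorMessageUtil.Instance.GetErrorMessage(e).Message;
         }
     }
 }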
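        /// <summary>
        /// Builds (or restores from the cache folder) the memory map of a 32-bit PAE process or, when
        /// <paramref name="kernel"/> is set, of the kernel half of the address space.
        /// </summary>
        /// <param name="dataProvider">Source of memory pages; its CacheFolder holds the persisted map.</param>
        /// <param name="processName">Name used for the cache file; it originates from the image under analysis.</param>
        /// <param name="dtb">Directory table base of the process.</param>
        /// <param name="kernel">Map the kernel range (0x80000000-0xffffffff) instead of the user range (0-0x7fffffff).</param>
        public AddressSpacex86Pae(DataProviderBase dataProvider, string processName, UInt64 dtb, bool kernel = false)
        {
            _dataProvider = dataProvider;
            _dtb          = dtb;
            _isKernel     = kernel;
            _processName  = processName;
            _is64         = false;
            // The process name is read out of the image being analysed, i.e. it is untrusted input.
            // Strip path separators and other invalid file-name characters before using it as a cache
            // file name so a crafted name cannot steer the cache read/write outside CacheFolder.
            string cachePath = _dataProvider.CacheFolder + "\\" + SafeCacheFileName(_processName) + "_memorymap.gz";
            // first check to see if it is already cached
            FileInfo cachedFile = new FileInfo(cachePath);

            if (cachedFile.Exists && !_dataProvider.IsLive)
            {
                MemoryMap test = RetrieveMemoryMap(cachedFile);
                if (test != null)
                {
                    _memoryMap = test;
                    return;
                }
            }
            // it isn't cached, so generate a new one
            // NOTE(review): assumes _memoryMap is already instantiated by a field initialiser — confirm.
            _memoryMap.StartAddress  = _isKernel ? 0x80000000 : 0;
            _memoryMap.EndAddress    = _isKernel ? 0xffffffff : 0x7fffffff;
            _memoryMap.MemoryRecords = BuildMemoryMap(_memoryMap.StartAddress, _memoryMap.EndAddress);
            if (!_dataProvider.IsLive)
            {
                PersistMemoryMap(_memoryMap, cachePath);
            }
        }

        /// <summary>
        /// Replaces every character that is not valid in a file name (including directory separators)
        /// with '_'. An empty or null name becomes "_".
        /// </summary>
        private static string SafeCacheFileName(string name)
        {
            if (string.IsNullOrEmpty(name))
            {
                return "_";
            }
            char[] invalid = Path.GetInvalidFileNameChars();
            char[] chars   = name.ToCharArray();
            for (int i = 0; i < chars.Length; i++)
            {
                if (Array.IndexOf(invalid, chars[i]) >= 0)
                {
                    chars[i] = '_';
                }
            }
            return new string(chars);
        }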
        /// <summary>
        /// Looks up the cached <c>ExpressionInfo</c> matching the given provider, mapping schema and
        /// expression by scanning the singly linked chain that starts at <c>_first</c>. A hit that is not
        /// already at the head is moved to the head (most recently used first); the scan gives up after
        /// <c>_cacheSize</c> entries and truncates the chain at that point.
        /// </summary>
        /// <returns>The matching entry, or <c>null</c> when none is found within <c>_cacheSize</c> entries.</returns>
        static ExpressionInfo <T> FindInfo(DataProviderBase dataProvider, MappingSchema mappingSchema, Expression expr)
        {
            ExpressionInfo <T> prev = null;
            var n = 0;

            // NOTE(review): the chain is traversed without holding _sync while the move-to-front below
            // relinks it under the lock, so a concurrent caller may observe a partially relinked chain.
            for (var info = _first; info != null; info = info.Next)
            {
                if (info.Compare(dataProvider, mappingSchema, expr))
                {
                    if (prev != null)
                    {
                        // Unlink the hit and push it to the front so hot entries stay cheap to find.
                        lock (_sync)
                        {
                            prev.Next = info.Next;
                            info.Next = _first;
                            _first    = info;
                        }
                    }

                    return(info);
                }

                if (n++ >= _cacheSize)
                {
                    // Cap the cache: everything beyond _cacheSize entries is cut off the chain
                    // (this write happens outside the lock — see the note above).
                    info.Next = null;
                    return(null);
                }

                prev = info;
            }

            return(null);
        }
        /// <summary>
        /// Wraps <paramref name="entity"/> in a <see cref="DataModel{TEntity}"/> and saves it through
        /// <paramref name="provider"/> inside the given transaction.
        /// </summary>
        /// <param name="entity">The entity to persist.</param>
        /// <param name="provider">The data provider that performs the save.</param>
        /// <param name="transactionContext">The transaction the save participates in.</param>
        /// <returns>The model that wraps <paramref name="entity"/> after the save.</returns>
        public static DataModel <TEntity> Save(TEntity entity, DataProviderBase provider, DbTransaction transactionContext)
        {
            DataModel <TEntity> wrapped = new DataModel <TEntity>(entity);
            provider.SaveModel(wrapped, transactionContext);

            return(wrapped);
        }
        /// <summary>
        /// Wraps <paramref name="entity"/> in a <see cref="DataModel{TEntity}"/> and saves it through
        /// <paramref name="provider"/> without an explicit transaction.
        /// </summary>
        /// <param name="entity">The entity to persist.</param>
        /// <param name="provider">The data provider that performs the save.</param>
        /// <returns>The model that wraps <paramref name="entity"/> after the save.</returns>
        public static DataModel <TEntity> Save(TEntity entity, DataProviderBase provider)
        {
            DataModel <TEntity> wrapped = new DataModel <TEntity>(entity);
            provider.SaveModel(wrapped);

            return(wrapped);
        }
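        /// <summary>
        /// Reads an <c>_OBJECT_HEADER_NAME_INFO</c> structure and decodes its reference count and name.
        /// Pass the virtual address normally; pool scans only have a physical address, in which case
        /// pass <paramref name="virtualAddress"/> = 0 and a valid <paramref name="physicalAddress"/>.
        /// </summary>
        /// <param name="profile">Profile supplying the structure layout and architecture.</param>
        /// <param name="dataProvider">Source of memory; its ActiveAddressSpace translates the virtual address.</param>
        /// <param name="virtualAddress">Virtual address of the structure, or 0 to read by physical address.</param>
        /// <param name="physicalAddress">Physical address used when <paramref name="virtualAddress"/> is 0.</param>
        /// <exception cref="ArgumentException">The profile has no definition for the structure, or it could not be read.</exception>
        public HeaderNameInfo(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
        {
            _physicalAddress = physicalAddress;
            _is64            = (_profile.Architecture == "AMD64");
            // Test the size in a signed local before storing it: if _structureSize is an unsigned field,
            // comparing it with -1 can never be true and the "missing definition" check is dead code.
            long structureSize = _profile.GetStructureSize("_OBJECT_HEADER_NAME_INFO");
            if (structureSize == -1)
            {
                throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_HEADER_NAME_INFO");
            }
            _structureSize = _profile.GetStructureSize("_OBJECT_HEADER_NAME_INFO");
            AddressBase addressSpace = dataProvider.ActiveAddressSpace;

            if (virtualAddress == 0)
            {
                _buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
            }
            else
            {
                _physicalAddress = addressSpace.vtop(_virtualAddress);
                _buffer          = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
            }
            // The member reads below index straight into _buffer; report a failed read explicitly.
            if (_buffer == null)
            {
                throw new ArgumentException("Error - Unable to read _OBJECT_HEADER_NAME_INFO");
            }
            _structure = _profile.GetEntries("_OBJECT_HEADER_NAME_INFO");
            Structure s = GetStructureMember("ReferenceCount");

            _referenceCount = BitConverter.ToUInt32(_buffer, (int)s.Offset);
            s = GetStructureMember("Name");
            if (s.EntryType == "_UNICODE_STRING")
            {
                // The name is read via the physical address so the pool-scan (VA = 0) case works too.
                UnicodeString us = new UnicodeString(_profile, _dataProvider, physicalAddress: _physicalAddress + s.Offset);
                _name = us.Name;
            }
            // TO DO Parse the Directory member of structure
        }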
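        /// <summary>
        /// Parses the DOS, NT, file, optional and section headers of the PE image mapped at
        /// <paramref name="address"/> and locates its debug directory. Parsing is best-effort: any failure
        /// keeps whatever was decoded before it, and <c>_valid</c> only records whether the DOS magic matched.
        /// </summary>
        /// <param name="dataProvider">Source of physical memory pages.</param>
        /// <param name="addressSpace">Address space used to translate virtual addresses (vtop).</param>
        /// <param name="address">Virtual address of the image base.</param>
        public PE(DataProviderBase dataProvider, AddressBase addressSpace, ulong address)
        {
            _dataProvider            = dataProvider;
            _imageBaseVirtualAddress = address;
            _kernelAddressSpace      = addressSpace;
            int marker = 0;

            try
            {
                ulong alignedAddress = _imageBaseVirtualAddress & 0xfffffffff000;
                ulong pAddr          = _kernelAddressSpace.vtop(alignedAddress);
                if (pAddr == 0)
                {
                    throw new ArgumentException("Error mapping virtual address 0x" + alignedAddress.ToString("X08"));
                }
                byte[] buffer = dataProvider.ReadMemory(pAddr, 1);
                if (buffer == null)
                {
                    throw new ArgumentException("Error reading physical address 0x" + pAddr.ToString("X08"));
                }
                // Every offset below (e_lfanew, header sizes, NumberOfSections) comes from the image itself,
                // so each marshal goes through ReadStructureAt, which bounds-checks against the page buffer;
                // UnsafeAddrOfPinnedArrayElement + PtrToStructure do no checking on their own.
                GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
                try
                {
                    _dosHeader = ReadStructureAt <IMAGE_DOS_HEADER>(buffer, marker);

                    _valid  = (_dosHeader.e_magic == 0x5a4d);
                    marker += (int)_dosHeader.e_lfanew;
                    // BitConverter throws for an out-of-range marker, which the catch below absorbs.
                    UInt32 ntHeadersSignature = BitConverter.ToUInt32(buffer, marker);
                    if (ntHeadersSignature != 0x4550)
                    {
                        return;
                    }
                    marker     += 4;
                    _fileHeader = ReadStructureAt <IMAGE_FILE_HEADER>(buffer, marker);
                    marker     += Marshal.SizeOf(_fileHeader);

                    if (Is32BitHeader)
                    {
                        _optionalHeader32 = ReadStructureAt <IMAGE_OPTIONAL_HEADER32>(buffer, marker);
                        marker           += Marshal.SizeOf(_optionalHeader32);
                    }
                    else
                    {
                        _optionalHeader64 = ReadStructureAt <IMAGE_OPTIONAL_HEADER64>(buffer, marker);
                        marker           += Marshal.SizeOf(_optionalHeader64);
                    }
                    _imageSectionHeaders = new IMAGE_SECTION_HEADER[_fileHeader.NumberOfSections];
                    int sectionHeaderSize = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));
                    for (int headerNo = 0; headerNo < _imageSectionHeaders.Length; ++headerNo)
                    {
                        _imageSectionHeaders[headerNo] = ReadStructureAt <IMAGE_SECTION_HEADER>(buffer, marker);
                        marker += sectionHeaderSize;
                    }
                }
                finally
                {
                    // Unpin on every path, including the exceptions that the outer catch swallows.
                    pinnedPacket.Free();
                }

                ulong debugVAddr = Is32BitHeader ? _optionalHeader32.Debug.VirtualAddress + _imageBaseVirtualAddress : _optionalHeader64.Debug.VirtualAddress + _imageBaseVirtualAddress;
                pAddr = _kernelAddressSpace.vtop(debugVAddr, false);
                if (pAddr == 0)
                {
                    // Previously an unmapped debug directory silently read physical page 0.
                    throw new ArgumentException("Error mapping debug directory virtual address 0x" + debugVAddr.ToString("X08"));
                }
                buffer = dataProvider.ReadMemory(pAddr & 0xfffffffff000, 2);
                if (buffer == null)
                {
                    throw new ArgumentException("Error reading physical address 0x" + pAddr.ToString("X08"));
                }
                pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
                try
                {
                    IMAGE_DEBUG_DIRECTORY idd = ReadStructureAt <IMAGE_DEBUG_DIRECTORY>(buffer, (int)(pAddr & 0xfff));
                    _debugSectionOffset = idd.AddressOfRawData + _imageBaseVirtualAddress;
                }
                finally
                {
                    pinnedPacket.Free();
                }
            }
            catch (Exception)
            {
                // Best-effort parse of untrusted memory: keep the headers decoded so far.
            }
        }

        /// <summary>
        /// Marshals a <typeparamref name="T"/> from <paramref name="buffer"/> at <paramref name="offset"/>.
        /// The caller must have pinned <paramref name="buffer"/>.
        /// </summary>
        /// <exception cref="ArgumentException">The structure does not fit in the buffer at that offset.</exception>
        private static T ReadStructureAt <T>(byte[] buffer, int offset) where T : struct
        {
            int size = Marshal.SizeOf(typeof(T));
            if (offset < 0 || offset > buffer.Length - size)
            {
                throw new ArgumentException("Structure " + typeof(T).Name + " at offset 0x" + offset.ToString("X") + " does not fit in a " + buffer.Length + " byte buffer");
            }
            return (T)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, offset), typeof(T));
        }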
        /// <summary>
        /// Adds a new data provider.
        /// </summary>
        /// <remarks>
        /// Registers <paramref name="dataProvider"/> under its unique name (upper-cased), its provider name
        /// and its connection type so it can later be resolved by any of the three.
        /// </remarks>
        /// <include file="Examples1.xml" path='examples/db[@name="AddDataProvider(DataProvider.IDataProvider)"]/*' />
        /// <seealso cref="AddConnectionString(string)"/>
        /// <seealso cref="BLToolkit.Data.DataProvider.DataProviderBase.Name"/>
        /// <param name="dataProvider">An instance of the <see cref="BLToolkit.Data.DataProvider.DataProviderBase"/> interface.</param>
        /// <exception cref="ArgumentNullException"><paramref name="dataProvider"/> is null.</exception>
        /// <exception cref="ArgumentException">The provider has no unique name, no provider name, or a
        /// connection type that does not implement <see cref="IDbConnection"/>.</exception>
        public static void AddDataProvider(DataProviderBase dataProvider)
        {
            if (dataProvider == null)
            {
                throw new ArgumentNullException("dataProvider");
            }

            bool hasUniqueName   = !string.IsNullOrEmpty(dataProvider.UniqueName);
            bool hasProviderName = !string.IsNullOrEmpty(dataProvider.ProviderName);
            Type connectionType  = dataProvider.ConnectionType;
            bool hasConnection   = connectionType != null && typeof(IDbConnection).IsAssignableFrom(connectionType);

            if (!hasUniqueName)
            {
                throw new ArgumentException(Resources.DbManager_InvalidDataProviderName, "dataProvider");
            }
            if (!hasProviderName)
            {
                throw new ArgumentException(Resources.DbManager_InvalidDataProviderProviderName, "dataProvider");
            }
            if (!hasConnection)
            {
                throw new ArgumentException(Resources.DbManager_InvalidDataProviderConnectionType, "dataProvider");
            }

            // All three registries are updated under one lock so a lookup never sees a half-registered provider.
            lock (_dataProviderListLock)
            {
                _dataProviderNameList[dataProvider.UniqueName.ToUpper()] = dataProvider;
                _dataProviderNameList[dataProvider.ProviderName]         = dataProvider;
                _dataProviderTypeList[connectionType]                    = dataProvider;
            }
        }
        /// <summary>
        /// Overlays the <c>_DRIVER_EXTENSION</c> structure at the given address and decodes its
        /// <c>ServiceKeyName</c> member.
        /// </summary>
        /// <param name="profile">Profile supplying the structure layout.</param>
        /// <param name="dataProvider">Source of memory.</param>
        /// <param name="virtualAddress">Virtual address of the structure (passed to the base overlay).</param>
        /// <param name="physicalAddress">Physical address of the structure, kept in <c>_physicalAddress</c>.</param>
        public DriverExtension(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
        {
            _physicalAddress = physicalAddress;
            Overlay("_DRIVER_EXTENSION");

            // ServiceKeyName is handed to UnicodeString as the raw member bytes rather than as an address.
            byte[] serviceKeyNameBytes = Members.ServiceKeyName;
            _serviceKeyName = new UnicodeString(_profile, _dataProvider, serviceKeyNameBytes).Name;
        }
        /// <summary>
        /// Applies filter, sort and paging to <paramref name="query"/> through
        /// <see cref="DataProviderBase.SetExpressions"/>. When the requested sort member cannot be resolved
        /// on <typeparamref name="TItem"/> the query is rebuilt with <c>ListsModel.DefaultSortExpression</c>.
        /// </summary>
        /// <param name="totalCount">Receives the total number of items after filtering.</param>
        /// <returns>The query with the expressions applied.</returns>
        protected override IQueryable <TItem> SetExpression <TItem>(IQueryable <TItem> query, string filterExpression, string sortExpr, int?itemsToSkip, int?itemsToTake, ref int?totalCount)
        {
            string effectiveSort = sortExpr;

            try
            {
                return(DataProviderBase.SetExpressions(query, filterExpression, effectiveSort, itemsToSkip, itemsToTake, ref totalCount));
            }
            catch (MemberAccessException)
            {
                // Requested sort member does not exist on TItem: fall back to the default ordering.
                effectiveSort = ListsModel.DefaultSortExpression;
            }

            return(DataProviderBase.SetExpressions(query, filterExpression, effectiveSort, itemsToSkip, itemsToTake, ref totalCount));
        }
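        /// <summary>
        /// Reads an <c>_OBJECT_HEADER</c> structure and initialises it.
        /// You should normally be using the virtual address, but when you do pool scans you'll only have
        /// a physical address; in that case pass VA = 0 and a valid PA.
        /// </summary>
        /// <param name="profile">Profile supplying the structure layout and architecture.</param>
        /// <param name="dataProvider">Source of memory; its ActiveAddressSpace translates the virtual address.</param>
        /// <param name="virtualAddress">Virtual address of the header, or 0 to read by physical address.</param>
        /// <param name="physicalAddress">Physical address used when <paramref name="virtualAddress"/> is 0.</param>
        /// <exception cref="ArgumentException">Both addresses are zero, the profile has no
        /// <c>_OBJECT_HEADER</c> definition, or the header could not be read.</exception>
        public ObjectHeader(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
        {
            _physicalAddress = physicalAddress;
            if (virtualAddress == 0 && physicalAddress == 0)
            {
                throw new ArgumentException("Error - Offset is ZERO for _OBJECT_HEADER");
            }
            _is64 = (_profile.Architecture == "AMD64");
            // Check the size before the cast: the previous `(uint)size == -1` comparison can never be true
            // (the constant is outside uint's range), so a missing definition was never reported here.
            long structureSize = _profile.GetStructureSize("_OBJECT_HEADER");
            if (structureSize == -1)
            {
                throw new ArgumentException("Error - Profile didn't contain a definition for _OBJECT_HEADER");
            }
            _structureSize = (uint)structureSize;
            AddressBase addressSpace = dataProvider.ActiveAddressSpace;

            if (virtualAddress == 0)
            {
                _buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
            }
            else
            {
                _physicalAddress = addressSpace.vtop(_virtualAddress);
                _buffer          = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
            }
            // Initialise() presumably unpacks members from _buffer; fail loudly on a missed read.
            if (_buffer == null)
            {
                throw new ArgumentException("Error - Unable to read _OBJECT_HEADER");
            }
            Initialise();
        }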
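        /// <summary>
        /// Reads a <c>_DRIVER_EXTENSION</c> structure by virtual address (translated to physical via the
        /// active address space) or, when <paramref name="virtualAddress"/> is 0, directly by physical address.
        /// </summary>
        /// <param name="profile">Profile supplying the structure layout and architecture.</param>
        /// <param name="dataProvider">Source of memory; its ActiveAddressSpace translates the virtual address.</param>
        /// <param name="virtualAddress">Virtual address of the structure, or 0 to read by physical address.</param>
        /// <param name="physicalAddress">Physical address used when <paramref name="virtualAddress"/> is 0.</param>
        /// <exception cref="ArgumentException">The resolved physical address is zero, the profile has no
        /// <c>_DRIVER_EXTENSION</c> definition, or the structure could not be read.</exception>
        public DriverExtension(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
        {
            _physicalAddress = physicalAddress;
            _is64            = (_profile.Architecture == "AMD64");
            AddressBase addressSpace = dataProvider.ActiveAddressSpace;

            if (virtualAddress != 0)
            {
                _physicalAddress = addressSpace.vtop(_virtualAddress);
            }
            if (_physicalAddress == 0)
            {
                throw new ArgumentException("Error - Address is ZERO for _DRIVER_EXTENSION");
            }
            // Check the size before the cast: the previous `(uint)size == -1` comparison can never be true
            // (the constant is outside uint's range), so a missing definition was never reported here.
            long structureSize = _profile.GetStructureSize("_DRIVER_EXTENSION");
            if (structureSize == -1)
            {
                throw new ArgumentException("Error - Profile didn't contain a definition for _DRIVER_EXTENSION");
            }
            _structureSize = (uint)structureSize;
            if (_virtualAddress == 0)
            {
                _buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
            }
            else
            {
                _buffer = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
            }
            if (_buffer == null)
            {
                throw new ArgumentException("Error - Unable to read _DRIVER_EXTENSION");
            }
            _structure = _profile.GetEntries("_DRIVER_EXTENSION");
        }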
        /// <summary>
        /// Sorts the specified list by the model's <c>SortExpression</c>. "AsSetManually" means no
        /// ordering is applied; if the expression cannot be applied the list is sorted by
        /// <c>DefaultSortExpression</c> instead.
        /// </summary>
        /// <param name="list">The list.</param>
        /// <returns>The list with the ordering applied.</returns>
        protected IQueryable <Taxon> Sort(IQueryable <Taxon> list)
        {
            int?totalCount = 1;

            bool   manualOrder = this.SortExpression == "AsSetManually";
            string sortExp     = manualOrder ? string.Empty : this.SortExpression;

            try
            {
                list = DataProviderBase.SetExpressions(query: list,
                                                       filterExpression: null,
                                                       orderExpression: sortExp,
                                                       skip: null,
                                                       take: null,
                                                       totalCount: ref totalCount);
            }
            catch (Exception)
            {
                // Any failure to apply the configured expression falls back to the default ordering.
                list = DataProviderBase.SetExpressions(query: list,
                                                       filterExpression: null,
                                                       orderExpression: DefaultSortExpression,
                                                       skip: null,
                                                       take: null,
                                                       totalCount: ref totalCount);
            }
            return(list);
        }
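 /// <summary>
 /// Decodes an RSDS (CodeView) debug record at <paramref name="offset"/>: signature, PDB GUID, age and
 /// the NUL-terminated PDB file name that follows the fixed header.
 /// </summary>
 /// <param name="dataProvider">Source of the memory containing the record.</param>
 /// <param name="offset">Address of the record; memory is read from its page boundary.</param>
 /// <exception cref="ArgumentException">The record could not be read or decoded; the original failure is the inner exception.</exception>
 public RSDS(DataProviderBase dataProvider, ulong offset)
 {
     try
     {
         ulong  alignedAddress = offset & 0xfffffffff000;
         int    recordOffset   = (int)(offset - alignedAddress);
         byte[] buffer         = dataProvider.ReadMemory(alignedAddress, 2);
         // PtrToStructure does not bounds-check the pinned array; the record position comes from the
         // image, so make sure the header fits before marshalling it.
         if (buffer == null || recordOffset > buffer.Length - Marshal.SizeOf(typeof(RSDS_HEADER)))
         {
             throw new ArgumentException("RSDS header at 0x" + offset.ToString("X") + " is outside the memory read");
         }
         RSDS_HEADER rsds;
         GCHandle    pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
         try
         {
             rsds = (RSDS_HEADER)Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, recordOffset), typeof(RSDS_HEADER));
         }
         finally
         {
             // Unpin even when marshalling throws.
             pinnedPacket.Free();
         }
         _signature = System.Text.Encoding.UTF8.GetString(rsds.Signature);
         _guid      = new Guid(rsds.Guid);
         _age       = rsds.Age;
         // The file name starts 24 bytes into the record (presumably 4 signature + 16 guid + 4 age) and
         // runs to the first NUL. Also stop at the end of the buffer: the name comes from the image and
         // may be unterminated, which previously indexed past the array and surfaced as an exception.
         int marker = 24 + recordOffset;
         while (marker < buffer.Length && marker < 0x2000 && buffer[marker] != 0)
         {
             _filename += (char)buffer[marker];
             marker++;
         }
     }
     catch (Exception ex)
     {
         throw new ArgumentException("Error Creating RSDS: " + ex.Message, ex);
     }
 }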
 /// <summary>
 /// Loads instances of <typeparamref name="TModel"/> matching <paramref name="query"/> without deep
 /// loading (the <c>false</c> passed to the full overload).
 /// </summary>
 /// <typeparam name="TModel">The model type to load.</typeparam>
 /// <param name="query">The query selecting the models.</param>
 /// <param name="provider">The data provider that executes the query.</param>
 /// <param name="transactionContext">The transaction the load participates in.</param>
 /// <returns>The loaded models.</returns>
 public static DataModelCollection <TModel> LoadMany <TModel>(DataModelQuery <TModel> query,
                                                              DataProviderBase provider,
                                                              DbTransaction transactionContext)
     where TModel : DataModel
 {
     const bool deep = false;
     return(LoadMany(query, deep, provider, transactionContext));
 }
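        /// <summary>
        /// Walks a doubly linked <c>LIST_ENTRY</c> chain in both directions (Blink and Flink) starting at
        /// <paramref name="source"/> and returns every distinct entry reached, in breadth-first order.
        /// Entries are de-duplicated by physical address so a circular or corrupted list terminates.
        /// </summary>
        /// <param name="dataProvider">Source of memory used to construct each linked entry.</param>
        /// <param name="source">The entry to start from; a null source yields an empty list.</param>
        /// <returns>All distinct entries reachable from <paramref name="source"/>.</returns>
        protected List <LIST_ENTRY> FindAllLists(DataProviderBase dataProvider, LIST_ENTRY source)
        {
            List <LIST_ENTRY>  results = new List <LIST_ENTRY>();
            HashSet <ulong>    seen    = new HashSet <ulong>();
            Queue <LIST_ENTRY> pending = new Queue <LIST_ENTRY>();

            if (source == null)
            {
                return(results);
            }
            pending.Enqueue(source);
            while (pending.Count > 0)
            {
                LIST_ENTRY item = pending.Dequeue();
                // HashSet.Add reports whether the address is new; the former List.Contains scan was O(n)
                // per entry, which made long lists quadratic.
                if (!seen.Add(item.PhysicalAddress))
                {
                    continue;
                }
                results.Add(item);
                // The original translated each link with vtop and discarded the result; LIST_ENTRY is
                // constructed from the virtual address, so that translation did no observable work.
                if (item.Blink != 0)
                {
                    pending.Enqueue(new LIST_ENTRY(dataProvider, item.Blink));
                }
                if (item.Flink != 0)
                {
                    pending.Enqueue(new LIST_ENTRY(dataProvider, item.Flink));
                }
            }
            return(results);
        }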
 /// <summary>
 /// Method 1 to find the Process List uses the PsActiveProcessHead pointer which is embedded in the kernel image.
 /// This pointer points to a doubly linked list of pointers in a LIST_ENTRY structure which is itself embedded in
 /// each EPROCESS structure in the ActiveProcessLinks member. Thus if you walk the list, you'll step through all
 /// the active EPROCESS structures and thus all the active processes.
 /// </summary>
 /// <prerequisites>
 /// Active Profile
 /// Profile must contain a valid Architecture
 /// Profile must contain a valid KernelBaseAddress
 /// Profile must contain a valid KernelAddressSpace
 /// </prerequisites>
 /// <param name="profile">The active profile; must provide KernelBaseAddress and KernelAddressSpace.</param>
 /// <param name="dataProvider">Source of memory.</param>
 /// <exception cref="ArgumentException">The profile is missing or lacks a kernel base address or kernel address space.</exception>
 public PsList1(Profile profile, DataProviderBase dataProvider) : base(profile, dataProvider)
 {
     // check pre-reqs
     bool prerequisitesMet = _profile != null
                          && _profile.KernelBaseAddress != 0
                          && _profile.KernelAddressSpace != null;
     if (!prerequisitesMet)
     {
         throw new ArgumentException("Missing Prerequisites");
     }
 }
        /// <summary>
        /// Loads an instance of <typeparamref name="TModel"/> matching <paramref name="query"/>, deep
        /// loading to <paramref name="depth"/> levels when a depth is given and to the provider's default
        /// depth otherwise.
        /// </summary>
        /// <typeparam name="TModel">The model type to load.</typeparam>
        /// <param name="query">The query selecting the model.</param>
        /// <param name="depth">Optional deep-load depth.</param>
        /// <param name="provider">The data provider that executes the query.</param>
        /// <param name="transactionContext">The transaction the load participates in.</param>
        /// <returns>The loaded model.</returns>
        public static TModel Load <TModel>(DataModelQuery <TModel> query, int?depth, DataProviderBase provider,
                                           DbTransaction transactionContext) where TModel : DataModel
        {
            if (depth.HasValue)
            {
                return(provider.DeepLoadModel(query, depth, transactionContext));
            }

            return(provider.DeepLoadModel(query, transactionContext));
        }
 /// <summary>
 /// Prepares VAD (virtual address descriptor) enumeration for the process <paramref name="pid"/>.
 /// </summary>
 /// <param name="profile">The active profile; must provide KernelBaseAddress and KernelAddressSpace.</param>
 /// <param name="dataProvider">Source of memory.</param>
 /// <param name="pid">Process id whose VAD tree is to be examined.</param>
 /// <exception cref="ArgumentException">The profile is missing or lacks a kernel base address or kernel address space.</exception>
 public VadInfo(Profile profile, DataProviderBase dataProvider, ulong pid) : base(profile, dataProvider)
 {
     _pid = pid;
     // check pre-reqs
     bool prerequisitesMet = _profile != null
                          && _profile.KernelBaseAddress != 0
                          && _profile.KernelAddressSpace != null;
     if (!prerequisitesMet)
     {
         throw new ArgumentException("Missing Prerequisites");
     }
 }
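        /// <summary>
        /// Overlays the profile's generated <c>liveforensics.SUBSECTION</c> type onto <paramref name="buffer"/>.
        /// </summary>
        /// <param name="profile">Profile providing the structure assembly for <c>_SUBSECTION</c>.</param>
        /// <param name="dataProvider">Source of memory (passed to the base).</param>
        /// <param name="buffer">Raw bytes of the structure; must hold at least one <c>SUBSECTION</c>.</param>
        /// <exception cref="ArgumentException">The generated type is missing or <paramref name="buffer"/> is too short.</exception>
        public Subsection(Profile profile, DataProviderBase dataProvider, byte[] buffer) : base(profile, dataProvider, 0)
        {
            var  dll = _profile.GetStructureAssembly("_SUBSECTION");
            Type t   = dll.GetType("liveforensics.SUBSECTION");
            if (t == null)
            {
                throw new ArgumentException("Error - Structure assembly for _SUBSECTION does not define liveforensics.SUBSECTION");
            }
            // PtrToStructure copies Marshal.SizeOf(t) bytes from the pinned array with no bounds check,
            // so reject short buffers instead of reading past the end of the array.
            int size = Marshal.SizeOf(t);
            if (buffer == null || buffer.Length < size)
            {
                throw new ArgumentException("Error - Buffer is too small for _SUBSECTION (" + size + " bytes needed)");
            }
            GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            try
            {
                _members = Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0), t);
            }
            finally
            {
                // Unpin even when marshalling throws.
                pinnedPacket.Free();
            }
        }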
        /// <summary>
        /// Builds the PFN database record list for an image (not for a live system): restores it from
        /// <c>pfn_database_map.gz</c> in the cache folder when present, otherwise walks the PFN array at
        /// <paramref name="virtualAddress"/> one record per physical page and persists the result.
        /// </summary>
        /// <param name="dataProvider">Source of memory; supplies IsLive, ImageLength and CacheFolder.</param>
        /// <param name="profile">Profile supplying the architecture.</param>
        /// <param name="virtualAddress">Virtual address of the first PFN record.</param>
        public PfnDatabase(DataProviderBase dataProvider, Profile profile, ulong virtualAddress) : base(profile, dataProvider, virtualAddress)
        {
            _is64 = (_profile.Architecture == "AMD64");
            // there's no point if the system is live
            if (_dataProvider.IsLive)
            {
                return;
            }
            // first let's see if it already exists
            FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pfn_database_map.gz");

            // (IsLive is already false here; the second test is redundant but harmless.)
            if (cachedFile.Exists && !dataProvider.IsLive)
            {
                PfnDatabaseMap dbm = RetrievePfnMap(cachedFile);
                if (dbm != null)
                {
                    _pfnDatabaseList = dbm.PfnDatabaseRecords;
                    return;
                }
            }
            // One PFN record per 4 KiB page of the image.
            int pageCount    = (int)(_dataProvider.ImageLength / 0x1000);
            int blockTracker = 25600; // this is how many records are on 300 pages (300 * 0x1000 / 48)

            // Records are read 300 pages at a time; blockTracker is the index of the next record in blockBuffer.
            byte[] blockBuffer = null;
            for (int i = 0; i < pageCount; i++)
            {
                ulong startAddress = virtualAddress + (uint)(i * 0x30); // assuming pfn records are always 48 bytes long!
                if (blockTracker == 25600)
                {
                    blockTracker = 0;
                    blockBuffer  = _dataProvider.ReadMemoryBlock(startAddress, 300 * 0x1000);
                    // A failed block read ends the walk; the records gathered so far are still persisted.
                    if (blockBuffer == null)
                    {
                        break;
                    }
                }
                MMPFN     entry          = new MMPFN(blockBuffer, blockTracker * 48);
                PfnRecord record         = entry.PfnRecord;
                ulong     containingPage = record.U4.PteFrame;
                // Physical location of the PTE: frame number of the page holding it plus the PTE's offset within that page.
                record.PtePhysicalLocation = (containingPage << 12) | record.PteAddress & 0xfff;
                record.PhysicalAddress     = (ulong)(i * 0x1000);
                blockTracker++;
                // Records without a PTE address are not tracked.
                if (record.PteAddress == 0)
                {
                    continue;
                }
                // NOTE(review): assumes _pfnDatabaseList is instantiated by a field initialiser — confirm.
                _pfnDatabaseList.Add(record);
            }
            PfnDatabaseMap map = new PfnDatabaseMap();

            map.PfnDatabaseRecords = _pfnDatabaseList;
            if (!dataProvider.IsLive)
            {
                PersistPfnMap(map, _dataProvider.CacheFolder + "\\pfn_database_map.gz");
            }
        }
 /// <summary>
 /// Validates the profile and records the process id and handle-table address for later use.
 /// </summary>
 /// <param name="profile">Kernel profile; must have a non-zero kernel base address and a kernel address space.</param>
 /// <param name="dataProvider">Memory source, handed to the base class.</param>
 /// <param name="pid">Process id the handle table belongs to.</param>
 /// <param name="handleTableAddress">Virtual address of the process's handle table; only stored here.</param>
 /// <exception cref="ArgumentException">Thrown when the profile is null or lacks the kernel base address / address space.</exception>
 public Handles(Profile profile, DataProviderBase dataProvider, ulong pid, ulong handleTableAddress) : base(profile, dataProvider)
 {
     // check pre-reqs: _profile is populated by the base constructor.
     bool prerequisitesMet = _profile != null;
     prerequisitesMet = prerequisitesMet && _profile.KernelBaseAddress != 0;
     prerequisitesMet = prerequisitesMet && _profile.KernelAddressSpace != null;
     if (!prerequisitesMet)
     {
         throw new ArgumentException("Missing Prerequisites");
     }
     _handleTableAddress = handleTableAddress;
     _pid                = pid;
 }
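 /// <summary>
 /// Reads a <c>_UNICODE_STRING</c> header from the target's memory and, when its buffer
 /// pointer translates to a physical page, the string's characters.
 /// </summary>
 /// <remarks>
 /// Only the single page that holds the first character is read, so a string that runs off
 /// the end of that page leaves <c>_name</c> null. Remember to set
 /// <c>dataProvider.ActiveAddressSpace</c> before calling: it performs every virtual-to-physical
 /// translation here. Any failure is written to the debugger and swallowed, leaving the object
 /// partially initialised (fields set up to the point of failure, <c>_name</c> null).
 /// </remarks>
 /// <param name="profile">Profile supplying the _UNICODE_STRING layout.</param>
 /// <param name="dataProvider">Memory source.</param>
 /// <param name="virtualAddress">Virtual address of the structure; 0 means read it from <paramref name="physicalAddress"/> instead.</param>
 /// <param name="physicalAddress">Physical address of the structure, used only when <paramref name="virtualAddress"/> is 0.</param>
 public UnicodeString(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
 {
     try
     {
         _physicalAddress = physicalAddress;
         _is64            = (_profile.Architecture == "AMD64");
         _addressSpace    = dataProvider.ActiveAddressSpace;
         _structureSize   = (int)_profile.GetStructureSize("_UNICODE_STRING");
         if (_structureSize == -1)
         {
             // The message used to name _OBJECT_TYPE, which is not the structure looked up here.
             throw new ArgumentException("Error - Profile didn't contain a definition for _UNICODE_STRING");
         }
         if (virtualAddress == 0)
         {
             _buffer = _dataProvider.ReadPhysicalMemory(_physicalAddress, (uint)_structureSize);
         }
         else
         {
             _physicalAddress = _addressSpace.vtop(_virtualAddress);
             _buffer          = _dataProvider.ReadMemoryBlock(_virtualAddress, (uint)_structureSize);
         }
         if (_buffer == null)
         {
             throw new ArgumentException("Invalid Address: " + virtualAddress.ToString("X08"));
         }
         _structure = _profile.GetEntries("_UNICODE_STRING");
         Structure s = GetStructureMember("Length");
         _length = BitConverter.ToUInt16(_buffer, (int)s.Offset);
         s       = GetStructureMember("MaximumLength");
         _maximumLength = BitConverter.ToUInt16(_buffer, (int)s.Offset);
         s = GetStructureMember("Buffer");
         // Keep the low 48 bits on x64 (presumably stripping sign-extended kernel pointer bits) and 32 on x86.
         if (_is64)
         {
             _pointerBuffer = BitConverter.ToUInt64(_buffer, (int)s.Offset) & 0xffffffffffff;
         }
         else
         {
             _pointerBuffer = BitConverter.ToUInt32(_buffer, (int)s.Offset) & 0xffffffff;
         }
         ulong pAddress = _addressSpace.vtop(_pointerBuffer);
         if (pAddress != 0)
         {
             // Read the page holding the first character. Length and Buffer were read from
             // target memory, so bound the decode by what was actually read rather than trusting them;
             // a string crossing the page boundary simply leaves _name unset.
             byte[] nameBuffer = _dataProvider.ReadMemory(pAddress & 0xfffffffff000, 1);
             int    start      = (int)(pAddress & 0xfff);
             if (nameBuffer != null && start + (int)_length <= nameBuffer.Length)
             {
                 _name = Encoding.Unicode.GetString(nameBuffer, start, (int)_length);
             }
         }
     }
     catch (Exception ex)
     {
         // Best-effort by design: callers get an object with _name == null rather than an exception.
         Debug.WriteLine("Unicode error: " + ex.Message);
     }
 }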
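        /// <summary>
        /// Marshals a raw <c>_MMVAD_SHORT</c> byte image into the profile-generated
        /// <c>liveforensics.MMVAD_SHORT</c> type and caches its two flag words.
        /// </summary>
        /// <param name="profile">Profile that supplies the structure assembly.</param>
        /// <param name="dataProvider">Memory source; passed through to the base class.</param>
        /// <param name="buffer">Raw bytes read from the target's memory; must be at least as long as the structure.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="buffer"/> is null.</exception>
        /// <exception cref="ArgumentException">Thrown when the structure type cannot be resolved or the buffer is shorter than it.</exception>
        public MmVadShort(Profile profile, DataProviderBase dataProvider, byte[] buffer) : base(profile, dataProvider, 0, 0)
        {
            if (buffer == null)
            {
                throw new ArgumentNullException("buffer");
            }
            var  dll = _profile.GetStructureAssembly("_MMVAD_SHORT");
            Type t   = dll.GetType("liveforensics.MMVAD_SHORT");
            if (t == null)
            {
                throw new ArgumentException("Profile assembly does not define liveforensics.MMVAD_SHORT");
            }
            // The bytes come from the target's memory, so their length cannot be trusted.
            // PtrToStructure copies sizeof(t) bytes with no bounds check; a short buffer would
            // read past the end of the managed array.
            int needed = Marshal.SizeOf(t);
            if (buffer.Length < needed)
            {
                throw new ArgumentException("Buffer too small for _MMVAD_SHORT: " + buffer.Length + " < " + needed, "buffer");
            }
            GCHandle pinned = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            try
            {
                _members = Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0), t);
            }
            finally
            {
                // Always unpin, even when marshalling throws.
                pinned.Free();
            }
            // u / u1 are the VAD flag words; Members presumably exposes _members dynamically (declared elsewhere).
            _flags  = Members.u;
            _flags1 = Members.u1;
        }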
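        /// <summary>
        /// Loads instances of <typeparamref name="TModel"/> through the given provider.
        /// </summary>
        /// <typeparam name="TModel">Model type to load; must derive from <see cref="DataModel"/>.</typeparam>
        /// <param name="query">Query selecting the models to load.</param>
        /// <param name="depth">Load depth; when null the provider's overload without a depth is used.</param>
        /// <param name="provider">Provider that performs the load. Must not be null.</param>
        /// <param name="transactionContext">Transaction the load runs in; passed through unchanged (presumably may be null — the provider decides).</param>
        /// <returns>The collection returned by the provider's <c>DeepLoadModels</c> call.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="provider"/> is null.</exception>
        public static DataModelCollection<TModel> LoadMany<TModel>(DataModelQuery<TModel> query, int? depth,
                                                                     DataProviderBase provider,
                                                                     DbTransaction transactionContext)
            where TModel : DataModel
        {
            // Fail with a named argument instead of a NullReferenceException from the call below.
            if (provider == null)
                throw new ArgumentNullException("provider");

            if (depth.HasValue)
                return provider.DeepLoadModels(query, depth, transactionContext);

            return provider.DeepLoadModels(query, transactionContext);
        }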
        /// <summary>
        /// Wraps a driver object at the given address and, when the profile knows the object
        /// header size, the <c>ObjectHeader</c> that precedes it in memory.
        /// </summary>
        /// <param name="profile">Profile supplying structure layouts.</param>
        /// <param name="dataProvider">Memory source.</param>
        /// <param name="virtualAddress">Virtual address of the object; the header is located relative to it.</param>
        /// <param name="physicalAddress">Physical address of the object; only stored.</param>
        public DriverObject(Profile profile, DataProviderBase dataProvider, ulong virtualAddress = 0, ulong physicalAddress = 0) : base(profile, dataProvider, virtualAddress)
        {
            _physicalAddress = physicalAddress;
            Initialise();

            // A profile-only ObjectHeader is used purely to ask for the header size; -1 means the profile lacks the layout.
            long headerSize = new ObjectHeader(_profile).Size;
            if (headerSize == -1)
            {
                return;
            }

            // NOTE(review): with virtualAddress left at its default of 0 this subtraction wraps
            // (unchecked ulong arithmetic); confirm callers always pass a real virtual address.
            ulong headerAddress = _virtualAddress - (uint)headerSize;
            _header = new ObjectHeader(_profile, _dataProvider, headerAddress);
        }
		/// <summary>
		/// Adds a new data provider with a specified name.
		/// </summary>
		/// <remarks>
		/// The method can be used to register a new data provider for further use. The provider is
		/// indexed both by its upper-cased name and by its connection type; registering the same
		/// name or connection type again silently replaces the earlier entry.
		/// </remarks>
		/// <include file="Examples1.xml" path='examples/db[@name="AddDataProvider(DataProvider.IDataProvider)"]/*' />
		/// <seealso cref="AddConnectionString(string)"/>
		/// <seealso cref="BLToolkit.Data.DataProvider.DataProviderBase.Name"/>
		/// <param name="providerName">The data provider name.</param>
		/// <param name="dataProvider">An instance of the <see cref="BLToolkit.Data.DataProvider.DataProviderBase"/> interface.</param>
		/// <exception cref="ArgumentNullException"><paramref name="dataProvider"/> is null.</exception>
		/// <exception cref="ArgumentException"><paramref name="providerName"/> is null or empty, or the provider's <c>ConnectionType</c> is not an <see cref="IDbConnection"/>.</exception>
		public static void AddDataProvider(string providerName, DataProviderBase dataProvider)
		{
			if (dataProvider == null)
				throw new ArgumentNullException("dataProvider");

			if (string.IsNullOrEmpty(providerName))
				throw new ArgumentException(Resources.DbManager_InvalidProviderName, "providerName");

			Type connectionType = dataProvider.ConnectionType;
			bool isDbConnection = connectionType != null && typeof(IDbConnection).IsAssignableFrom(connectionType);

			if (!isDbConnection)
				throw new ArgumentException(Resources.DbManager_InvalidDataProviderConnectionType, "dataProvider");

			// NOTE(review): ToUpper() is culture-sensitive; GetDataProvider upper-cases the lookup
			// the same way, so both must stay in step if this is ever changed to an invariant fold.
			string key = providerName.ToUpper();

			lock (_dataProviderListLock)
			{
				_dataProviderNameList[key]            = dataProvider;
				_dataProviderTypeList[connectionType] = dataProvider;
			}
		}
		/// <summary>
		/// Resolves the <see cref="DataProviderBase"/> for a configuration string, caching the answer in
		/// <c>_configurationList</c> and remembering the very first resolution as a fast path.
		/// </summary>
		/// <param name="configurationString">
		/// Either a connection-string name from the application configuration (whose <c>providerName</c>
		/// attribute then selects the provider) or a "provider.configuration" style string; the comment
		/// block inside the method lists the accepted shapes.
		/// </param>
		/// <returns>The matching provider; never null.</returns>
		/// <exception cref="ArgumentNullException"><paramref name="configurationString"/> is null.</exception>
		/// <exception cref="DataException">No registered provider matches.</exception>
		/// <remarks>
		/// Side effect to be aware of: for <c>System.Data.SqlClient</c> connection strings this method
		/// opens a real connection to the server, using the credentials from configuration, purely to
		/// read its version, and swallows any exception that raises. Resolving a provider can therefore
		/// block on the network and fail silently into the name-based fallback.
		/// </remarks>
		public static DataProviderBase GetDataProvider(string configurationString)
		{
			if (configurationString == null) throw new ArgumentNullException("configurationString");

			// "Any provider" prefix: let the first provider that accepts the string handle it.
			if (configurationString.StartsWith(AnyProvider))
				return FindFirstSuitableProvider(configurationString);

			// Fast path for the configuration resolved first (recorded at the bottom of this method).
			if (configurationString == _firstConfiguration)
				return _firstProvider;

			// Cache lookup; presumably a Hashtable, so a miss yields null rather than throwing.
			var dp = (DataProviderBase)_configurationList[configurationString];

			if (dp == null)
			{
				var css = ConfigurationManager.ConnectionStrings[configurationString];

				if (css != null && !string.IsNullOrEmpty(css.ProviderName))
				{
					string provider = null;

					if (css.ProviderName == "System.Data.SqlClient")
					{
						// Probe the server to pick the MSSQL provider matching its major version.
						// This opens a network connection as a side effect of resolving a provider.
						try
						{
							using (SqlConnection sqlConnection = new SqlConnection(css.ConnectionString))
							{
								sqlConnection.Open();

								// The part before the first '.' is the major version number.
								string serverVersion = sqlConnection.ServerVersion;
								string[] serverVersionDetails = serverVersion.Split(new string[] {"."},
																					StringSplitOptions.None);

								int versionNumber = int.Parse(serverVersionDetails[0]);

								switch (versionNumber)
								{
									case  8: provider = "MSSQL2000"; break;
									case  9: provider = "MSSQL2005"; break; // MSSQL 2005 -> could be treated the same as 2008
									case 10: provider = "MSSQL2008"; break;
									case 11: provider = "MSSQL2012"; break;
									default: provider = "MSSQL2008"; break; // newer or unknown servers fall back to the 2008 provider
								}
							}
						}
						catch (Exception)
						{} // Deliberate best effort: unreachable server, bad credentials or an unparsable version fall through to the name heuristic below.
					}

					if (provider == null)
					{
						// This hack should be redone.
						// Guess the SQL Server flavour from a year embedded in the configuration name;
						// non-SqlClient providers are looked up by their providerName as-is.
						//
						provider = css.ProviderName == "System.Data.SqlClient" ?
							configurationString.IndexOf("2012") >= 0 ? "MSSQL2012" :
							configurationString.IndexOf("2008") >= 0 ? "MSSQL2008" :
							configurationString.IndexOf("2000") >= 0 ? "MSSQL2000" :
								css.ProviderName :
								css.ProviderName;
					}

					dp = _dataProviderNameList[provider];
				}
				else
				{
					// No configured connection string: parse the provider name out of the string itself.
					// configurationString can be:
					// ''        : default provider,   default configuration;
					// '.'       : default provider,   default configuration;
					// 'foo.bar' :   'foo' provider,     'bar' configuration;
					// 'foo.'    :   'foo' provider,   default configuration;
					// 'foo'     : default provider,     'foo' configuration or
					//             foo     provider,   default configuration;
					// '.foo'    : default provider,     'foo' configuration;
					// '.foo.bar': default provider, 'foo.bar' configuration;
					//
					// Default provider is SqlDataProvider
					//
					// ToUpper() matches the culture-sensitive fold used when providers are registered.
					var cs  = configurationString.ToUpper();
					var key = _defaultDataProviderName;

					if (cs.Length > 0)
					{
						// Append the divider so "FOO" matches the key "FOO" but "FOOBAR" does not.
						cs += ProviderNameDivider;

						foreach (var k in _dataProviderNameList.Keys)
						{
							if (cs.StartsWith(k + ProviderNameDivider))
							{
								key = k;
								break;
							}
						}
					}

					dp = _dataProviderNameList[key];
				}

				if (dp == null)
					throw new DataException(string.Format(
						Resources.DbManager_UnknownDataProvider, configurationString));

				// NOTE(review): written outside any lock; concurrent first-time resolutions race here.
				_configurationList[configurationString] = dp;
			}

			// Double-checked capture of the first resolution for the fast path at the top.
			if (_firstConfiguration == null)
			{
				lock (_configurationList.SyncRoot)
				{
					if (_firstConfiguration == null)
					{
						_firstConfiguration = configurationString;
						_firstProvider      = dp;
					}
				}
			}

			return dp;
		}
		/// <summary>
		/// Resolves the <see cref="DataProviderBase"/> for a configuration string, caching the answer in
		/// <c>_configurationList</c> and remembering the very first resolution as a fast path.
		/// </summary>
		/// <param name="configurationString">
		/// Either a connection-string name from the application configuration (whose <c>providerName</c>
		/// attribute then selects the provider) or a "provider.configuration" style string; the comment
		/// block inside the method lists the accepted shapes.
		/// </param>
		/// <returns>The matching provider; never null.</returns>
		/// <exception cref="ArgumentNullException"><paramref name="configurationString"/> is null.</exception>
		/// <exception cref="DataException">No registered provider matches.</exception>
		public static DataProviderBase GetDataProvider(string configurationString)
		{
			if (configurationString == null) throw new ArgumentNullException("configurationString");

			// "Any provider" prefix: let the first provider that accepts the string handle it.
			if (configurationString.StartsWith(AnyProvider))
				return FindFirstSuitableProvider(configurationString);

			// Fast path for the configuration resolved first (recorded at the bottom of this method).
			if (configurationString == _firstConfiguration)
				return _firstProvider;

			// Cache lookup; presumably a Hashtable, so a miss yields null rather than throwing.
			var dp = (DataProviderBase)_configurationList[configurationString];

			if (dp == null)
			{
				var css = ConfigurationManager.ConnectionStrings[configurationString];

				if (css != null && !string.IsNullOrEmpty(css.ProviderName))
				{
					// This hack should be redone.
					// For SqlClient the SQL Server flavour is guessed from a year embedded in the
					// configuration name; any other providerName is looked up as-is.
					//
					var provider = css.ProviderName == "System.Data.SqlClient" ?
						configurationString.IndexOf("2008") >= 0 ? "MSSQL2008" :
						configurationString.IndexOf("2000") >= 0 ? "MSSQL2000" :
							css.ProviderName :
						css.ProviderName;

					dp = _dataProviderNameList[provider];
				}
				else
				{
					// No configured connection string: parse the provider name out of the string itself.
					// configurationString can be:
					// ''        : default provider,   default configuration;
					// '.'       : default provider,   default configuration;
					// 'foo.bar' :   'foo' provider,     'bar' configuration;
					// 'foo.'    :   'foo' provider,   default configuration;
					// 'foo'     : default provider,     'foo' configuration or
					//             foo     provider,   default configuration;
					// '.foo'    : default provider,     'foo' configuration;
					// '.foo.bar': default provider, 'foo.bar' configuration;
					//
					// Default provider is SqlDataProvider
					//
					// ToUpper() matches the culture-sensitive fold used when providers are registered.
					var cs  = configurationString.ToUpper();
					var key = _defaultDataProviderName;

					if (cs.Length > 0)
					{
						// Append the divider so "FOO" matches the key "FOO" but "FOOBAR" does not.
						cs += ProviderNameDivider;

						foreach (var k in _dataProviderNameList.Keys)
						{
							if (cs.StartsWith(k + ProviderNameDivider))
							{
								key = k;
								break;
							}
						}
					}

					dp = _dataProviderNameList[key];
				}

				if (dp == null)
					throw new DataException(string.Format(
						Resources.DbManager_UnknownDataProvider, configurationString));

				// NOTE(review): written outside any lock; concurrent first-time resolutions race here.
				_configurationList[configurationString] = dp;
			}

			// Double-checked capture of the first resolution for the fast path at the top.
			if (_firstConfiguration == null)
			{
				lock (_configurationList.SyncRoot)
				{
					if (_firstConfiguration == null)
					{
						_firstConfiguration = configurationString;
						_firstProvider      = dp;
					}
				}
			}

			return dp;
		}
		/// <summary>
		/// Adds a new data provider with a specified name.
		/// </summary>
		/// <remarks>
		/// The method can be used to register a new data provider for further use. The name is
		/// stamped onto the provider as its <c>UniqueName</c> and registration is then delegated to
		/// the single-argument overload.
		/// </remarks>
		/// <include file="Examples1.xml" path='examples/db[@name="AddDataProvider(DataProvider.IDataProvider)"]/*' />
		/// <seealso cref="AddConnectionString(string)"/>
		/// <seealso cref="BLToolkit.Data.DataProvider.DataProviderBase.Name"/>
		/// <param name="providerName">The data provider name.</param>
		/// <param name="dataProvider">An instance of the <see cref="BLToolkit.Data.DataProvider.DataProviderBase"/> interface.</param>
		/// <exception cref="ArgumentNullException"><paramref name="dataProvider"/> is null.</exception>
		/// <exception cref="ArgumentException"><paramref name="providerName"/> is null or empty.</exception>
		public static void AddDataProvider(string providerName, DataProviderBase dataProvider)
		{
			if (dataProvider == null)
			{
				throw new ArgumentNullException("dataProvider");
			}

			if (string.IsNullOrEmpty(providerName))
			{
				throw new ArgumentException(Resources.DbManager_InvalidDataProviderName, "providerName");
			}

			// The name becomes the provider's identity; the overload below does the actual bookkeeping.
			dataProvider.UniqueName = providerName;
			AddDataProvider(dataProvider);
		}
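		/// <summary>
		/// Resolves the <see cref="DataProviderBase"/> for a configuration string, caching the answer in
		/// <c>_configurationList</c> and remembering the very first resolution as a fast path.
		/// </summary>
		/// <param name="configurationString">
		/// Either a connection-string name from the application configuration (whose <c>providerName</c>
		/// attribute then selects the provider) or a "provider.configuration" style string; the comment
		/// block inside the method lists the accepted shapes.
		/// </param>
		/// <returns>The matching provider; never null.</returns>
		/// <exception cref="ArgumentNullException"><paramref name="configurationString"/> is null.</exception>
		/// <exception cref="DataException">No registered provider matches.</exception>
		private static DataProviderBase GetDataProvider(string configurationString)
		{
			// Validate before the fast-path comparison: until the first resolution both
			// _firstConfiguration and _firstProvider are null, so a null argument used to match the
			// fast path and silently return null instead of throwing.
			if (configurationString == null) throw new ArgumentNullException("configurationString");

			// Fast path for the configuration resolved first (recorded at the bottom of this method).
			if (configurationString == _firstConfiguration)
				return _firstProvider;

			// Cache lookup; presumably a Hashtable, so a miss yields null rather than throwing.
			DataProviderBase dp = (DataProviderBase)_configurationList[configurationString];

			if (dp == null)
			{
				ConnectionStringSettings css = ConfigurationManager.ConnectionStrings[configurationString];

				if (css != null && !string.IsNullOrEmpty(css.ProviderName))
				{
					// A configured connection string names its provider directly.
					dp = _dataProviderNameList[css.ProviderName];
				}
				else
				{
					// No configured connection string: parse the provider name out of the string itself.
					// configurationString can be:
					// ''        : default provider,   default configuration;
					// '.'       : default provider,   default configuration;
					// 'foo.bar' :   'foo' provider,     'bar' configuration;
					// 'foo.'    :   'foo' provider,   default configuration;
					// 'foo'     : default provider,     'foo' configuration or
					//             foo     provider,   default configuration;
					// '.foo'    : default provider,     'foo' configuration;
					// '.foo.bar': default provider, 'foo.bar' configuration;
					//
					// Default provider is SqlDataProvider
					//
					// ToUpper() matches the culture-sensitive fold used when providers are registered.
					string cs  = configurationString.ToUpper();
					string key = "SQL";

					if (cs.Length > 0)
					{
						// Append the divider so "FOO" matches the key "FOO" but "FOOBAR" does not.
						cs += ProviderNameDivider;

						foreach (string k in _dataProviderNameList.Keys)
						{
							if (cs.StartsWith(k + ProviderNameDivider))
							{
								key = k;
								break;
							}
						}
					}

					dp = _dataProviderNameList[key];
				}

				if (dp == null)
					throw new DataException(string.Format(
						Resources.DbManager_UnknownDataProvider, configurationString));

				// NOTE(review): written outside any lock; concurrent first-time resolutions race here.
				_configurationList[configurationString] = dp;
			}

			// Double-checked capture of the first resolution for the fast path at the top.
			if (_firstConfiguration == null)
			{
				lock (_configurationList.SyncRoot)
				{
					if (_firstConfiguration == null)
					{
						_firstConfiguration = configurationString;
						_firstProvider      = dp;
					}
				}
			}

			return dp;
		}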