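/// <summary>
/// Prints the names of the privileges that are enabled in a process token.
/// </summary>
/// <param name="p">Process whose kernel symbols and primary token are used.</param>
/// <param name="TokenAddress">Token to inspect; 0 selects <c>p.EProc.Token</c>, the process's primary token.</param>
/// <remarks>
/// Lazily populates <c>PrivilegeSet</c> through <see cref="InitFromKernel"/> on first use.
/// Each privilege's <c>Value</c> is used as a bit index into the token's Enabled mask;
/// values outside 0..63 are skipped rather than silently wrapped by the shift operator.
/// </remarks>
public static void Token(DetectedProc p, long TokenAddress = 0)
{
    if (PrivilegeSet == null || PrivilegeSet.Count < 1)
    {
        InitFromKernel(p);
    }

    // 0 means "the process's own primary token".
    long tokenToDump = TokenAddress;
    if (tokenToDump == 0)
    {
        tokenToDump = p.EProc.Token;
    }

    var tok = p.xStructInfo("_TOKEN", tokenToDump);
    // Enabled is read as a 64-bit mask indexed by privilege number.
    var enabled = (long)tok.Privileges.Enabled.Value;

    WxColor(ConsoleColor.Cyan, ConsoleColor.Black, $"{p.ShortName} Enabled Privileges: ");
    foreach (var priv in PrivilegeSet)
    {
        // C# masks a long shift count to 6 bits, so a value outside 0..63 would alias
        // another bit and report a bogus privilege; skip such entries instead.
        if (priv.Value < 0 || priv.Value > 63)
        {
            continue;
        }
        if (((enabled >> priv.Value) & 1) != 0)
        {
            WriteLine($"{priv.Name, 8}");
        }
    }
    Write(Environment.NewLine);
}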
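/// <summary>
/// Walks every page queued for <paramref name="dp"/> (kernel pages included) and yields each regex
/// match together with the virtual address at which it starts.
/// </summary>
/// <param name="re">Pattern to run against each decoded page.</param>
/// <param name="dp">Process whose page tables are walked; its dump bitmap is reset here and then used to match each PFN only once.</param>
/// <param name="MatchAscii">Decode each page as ASCII and match.</param>
/// <param name="MatchUTF16">Decode each page as UTF-16 and match.</param>
/// <param name="MatchUTF8">Decode each page as UTF-8 and match.</param>
/// <returns>Lazy sequence of (virtual address, matched text) pairs.</returns>
/// <remarks>
/// The address is computed from the match's byte offset in the page, not its char index:
/// a UTF-16 char is two bytes and a UTF-8 char may be several, so the earlier
/// <c>FullAddr + m.Index</c> form was only correct for ASCII.
/// </remarks>
public static IEnumerable<Tuple<ulong, string>> SimpleRegex(Regex re, DetectedProc dp, bool MatchAscii = true, bool MatchUTF16 = false, bool MatchUTF8 = false)
{
    byte[] block4k = new byte[PAGE_SIZE];
    byte[] block2MB = new byte[LARGE_PAGE_SIZE];

    dp.MemAccess.ResetDumpBitmap();
    foreach (var entry in dp.PT.FillPageQueue(false, true, true, false))
    {
        // The dump bitmap records PFNs already scanned so a physical page is matched once.
        if (dp.MemAccess.IsDumpedPFN(entry.PTE))
        {
            continue;
        }
        dp.MemAccess.SetDumpedPFN(entry.PTE);

        bool gotData = false;
        byte[] block = entry.PTE.LargePage ? block2MB : block4k;
        dp.MemAccess.GetPageForPhysAddr(entry.PTE, ref block, ref gotData);
        // NOTE(review): a 0 result from IsZeroPage/IsFFFPage is treated as "skip this page",
        // exactly as before; confirm in UnsafeHelp that 0 means all-zero / all-0xFF.
        if (!gotData || UnsafeHelp.IsZeroPage(block) == 0 || UnsafeHelp.IsFFFPage(block) == 0)
        {
            continue;
        }

        ulong pageBase = entry.VA.FullAddr;
        if (MatchAscii)
        {
            foreach (var hit in MatchesIn(re, Encoding.ASCII, block, pageBase))
            {
                yield return hit;
            }
        }
        if (MatchUTF16)
        {
            foreach (var hit in MatchesIn(re, Encoding.Unicode, block, pageBase))
            {
                yield return hit;
            }
        }
        if (MatchUTF8)
        {
            foreach (var hit in MatchesIn(re, Encoding.UTF8, block, pageBase))
            {
                yield return hit;
            }
        }
    }
}

/// <summary>
/// Decodes <paramref name="block"/> with <paramref name="enc"/>, runs <paramref name="re"/> over the
/// text and yields each match with its address: <paramref name="pageBase"/> plus the encoded byte
/// length of the text that precedes the match.
/// </summary>
/// <param name="re">Pattern to match.</param>
/// <param name="enc">Encoding used to decode the page.</param>
/// <param name="block">Raw page bytes.</param>
/// <param name="pageBase">Virtual address of <paramref name="block"/>[0].</param>
/// <returns>Lazy sequence of (virtual address, matched text) pairs.</returns>
private static IEnumerable<Tuple<ulong, string>> MatchesIn(Regex re, Encoding enc, byte[] block, ulong pageBase)
{
    string text = enc.GetString(block, 0, block.Length);
    char[] chars = null; // materialized only when a variable-width encoding needs a prefix byte count
    foreach (Match m in re.Matches(text))
    {
        ulong byteOffset;
        if (enc.IsSingleByte)
        {
            // ASCII: one byte per char.
            byteOffset = (ulong)m.Index;
        }
        else if (enc is UnicodeEncoding)
        {
            // UTF-16: one code unit per char, two bytes each.
            byteOffset = (ulong)m.Index * 2;
        }
        else
        {
            // UTF-8 (or any other multi-byte encoding): count the bytes of the decoded prefix.
            // Bytes that failed to decode were replaced, so this offset is approximate in that case.
            chars = chars ?? text.ToCharArray();
            byteOffset = (ulong)enc.GetByteCount(chars, 0, m.Index);
        }
        yield return Tuple.Create<ulong, string>(pageBase + byteOffset, m.Value);
    }
}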
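/// <summary>
/// Creates a dumper bound to one detected process and an output directory.
/// </summary>
/// <param name="vtero">Owning Vtero instance.</param>
/// <param name="outDir">Directory that dump output is written to.</param>
/// <param name="dp">Process whose memory is dumped.</param>
/// <param name="args">Range selection; only <c>args.Regions</c> is read here.</param>
/// <exception cref="ArgumentNullException"><paramref name="args"/> is null.</exception>
public Dumper(Vtero vtero, string outDir, DetectedProc dp, MemRangeArgs args)
{
    // args.Regions is dereferenced below; fail with the argument's name
    // instead of a NullReferenceException.
    if (args == null)
    {
        throw new ArgumentNullException(nameof(args));
    }

    Vtero = vtero;
    DP = dp;
    OutDir = outDir;
    SelectedRegions = args.Regions;
}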
/// <summary>
/// Rebuilds <c>PrivilegeSet</c> from the kernel's Se*Privilege symbols: each entry records the
/// symbol name, its address and the byte read at that address (consumed as a bit index by <see cref="Token"/>).
/// </summary>
/// <param name="p">Process used to resolve symbols in ntkrnlmp and read kernel memory.</param>
public static void InitFromKernel(DetectedProc p)
{
    // Start from a fresh list; earlier contents are discarded.
    PrivilegeSet = new List<Privilege>();
    foreach (var sym in p.MatchSymbols("Se*Privilege", "ntkrnlmp"))
    {
        long symAddr = (long)sym.Item2;
        PrivilegeSet.Add(new Privilege()
        {
            Name = sym.Item1,
            Address = symAddr,
            Value = p.GetByteValue(symAddr),
        });
    }
}
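/// <summary>
/// Scans the pages queued for <paramref name="dp"/> for a byte pattern and yields the virtual
/// address of each occurrence.
/// </summary>
/// <param name="ToFind">Pattern to look for; null or empty yields nothing.</param>
/// <param name="dp">Process whose page tables are walked.</param>
/// <param name="align">Alignment passed through to <c>SearchBytes</c>.</param>
/// <param name="DoKernel">Also walk kernel pages.</param>
/// <param name="MaxCount">Stop after this many hits; 0 means unlimited (the default, and the only behavior before this parameter was honored).</param>
/// <returns>Lazy sequence of virtual addresses in page-walk order.</returns>
public static IEnumerable<ulong> ByteScan(Byte[] ToFind, DetectedProc dp, int align = 1, bool DoKernel = false, int MaxCount = 0)
{
    // An empty pattern would never advance the cursor (i += 0) and could loop forever.
    if (ToFind == null || ToFind.Length == 0)
    {
        yield break;
    }

    byte[] block4k = new byte[PAGE_SIZE];
    byte[] block2MB = new byte[LARGE_PAGE_SIZE];
    int found = 0;

    foreach (var entry in dp.PT.FillPageQueue(false, DoKernel, true, false))
    {
        bool gotData = false;
        byte[] block = entry.PTE.LargePage ? block2MB : block4k;
        dp.MemAccess.GetPageForPhysAddr(entry.PTE, ref block, ref gotData);
        if (!gotData)
        {
            continue;
        }

        int i = 0;
        int lastStart = block.Length - ToFind.Length;
        while (i <= lastStart)
        {
            i = block.SearchBytes(ToFind, i, align);
            if (i < 0)
            {
                break;
            }
            yield return entry.VA.FullAddr + (uint)i;
            if (MaxCount > 0 && ++found >= MaxCount)
            {
                yield break;
            }
            // Non-overlapping matches: resume just past this hit.
            i += ToFind.Length;
        }
    }
}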
/// <summary>
/// Binds this instance to a process and starts with an empty heap list.
/// </summary>
/// <param name="P">Process whose heaps will be collected.</param>
public Heaps(DetectedProc P)
{
    HEAPS = new List<dynamic>();
    p = P;
}