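/// <summary>
/// Finds the kernel Directory Table Base (DTB) when it is not already known.
/// </summary>
/// <remarks>
/// The image is scanned for the process name "Idle" (NUL padded so that only the exact
/// name matches, not names that merely start with it). Each hit is treated as the
/// <c>ImageFileName</c> field of an <c>_EPROCESS</c>; the structure is accepted when its
/// DTB lies inside the image and both PID and parent PID are 0. The accepted DTB is stored
/// in <c>_kernelDtb</c> and recorded as "Directory Table Base" in the info dictionary.
/// </remarks>
/// <returns>
/// The physical address of the accepted <c>_EPROCESS</c>, or 0 when the DTB was already
/// known (e.g. from a live image) or no candidate was accepted.
/// </returns>
public ulong FindKernelDtbBody()
{
    // Already populated (for example from the live image): nothing to scan for.
    if (_kernelDtb != 0)
    {
        return 0;
    }

    ulong filenameOffset = _profile.GetOffset("_EPROCESS", "ImageFileName");
    StringSearch search = new StringSearch(_dataProvider);
    search.AddNeedle("Idle\x00\x00\x00\x00\x00\x00\x00");

    foreach (var answer in search.Scan())
    {
        List<ulong> hitList;
        try
        {
            hitList = answer.First().Value;
        }
        catch (Exception)
        {
            // An answer with no entries has nothing to examine; keep scanning.
            continue;
        }

        foreach (ulong hit in hitList)
        {
            // The hit is the ImageFileName field, so the structure starts filenameOffset
            // bytes earlier. A hit closer to the start of the image than that cannot be a
            // valid _EPROCESS; skipping it also avoids an unsigned wrap-around in the
            // subtraction (the scan results come from untrusted image contents).
            if (hit < filenameOffset)
            {
                continue;
            }

            ulong physicalAddress = TryAcceptIdleProcess(hit - filenameOffset);
            if (physicalAddress != 0)
            {
                return physicalAddress;
            }
        }
    }

    return 0;
}

/// <summary>
/// Parses a candidate <c>_EPROCESS</c> at <paramref name="eprocessAddress"/> and, when it
/// passes the Idle-process checks, stores its DTB in <c>_kernelDtb</c>, records it in the
/// info dictionary and returns the structure's physical address.
/// </summary>
/// <param name="eprocessAddress">Physical address of the candidate <c>_EPROCESS</c>.</param>
/// <returns>The candidate's physical address, or 0 when it was rejected or unreadable.</returns>
private ulong TryAcceptIdleProcess(ulong eprocessAddress)
{
    try
    {
        EProcess ep = new EProcess(_profile, _dataProvider, 0, eprocessAddress);
        // Kept from the original: Members is evaluated before the other properties.
        // NOTE(review): presumably this forces the structure to be parsed — confirm.
        dynamic members = ep.Members;

        // Validate before touching _kernelDtb, so a rejected or half-read candidate
        // never leaves a bogus DTB behind (the original assigned first and reset on
        // rejection, but not when a later property read threw).
        ulong dtb = ep.DTB;
        if (dtb == 0 || dtb > _dataProvider.ImageLength)
        {
            return 0;
        }
        if (ep.Pid != 0 || ep.Ppid != 0)
        {
            return 0;
        }

        _kernelDtb = dtb;
        AddToInfoDictionary("Directory Table Base", new InfoHelper
        {
            Type = InfoHelperType.InfoDictionary,
            Title = "Directory Table Base",
            Name = "0x" + dtb.ToString("X08") + " (" + dtb.ToString() + ")",
        });
        return (ulong)ep.PhysicalAddress;
    }
    catch (Exception)
    {
        // Reading beyond the image or a malformed structure: reject this candidate.
        return 0;
    }
}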
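/// <summary>
/// Locates the kernel image base and records the kernel build strings ("Build String"
/// from NtBuildLab and, best effort, "Build String Ex" from NtBuildLabEx) in the info
/// dictionary.
/// </summary>
/// <param name="kernelAddress">
/// Optional kernel address space to use for translations; when null the current
/// <c>_kernelAddressSpace</c> is kept.
/// </param>
/// <remarks>
/// When <c>_kernelBaseAddress</c> is already known (the live info grab sets it) only the
/// build strings are read. Otherwise the image is scanned for section names found in the
/// kernel image ("INITKDBG", "MISYSPTE", "PAGEKD"); each hit is translated to a virtual
/// address and the pages at and below it are walked backwards until an "MZ" header whose
/// RSDS debug record passes <c>IsValidKernel</c> is found. Everything is best effort:
/// nothing is thrown and on failure the fields are simply left unset.
/// </remarks>
public void FindKernelImageBody(AddressBase kernelAddress = null)
{
    if (kernelAddress != null)
    {
        _kernelAddressSpace = kernelAddress;
    }

    try
    {
        uint buildLabOffset = (uint)_profile.GetConstant("NtBuildLab");

        // Already known (the live info grab will have got it): just read the build strings.
        if (_kernelBaseAddress != 0)
        {
            RecordKernelBuildStrings(_kernelBaseAddress, buildLabOffset, true);
            return;
        }

        StringSearch search = new StringSearch(_dataProvider);
        search.AddNeedle("INITKDBG");
        search.AddNeedle("MISYSPTE");
        search.AddNeedle("PAGEKD");

        foreach (var answer in search.Scan())
        {
            foreach (var kvp in answer)
            {
                foreach (ulong hit in kvp.Value)
                {
                    // The physical hit must map into the kernel address space.
                    ulong vAddr = _kernelAddressSpace.ptov(hit);
                    if (vAddr == 0)
                    {
                        continue;
                    }

                    // PE images are page aligned, so the walk starts at the hit's page.
                    ulong imageBase = FindKernelImageBaseBelow(vAddr & 0xfffffffff000, buildLabOffset);
                    if (imageBase == 0)
                    {
                        continue;
                    }

                    _kernelBaseAddress = imageBase;
                    AddToInfoDictionary("Kernel Base Address", new InfoHelper
                    {
                        Type = InfoHelperType.InfoDictionary,
                        Title = "Kernel Base Address",
                        Name = "0x" + imageBase.ToString("X08"),
                        VirtualAddress = imageBase,
                        BufferSize = 4096,
                    });
                    RecordKernelBuildStrings(imageBase, buildLabOffset, false);
                    return;
                }
            }
        }
    }
    catch (Exception)
    {
        // Best effort, as before: an unreadable image or a missing profile constant
        // leaves the kernel base and build strings unset.
    }
}

/// <summary>
/// Walks backwards one page at a time from <paramref name="startPage"/> looking for a PE
/// ("MZ") header whose RSDS debug record passes <c>IsValidKernel</c> and whose NtBuildLab
/// address translates to a physical address.
/// </summary>
/// <param name="startPage">Page-aligned virtual address to start from.</param>
/// <param name="buildLabOffset">Offset of NtBuildLab from the image base.</param>
/// <returns>The kernel image base, or 0 if none was found within the page limit.</returns>
private ulong FindKernelImageBaseBelow(ulong startPage, uint buildLabOffset)
{
    // Upper bound on the walk; the original author flagged 10 as possibly not enough.
    const int maxPagesToWalk = 10;

    // The decrement lives in the iterator so that every `continue` below really moves
    // to the previous page (the original decremented at the end of the body, which a
    // `continue` skipped, re-reading the same page).
    ulong page = startPage;
    for (int i = 0; i < maxPagesToWalk && page != 0; i++, page -= 0x1000)
    {
        ulong pAddr = _kernelAddressSpace.vtop(page, false);
        if (pAddr == 0)
        {
            // Unmapped page: skip it rather than reading physical page 0.
            continue;
        }

        // NOTE(review): ReadMemory's second argument looks like a page count — confirm.
        byte[] buffer = _dataProvider.ReadMemory(pAddr, 1);
        if (buffer == null || buffer.Length < 2 || buffer[0] != (byte)'M' || buffer[1] != (byte)'Z')
        {
            continue;
        }

        try
        {
            PE peHeader = new PE(_dataProvider, _kernelAddressSpace, page);
            RSDS debugSection = peHeader.DebugSection;
            if (debugSection == null || !IsValidKernel(debugSection.Filename))
            {
                continue;
            }
        }
        catch (Exception)
        {
            // A page that starts with "MZ" but does not parse as a PE image is not the
            // kernel; it must not abort the whole scan.
            continue;
        }

        // As in the original, a base is only accepted when NtBuildLab is resolvable.
        if (_kernelAddressSpace.vtop(page + buildLabOffset, false) == 0)
        {
            continue;
        }
        return page;
    }
    return 0;
}

/// <summary>
/// Reads NtBuildLab relative to <paramref name="kernelBase"/> and records it as
/// "Build String"; then, best effort, does the same for NtBuildLabEx as "Build String Ex".
/// </summary>
/// <param name="kernelBase">Virtual address of the kernel image base.</param>
/// <param name="buildLabOffset">Offset of NtBuildLab from the image base.</param>
/// <param name="vtopFlag">
/// Passed through as the second argument of <c>vtop</c> for the NtBuildLab lookup (the
/// original used <c>true</c> on the already-known path and <c>false</c> after a scan);
/// NtBuildLabEx is always looked up with <c>true</c>, as before.
/// </param>
/// <returns>False when NtBuildLab does not translate to a physical address.</returns>
private bool RecordKernelBuildStrings(ulong kernelBase, uint buildLabOffset, bool vtopFlag)
{
    string build = ReadKernelString(kernelBase + buildLabOffset, vtopFlag);
    if (build == null)
    {
        return false;
    }
    AddToInfoDictionary("Build String", new InfoHelper
    {
        Type = InfoHelperType.InfoDictionary,
        Title = "Build String",
        Name = build,
    });

    try
    {
        uint buildLabExOffset = (uint)_profile.GetConstant("NtBuildLabEx");
        string buildEx = ReadKernelString(kernelBase + buildLabExOffset, true);
        if (buildEx != null)
        {
            AddToInfoDictionary("Build String Ex", new InfoHelper
            {
                Type = InfoHelperType.InfoDictionary,
                Title = "Build String Ex",
                Name = buildEx,
            });
        }
    }
    catch (Exception)
    {
        // NtBuildLabEx is optional: a profile without the constant is not an error.
    }
    return true;
}

/// <summary>
/// Translates <paramref name="vAddr"/>, reads the two pages starting at its page and
/// returns the string found at its page offset, or null when the address does not map.
/// </summary>
private string ReadKernelString(ulong vAddr, bool vtopFlag)
{
    ulong pAddr = _kernelAddressSpace.vtop(vAddr, vtopFlag);
    if (pAddr == 0)
    {
        return null;
    }
    // Two pages are read so a string that crosses the page boundary is still complete.
    byte[] buffer = _dataProvider.ReadMemory(pAddr & 0xfffffffff000, 2);
    if (buffer == null)
    {
        return null;
    }
    return ReadString(buffer, (uint)(pAddr & 0xfff));
}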
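/// <summary>
/// Determines the kernel profile (GUID + age of the kernel PDB) and loads it.
/// </summary>
/// <remarks>
/// On a live system the RSDS debug record is read from <c>ntoskrnl.exe</c> in the system
/// directory. For an image the data is scanned for "RSDS" records whose PDB name is one of
/// the known kernel PDBs; the first match is used and recorded as "Debug Symbols (RSDS)" and
/// "Debug Symbols Filename". Either way the profile name, architecture and KiUserSharedData
/// address are recorded in the info dictionary. Everything is best effort: the method does
/// not throw and on failure leaves the profile unset.
/// </remarks>
public void FindProfileGuidBody()
{
    if (_dataProvider.IsLive)
    {
        try
        {
            string profileName = FindLiveKernelProfileName();
            if (profileName != null)
            {
                ApplyKernelProfile(profileName);
            }
        }
        catch (Exception)
        {
            // Missing/unreadable ntoskrnl.exe or a profile load failure: leave the profile unset.
        }
        return;
    }

    StringSearch search = new StringSearch(_dataProvider);
    search.AddNeedle("RSDS");
    foreach (var answer in search.Scan())
    {
        List<ulong> hitList;
        if (!answer.TryGetValue("RSDS", out hitList))
        {
            continue;
        }

        foreach (ulong hit in hitList)
        {
            try
            {
                RSDS rsds = new RSDS(_dataProvider, hit);
                if (rsds.Signature != "RSDS" || !IsKernelPdbName(rsds.Filename))
                {
                    continue;
                }

                AddToInfoDictionary("Debug Symbols (RSDS)", new InfoHelper
                {
                    Type = InfoHelperType.InfoDictionary,
                    Title = "Debug Symbols (RSDS)",
                    Name = "0x" + hit.ToString("X08") + " (p)",
                    PhysicalAddress = hit,
                    BufferSize = 36,
                });
                AddToInfoDictionary("Debug Symbols Filename", new InfoHelper
                {
                    Type = InfoHelperType.InfoDictionary,
                    Title = "Debug Symbols Filename",
                    Name = rsds.Filename,
                });
                ApplyKernelProfile(rsds.GuidAge + ".gz");
                return;
            }
            catch (Exception)
            {
                // Unreadable or malformed candidate (the hit comes from untrusted image
                // contents): try the next one.
                continue;
            }
        }
    }
}

/// <summary>PDB names under which the Windows kernel ships.</summary>
private static readonly HashSet<string> KernelPdbNames = new HashSet<string>(StringComparer.Ordinal)
{
    "ntkrnlpa.pdb",
    "ntkrnlmp.pdb",
    "ntkrpamp.pdb",
    "ntoskrnl.pdb",
};

/// <summary>
/// True when <paramref name="pdbName"/> is exactly one of the kernel PDB names.
/// NOTE(review): IsValidKernel (used by FindKernelImageBody) may implement the same
/// check — consolidate if so.
/// </summary>
private static bool IsKernelPdbName(string pdbName)
{
    return pdbName != null && KernelPdbNames.Contains(pdbName);
}

/// <summary>
/// Scans the running system's <c>ntoskrnl.exe</c> for its RSDS debug record and returns
/// the profile name (upper-case GUID hex followed by the decimal age, plus ".gz"), or
/// null when no kernel PDB record is found.
/// </summary>
/// <exception cref="IOException">The kernel file cannot be opened or read.</exception>
private static string FindLiveKernelProfileName()
{
    string kernelLocation = Path.Combine(Environment.SystemDirectory, "ntoskrnl.exe");
    byte[] signature = { (byte)'R', (byte)'S', (byte)'D', (byte)'S' };
    int matched = 0;

    using (FileStream fs = new FileStream(kernelLocation, FileMode.Open, FileAccess.Read))
    {
        int b;
        // ReadByte returns -1 at end of file; the original cast that to a byte and
        // looped forever when no matching record existed.
        while ((b = fs.ReadByte()) >= 0)
        {
            if (b != signature[matched])
            {
                // Restart the match, letting a stray 'R' begin a new one.
                matched = b == signature[0] ? 1 : 0;
                continue;
            }

            matched++;
            if (matched < signature.Length)
            {
                continue;
            }
            matched = 0;

            // RSDS record body: 16-byte GUID, 4-byte age, then the PDB name, of which the
            // original compared exactly 12 bytes (the length of every kernel PDB name).
            byte[] record = new byte[32];
            if (ReadBlockFully(fs, record) != record.Length)
            {
                return null;
            }

            string name = Encoding.Default.GetString(record, 20, 12);
            if (!IsKernelPdbName(name))
            {
                continue;
            }

            byte[] guidBytes = new byte[16];
            Array.Copy(record, 0, guidBytes, 0, 16);
            Guid guid = new Guid(guidBytes);
            uint age = BitConverter.ToUInt32(record, 16);
            return (guid.ToString("N") + age.ToString()).ToUpperInvariant() + ".gz";
        }
    }
    return null;
}

/// <summary>
/// Fills <paramref name="buffer"/> from <paramref name="stream"/>, looping over short
/// reads. Returns the number of bytes actually read (less than the buffer length at EOF).
/// </summary>
private static int ReadBlockFully(Stream stream, byte[] buffer)
{
    int total = 0;
    while (total < buffer.Length)
    {
        int read = stream.Read(buffer, total, buffer.Length - total);
        if (read <= 0)
        {
            break;
        }
        total += read;
    }
    return total;
}

/// <summary>
/// Loads the profile named <paramref name="profileName"/>, records the profile name,
/// architecture and KiUserSharedData address in the info dictionary and sets the
/// architecture-dependent pool alignment.
/// </summary>
/// <param name="profileName">Profile file name, e.g. "&lt;GUID&gt;&lt;age&gt;.gz".</param>
private void ApplyKernelProfile(string profileName)
{
    ProfileName = profileName;
    AddToInfoDictionary("ProfileName", new InfoHelper
    {
        Type = InfoHelperType.InfoDictionary,
        Title = "Profile Name",
        Name = ProfileName,
    });

    // TO DO - make the cache path a user option when the settings dialog exists.
    _profile = new Profile(ProfileName, @"E:\Forensics\MxProfileCache", _cacheLocation);
    Architecture = _profile.Architecture;
    AddToInfoDictionary("Architecture", new InfoHelper
    {
        Type = InfoHelperType.InfoDictionary,
        Title = "Architecture",
        Name = Architecture,
    });

    // KiUserSharedData sits at a fixed virtual address that depends on the architecture.
    if (_profile.Architecture == "I386")
    {
        _kiUserSharedData = 0xFFDF0000;
        _profile.PoolAlign = 8;
    }
    else
    {
        _kiUserSharedData = 0xFFFFF78000000000;
        _profile.PoolAlign = 16;
    }
    AddToInfoDictionary("KiUserSharedData", new InfoHelper
    {
        Type = InfoHelperType.InfoDictionary,
        Title = "KiUserSharedData",
        Name = "0x" + _kiUserSharedData.ToString("X"),
        VirtualAddress = _kiUserSharedData,
        BufferSize = 4096,
    });
}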