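/// <summary>
/// Translates a virtual address of the dumped process into the offset inside the
/// minidump file where the backing bytes are stored.
/// </summary>
/// <param name="minidump">Parsed minidump whose memory segment list is consulted.</param>
/// <param name="virutal_address">Virtual address in the dumped process (the misspelled name is kept so existing callers keep compiling).</param>
/// <returns>
/// File offset of the byte backing <paramref name="virutal_address"/>, or 0 when no memory
/// segment contains the address. Callers should treat 0 as "not mapped" rather than seek to it.
/// </returns>
public static long Rva2offset(Program.MiniDump minidump, long virutal_address)
{
    // 64-bit dumps keep their segment list in the Memory64List stream, 32-bit dumps in the MemoryList stream.
    List<MinidumpMemory.MinidumpMemorySegment> memory_segments =
        minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64
            ? minidump.memory_segments_64.memory_segments
            : minidump.memory_segments.memory_segments;

    if (memory_segments is null)
    {
        return 0;
    }

    foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
    {
        if (ms.start_virtual_address <= virutal_address && virutal_address <= ms.end_virtual_address)
        {
            // Keep the delta as a long: the previous version narrowed it to int, which silently
            // wrapped for segments larger than 2 GiB (possible in full memory dumps).
            long delta = virutal_address - ms.start_virtual_address;
            return ms.start_file_address + delta;
        }
    }

    return 0;
}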
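/// <summary>
/// Reads the NUL-terminated ANSI string that a UNICODE_STRING-shaped descriptor points to in the dump.
/// </summary>
/// <param name="minidump">Parsed minidump providing the file reader and address translation.</param>
/// <param name="str">Descriptor whose <c>Buffer</c> is the virtual address of the text and whose <c>MaximumLength</c> bounds the read.</param>
/// <returns>
/// The decoded string (empty if the buffer starts with NUL), or <see langword="null"/> when the
/// descriptor is empty or its buffer is not mapped in the dump.
/// </returns>
public static string ExtractANSIStringString(Program.MiniDump minidump, UNICODE_STRING str)
{
    if (str.MaximumLength == 0)
    {
        return null;
    }

    long fileOffset = Helpers.Rva2offset(minidump, str.Buffer);
    if (fileOffset == 0)
    {
        // Rva2offset reports "not mapped" as 0; seeking there would decode the dump header as text.
        return null;
    }

    minidump.fileBinaryReader.BaseStream.Seek(fileOffset, System.IO.SeekOrigin.Begin);
    byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);

    // Stop at the first NUL, as PtrToStringAnsi does, but never scan beyond the buffer: the
    // unbounded overload keeps reading until it finds a terminator, which may lie outside the
    // pinned array when the dumped string is not NUL-terminated (or the read was short).
    int length = Array.IndexOf(resultBytes, (byte)0);
    if (length < 0)
    {
        length = resultBytes.Length;
    }

    GCHandle pinnedArray = GCHandle.Alloc(resultBytes, GCHandleType.Pinned);
    try
    {
        return Marshal.PtrToStringAnsi(pinnedArray.AddrOfPinnedObject(), length);
    }
    finally
    {
        // Release the pin even if marshalling throws; the previous version leaked it on that path.
        pinnedArray.Free();
    }
}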
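/// <summary>
/// Reads the SID that <paramref name="pSid"/> refers to (through one level of indirection)
/// and renders it in textual <c>S-1-...</c> form.
/// </summary>
/// <param name="minidump">Parsed minidump providing the file reader and address translation.</param>
/// <param name="pSid">Virtual address of the pointer-sized slot that holds the SID's address.</param>
/// <returns>The SID as a string, or <see langword="null"/> when it cannot be located or is malformed.</returns>
public static string ExtractSid(Program.MiniDump minidump, long pSid)
{
    long sidAddress = Minidump.Helpers.ReadInt64(minidump.fileBinaryReader, pSid);
    long sidOffset = Rva2offset(minidump, sidAddress);
    if (sidOffset == 0)
    {
        // Rva2offset reports "not mapped" as 0.
        return null;
    }

    var reader = minidump.fileBinaryReader;

    // A SID is laid out as Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority
    // (6 bytes) followed by SubAuthorityCount 32-bit sub-authorities, so the count lives at
    // byte 1. The previous version read byte 8 (the low byte of the first sub-authority) while
    // still sizing the buffer as 8 + 4 * count, which only worked when that value happened to
    // be at least the real count.
    reader.BaseStream.Seek(sidOffset + 1, System.IO.SeekOrigin.Begin);
    int subAuthorityCount = reader.ReadByte();
    int sizeSid = 1 + 1 + 6 + 4 * subAuthorityCount;

    reader.BaseStream.Seek(sidOffset, System.IO.SeekOrigin.Begin);
    byte[] sidBytes = reader.ReadBytes(sizeSid);
    if (sidBytes.Length < sizeSid)
    {
        // Short read at end of file: the SID is truncated in the dump.
        return null;
    }

    try
    {
        // Managed parsing replaces the ConvertSidToStringSid P/Invoke, whose LocalAlloc'd
        // result was never released and which trusted the caller-supplied length.
        return new System.Security.Principal.SecurityIdentifier(sidBytes, 0).ToString();
    }
    catch (ArgumentException)
    {
        // Invalid revision or inconsistent length: report "no SID" as the old code did on failure.
        return null;
    }
}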
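/// <summary>
/// Reads the UTF-16LE text that a UNICODE_STRING descriptor points to in the dump.
/// </summary>
/// <param name="minidump">Parsed minidump providing the file reader and address translation.</param>
/// <param name="str">Descriptor whose <c>Buffer</c> is the virtual address of the text and whose <c>MaximumLength</c> is the number of bytes read.</param>
/// <returns>
/// The decoded string; a hex rendering of the raw bytes (via <c>PrintHexBytes</c>) when they are not
/// valid UTF-16; or <see langword="null"/> when the descriptor is empty or its buffer is not mapped.
/// </returns>
public static string ExtractUnicodeStringString(Program.MiniDump minidump, UNICODE_STRING str)
{
    if (str.MaximumLength == 0)
    {
        return null;
    }

    long fileOffset = Helpers.Rva2offset(minidump, str.Buffer);
    if (fileOffset == 0)
    {
        // Rva2offset reports "not mapped" as 0; seeking there would decode the dump header as text.
        return null;
    }

    minidump.fileBinaryReader.BaseStream.Seek(fileOffset, System.IO.SeekOrigin.Begin);
    // NOTE(review): this decodes MaximumLength bytes (buffer capacity) rather than Length
    // (bytes in use), so the tail may contain stale characters — confirm callers expect that.
    byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);

    // Strict decoding: an invalid sequence (including an odd trailing byte) raises
    // DecoderFallbackException, in which case the raw bytes are shown as hex instead of mojibake.
    var decoder = new UnicodeEncoding(bigEndian: false, byteOrderMark: false, throwOnInvalidBytes: true);
    try
    {
        return decoder.GetString(resultBytes);
    }
    catch (DecoderFallbackException)
    {
        // Narrowed from catch (Exception): GetString only fails this way for undecodable input.
        return PrintHexBytes(resultBytes);
    }
}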
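//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L323
/// <summary>
/// Scans the memory segments that start inside a loaded module's image range for a byte pattern.
/// </summary>
/// <param name="minidump">Parsed minidump providing the segment list, module list and file reader.</param>
/// <param name="module_name">Module to scan, resolved with <c>get_module_by_name</c>.</param>
/// <param name="pattern">Byte sequence to locate (matched with <c>PatternAt</c>).</param>
/// <param name="find_first">Kept for signature compatibility with the Python original; not used — the first match is always returned.</param>
/// <param name="reverse">Kept for signature compatibility; not used.</param>
/// <param name="chunksize">Kept for signature compatibility; not used — each segment is read whole.</param>
/// <returns>File offset of the first match, or 0 when the module is unknown or the pattern is absent.</returns>
public static long search_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false, int chunksize = (10 * 1024))
{
    ModuleList.MinidumpModule mod = get_module_by_name(module_name, minidump.modules);
    if (mod is null)
    {
        // The previous version dereferenced the missing module and died with a
        // NullReferenceException; an unknown module is reported like an absent pattern.
        return 0;
    }

    // 64-bit dumps keep their segment list in the Memory64List stream, 32-bit dumps in the MemoryList stream.
    List<MinidumpMemory.MinidumpMemorySegment> memory_segments =
        minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64
            ? minidump.memory_segments_64.memory_segments
            : minidump.memory_segments.memory_segments;

    var reader = minidump.fileBinaryReader;
    long savedPosition = reader.BaseStream.Position;
    try
    {
        foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
        {
            // Only segments whose start falls within [baseaddress, endaddress] are examined.
            if (ms.start_virtual_address < mod.baseaddress || ms.start_virtual_address > mod.endaddress)
            {
                continue;
            }

            reader.BaseStream.Seek(ms.start_file_address, System.IO.SeekOrigin.Begin);
            // NOTE(review): the segment size is narrowed to int, so a segment above 2 GiB would be read partially.
            byte[] data = reader.ReadBytes((int)ms.size);
            int offset = PatternAt(data, pattern);
            if (offset != -1)
            {
                return ms.start_file_address + offset;
            }
        }

        return 0;
    }
    finally
    {
        // Callers depend on the reader being left where they positioned it, including when a read throws.
        reader.BaseStream.Seek(savedPosition, System.IO.SeekOrigin.Begin);
    }
}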
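//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L268
/// <summary>
/// Forwards to <see cref="search_module"/> with the default chunk size.
/// </summary>
/// <param name="minidump">Parsed minidump to search.</param>
/// <param name="module_name">Module whose segments are scanned.</param>
/// <param name="pattern">Byte sequence to locate.</param>
/// <param name="find_first">Passed through to <c>search_module</c> (currently unused there).</param>
/// <param name="reverse">Passed through to <c>search_module</c> (currently unused there).</param>
/// <returns>File offset of the first match, or 0 when not found.</returns>
public static long find_in_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false)
{
    // The previous call site wrote `find_first = find_first, reverse = reverse`, which C# parses as
    // (self-)assignments, not named arguments; the values only reached the right parameters because
    // the positional order happened to match. Named arguments use a colon.
    return search_module(minidump, module_name, pattern, find_first: find_first, reverse: reverse);
}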
//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/lsadecryptor/package_commons.py#L64
/// <summary>
/// Convenience alias for <see cref="find_in_module"/> using its default search options.
/// </summary>
/// <param name="minidump">Parsed minidump to search.</param>
/// <param name="module_name">Module whose segments are scanned.</param>
/// <param name="signature">Byte sequence to locate.</param>
/// <returns>File offset of the first match, or 0 when not found.</returns>
public static long find_signature(Program.MiniDump minidump, string module_name, byte[] signature)
    => find_in_module(minidump, module_name, signature);