| public FillTable ( bool RedundantKernelSpaces, int depth = 4 ) : long | ||
| RedundantKernelSpaces | bool | |
| depth | int | |
| Результат | long | |
public static PageTable AddProcess(DetectedProc dp, Mem mem, bool OnlyUserSpace = false)
{
long Address = 0;
int AddressIndex = 0;
// dump Page table high to low
var va = new VIRTUAL_ADDRESS(long.MaxValue - 0xfff);
var rv = new PageTable
{
Failed = new List <HARDWARE_ADDRESS_ENTRY>(),
DP = dp,
mem = mem
};
// TODO: encode VA's for self/recursive physical addr's
if (dp.PageTableType == PTType.Windows)
{
Address = MagicNumbers.Windows_SelfAsVA;
AddressIndex = MagicNumbers.Windows_SelfPtr;
}
// any output is error/warning output
var cnt = rv.FillTable(new VIRTUAL_ADDRESS(Address), AddressIndex, dp.CR3Value, OnlyUserSpace);
if (cnt == 0)
{
if (dp.vmcs != null)
{
WriteLine($"BAD EPTP/DirectoryTable Base {dp.vmcs.EPTP:X16}, try a different candidate or this dump may lack a hypervisor. Attempting PT walk W/O SLAT");
}
else
{
WriteLine($"Decoding failed for {dp.CR3Value:X16}");
}
/*cnt = rv.FillTable(new VIRTUAL_ADDRESS(Address), AddressIndex, dp.CR3Value, OnlyUserSpace);
* WriteLine($"Physical walk w/o SLAT yielded {cnt} entries");*/
}
dp.PT = rv;
return(rv);
}
public static PageTable AddProcess(DetectedProc dp, Mem mem, bool OnlyUserSpace = false)
{
long Address = 0;
int AddressIndex = 0;
// dump Page table high to low
var va = new VIRTUAL_ADDRESS(long.MaxValue - 0xfff);
var rv = new PageTable
{
Failed = new List<HARDWARE_ADDRESS_ENTRY>(),
DP = dp,
mem = mem
};
// TODO: encode VA's for self/recursive physical addr's
if (dp.PageTableType == PTType.Windows)
{
Address = MagicNumbers.Windows_SelfAsVA;
AddressIndex = MagicNumbers.Windows_SelfPtr;
}
// any output is error/warning output
var cnt = rv.FillTable(new VIRTUAL_ADDRESS(Address), AddressIndex, dp.CR3Value, OnlyUserSpace);
if (cnt == 0)
{
if (dp.vmcs != null)
WriteLine($"BAD EPTP/DirectoryTable Base {dp.vmcs.EPTP:X16}, try a different candidate or this dump may lack a hypervisor. Attempting PT walk W/O SLAT");
else
WriteLine($"Decoding failed for {dp.CR3Value:X16}");
/*cnt = rv.FillTable(new VIRTUAL_ADDRESS(Address), AddressIndex, dp.CR3Value, OnlyUserSpace);
WriteLine($"Physical walk w/o SLAT yielded {cnt} entries");*/
}
dp.PT = rv;
return rv;
}
public static PageTable AddProcess(DetectedProc dp, Mem mem)
{
long Address = 0;
int AddressIndex = 0;
// dump Page table high to low
var va = new VIRTUAL_ADDRESS(long.MaxValue - 0xfff);
var rv = new PageTable
{
Failed = new List<HARDWARE_ADDRESS_ENTRY>(),
DP = dp,
mem = mem
};
// TODO: encode VA's for self/recursive physical addr's
if (dp.PageTableType == PTType.Windows)
{
Address = MagicNumbers.Windows_SelfAsVA;
AddressIndex = MagicNumbers.Windows_SelfPtr;
}
// any output is error/warning output
var cnt = rv.FillTable(new VIRTUAL_ADDRESS(Address), AddressIndex, dp.CR3Value);
Debug.WriteLine($"extracted {cnt} PTE from process {dp.vmcs.EPTP:X16}:{dp.CR3Value:X16}");
dp.PT = rv;
return rv;
}