protected void compareChildren(ComparableNodes nodes)
{
foreach (ulong id in nodes.Keys)
{
XmlNode adNode = nodes[id].Item1;
XmlNode rkNode = nodes[id].Item2;
if (adNode != null && rkNode != null)
{
compareNodes(adNode, rkNode);
}
}
}
protected void compareSDTs(XmlNodeList adNodes, XmlNodeList rkNodes)
{
ComparableNodes nodes = compareLists(adNodes, rkNodes, true);
foreach (ulong key in nodes.Keys)
{
XmlNode adSDTs = nodes[key].Item1;
XmlNode rkSDTs = nodes[key].Item2;
if (adSDTs != null && rkSDTs != null)
{
XmlNodeList adSSDTs = adSDTs.SelectNodes("SSDTs");
XmlNodeList rkSSDTs = rkSDTs.SelectNodes("SSDTs");
Console.WriteLine("SSDTs: {0} {1}", adSSDTs.Count, rkSSDTs.Count);
if (adSSDTs.Count == rkSSDTs.Count)
{
for (int i = 0; i < adSSDTs.Count; ++i)
{
Console.WriteLine("Children: {0} {1}", adSSDTs[i].ChildNodes.Count, rkSSDTs[i].ChildNodes.Count);
string adVA = adSSDTs[i].SelectSingleNode("VirtAddr").InnerText;
string rkVA = rkSSDTs[i].SelectSingleNode("VirtAddr").InnerText;
if (adVA != rkVA)
{
Console.WriteLine("Address: {0:X} {1:X}", adVA, rkVA);
}
XmlNodeList adAdds = adSSDTs[i].SelectNodes("SSDTAddr");
XmlNodeList rkAdds = rkSSDTs[i].SelectNodes("SSDTAddr");
if (adAdds.Count == rkAdds.Count)
{
for (int addr = 0; addr < adAdds.Count; ++addr)
{
if (adAdds[addr].InnerText != rkAdds[addr].InnerText)
{
Console.WriteLine("SSDTAddr: {0:X} {1:X}", adAdds[addr].InnerText, rkAdds[addr].InnerText);
}
}
}
else
{
Console.WriteLine("SSDTAddrs {0} {1}", adAdds.Count, rkAdds.Count);
}
}
}
}
}
}
protected ComparableNodes evaluateLists(XmlNodeList adNodes, XmlNodeList rkNodes, string xpath)
{
ComparableNodes Nodes = new ComparableNodes();
foreach (XmlNode node in adNodes)
{
ulong key;
if (!ulong.TryParse(node.SelectSingleNode(xpath).InnerText, out key))
{
Console.WriteLine("Unable to convert key value {0} to ulong for node: {1}",
node.SelectSingleNode(xpath).InnerText,
node.Format());
continue;
}
if (Nodes.ContainsKey(key))
{
Console.WriteLine("Found duplicate key {0} tagged {1}", key, xpath);
continue;
}
Nodes.Add(key, new Tuple <XmlNode, XmlNode>(node, null));
}
foreach (XmlNode node in rkNodes)
{
ulong key;
if (!ulong.TryParse(node.SelectSingleNode(xpath).InnerText, out key))
{
Console.WriteLine("Unable to convert key value {0} to ulong for node: {1}",
node.SelectSingleNode(xpath).InnerText,
node.Format());
continue;
}
if (Nodes.Keys.Contains(key))
{
XmlNode adNode = Nodes[key].Item1;
Nodes[key] = new Tuple <XmlNode, XmlNode>(adNode, node);
}
else
{
Nodes.Add(key, new Tuple <XmlNode, XmlNode>(null, node));
}
}
return(Nodes);
}
protected ComparableNodes compareLists(XmlNodeList adList, XmlNodeList rkList, bool showCountsWhenIdentical)
{
string key = string.Empty;
if (adList.Count > 0)
{
key = adList[0].GetKey();
}
if (key == string.Empty)
{
Console.WriteLine("Not able to compare these lists.");
return(new ComparableNodes());
}
ComparableNodes nodes = evaluateLists(adList, rkList, key);
if (showCountsWhenIdentical ||
adList.Count != rkList.Count ||
adList.Count != nodes.Count)
{
Console.WriteLine(adList[0].Name);
Console.WriteLine("Access Data: {0}", adList.Count);
Console.WriteLine("Rekall: {0}", rkList.Count);
Console.WriteLine("Unique Keys: {0}", nodes.Count);
Console.WriteLine();
Console.WriteLine(adList[0].GetHeading());
foreach (ulong id in nodes.Keys)
{
XmlNode adNode = nodes[id].Item1;
XmlNode rkNode = nodes[id].Item2;
Console.WriteLine("{0,11} {1} {2}",
id,
adNode.Format(),
rkNode.Format());
}
}
return(nodes);
}
public void Compare()
{
XmlNodeList adProcs = _adDoc.DocumentElement.SelectNodes("Process");
XmlNodeList rkProcs = _rkDoc.DocumentElement.SelectNodes("Process");
if (adProcs.Count + rkProcs.Count > 0)
{
ComparableNodes nodes = compareLists(adProcs, rkProcs, true);
compareChildren(nodes);
}
XmlNodeList adMods = _adDoc.DocumentElement.SelectNodes("Module");
XmlNodeList rkMods = _rkDoc.DocumentElement.SelectNodes("Module");
if (adMods.Count + rkMods.Count > 0)
{
ComparableNodes nodes = compareLists(adMods, rkMods, true);
compareChildren(nodes);
}
XmlNodeList adSDTs = _adDoc.DocumentElement.SelectNodes("SDTs");
XmlNodeList rkSDTs = _rkDoc.DocumentElement.SelectNodes("SDTs");
if (adSDTs.Count + rkSDTs.Count > 0)
{
compareSDTs(adSDTs, rkSDTs);
}
XmlNodeList adReg = _adDoc.DocumentElement.SelectNodes("RegistryKey");
XmlNodeList rkReg = _rkDoc.DocumentElement.SelectNodes("RegistryKey");
if (adReg.Count + rkReg.Count > 0)
{
compareLists(adReg, rkReg, true);
}
}
