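        /// <summary>
        /// Prints the privileges that are enabled in a process token to the console.
        /// </summary>
        /// <param name="p">Process whose token is inspected; its primary token (<c>p.EProc.Token</c>) is used when no address is given.</param>
        /// <param name="TokenAddress">Virtual address of a <c>_TOKEN</c> to dump instead of the primary token; 0 selects the primary token.</param>
        public static void Token(DetectedProc p, long TokenAddress = 0)
        {
            // The privilege name/bit table is built lazily from kernel symbols.
            if (PrivilegeSet == null || PrivilegeSet.Count < 1)
            {
                InitFromKernel(p);
            }

            long TokenToDump = TokenAddress != 0 ? TokenAddress : p.EProc.Token;

            // _TOKEN.Privileges.Enabled is the bitmask of currently enabled privileges.
            var tok     = p.xStructInfo("_TOKEN", TokenToDump);
            var enabled = (long)tok.Privileges.Enabled.Value;

            WxColor(ConsoleColor.Cyan, ConsoleColor.Black, $"{p.ShortName} Enabled Privileges: ");
            foreach (var priv in PrivilegeSet)
            {
                // C# masks a long shift count to its low 6 bits, so a Value >= 64 (or a negative one)
                // would silently alias onto a lower bit and report a privilege that is not actually set.
                // Such values cannot be bit positions of a 64-bit mask; skip them instead of misreporting.
                if ((ulong)priv.Value > 63)
                {
                    continue;
                }
                if (((enabled >> priv.Value) & 1) != 0)
                {
                    WriteLine($"{priv.Name, 8}");
                }
            }
            Write(Environment.NewLine);
        }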
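        /// <summary>
        /// Scans every page returned by the process page walk with <paramref name="re"/>, decoding each page
        /// as ASCII, UTF-16LE and/or UTF-8, and yields the virtual address and text of every match.
        /// </summary>
        /// <param name="re">Pattern applied to the decoded page text.</param>
        /// <param name="dp">Process whose page tables and physical memory are read.</param>
        /// <param name="MatchAscii">Decode each page as ASCII and match.</param>
        /// <param name="MatchUTF16">Decode each page as UTF-16LE and match.</param>
        /// <param name="MatchUTF8">Decode each page as UTF-8 and match.</param>
        /// <returns>Lazily yielded (virtual address, matched text) pairs. Physical pages already marked in the
        /// dump bitmap are skipped, so a page mapped at several virtual addresses is reported once.</returns>
        public static IEnumerable <Tuple <ulong, string> > SimpleRegex(Regex re, DetectedProc dp, bool MatchAscii = true, bool MatchUTF16 = false, bool MatchUTF8 = false)
        {
            byte[] block4k  = new byte[PAGE_SIZE];
            byte[] block2MB = new byte[LARGE_PAGE_SIZE];

            dp.MemAccess.ResetDumpBitmap();

            foreach (var entry in dp.PT.FillPageQueue(false, true, true, false))
            {
                if (dp.MemAccess.IsDumpedPFN(entry.PTE))
                {
                    continue;
                }
                dp.MemAccess.SetDumpedPFN(entry.PTE);

                bool   GotData = false;
                byte[] block   = entry.PTE.LargePage ? block2MB : block4k;

                dp.MemAccess.GetPageForPhysAddr(entry.PTE, ref block, ref GotData);

                // NOTE(review): pages are skipped when IsZeroPage/IsFFFPage return 0 — confirm that 0
                // means "page is all 0x00 / all 0xFF" and not the opposite.
                if (!GotData ||
                    UnsafeHelp.IsZeroPage(block) == 0 ||
                    UnsafeHelp.IsFFFPage(block) == 0)
                {
                    continue;
                }

                var pageBase = entry.VA.FullAddr;

                if (MatchAscii)
                {
                    // ASCII decoding is one char per byte, so the match index is already the byte offset.
                    foreach (Match m in re.Matches(Encoding.ASCII.GetString(block, 0, block.Length)))
                    {
                        yield return Tuple.Create <ulong, string>(pageBase + (uint)m.Index, m.Value);
                    }
                }
                if (MatchUTF16)
                {
                    // UTF-16 decoding is two bytes per char: the char index must be doubled to get the
                    // byte offset, otherwise the reported address is wrong for every match past the first.
                    foreach (Match m in re.Matches(Encoding.Unicode.GetString(block, 0, block.Length)))
                    {
                        yield return Tuple.Create <ulong, string>(pageBase + (uint)(m.Index * 2), m.Value);
                    }
                }
                if (MatchUTF8)
                {
                    string text  = Encoding.UTF8.GetString(block, 0, block.Length);
                    char[] chars = text.ToCharArray();
                    foreach (Match m in re.Matches(text))
                    {
                        // Multi-byte sequences make the char index differ from the byte offset; re-encode
                        // the prefix to recover it. Invalid input bytes decode to U+FFFD (3 bytes when
                        // re-encoded), so the offset is exact only where the page prefix is valid UTF-8.
                        uint byteOffset = (uint)Encoding.UTF8.GetByteCount(chars, 0, m.Index);
                        yield return Tuple.Create <ulong, string>(pageBase + byteOffset, m.Value);
                    }
                }
            }
        }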
        /// <summary>
        /// Creates a dumper for one detected process that writes its output under <paramref name="outDir"/>.
        /// </summary>
        /// <param name="vtero">Owning Vtero instance.</param>
        /// <param name="outDir">Directory that dump output is written to.</param>
        /// <param name="dp">Process to dump.</param>
        /// <param name="args">Memory-range selection; only its <c>Regions</c> is kept here.</param>
        public Dumper(Vtero vtero, string outDir, DetectedProc dp, MemRangeArgs args)
        {
            DP              = dp;
            OutDir          = outDir;
            Vtero           = vtero;
            SelectedRegions = args.Regions;
        }
        /// <summary>
        /// Rebuilds <c>PrivilegeSet</c> from the kernel's <c>Se*Privilege</c> symbols. Each entry records the
        /// symbol name, its address and the byte read at that address, which callers use as a bit position.
        /// </summary>
        /// <param name="p">Process used to resolve symbols in ntkrnlmp and to read the target's memory.</param>
        public static void InitFromKernel(DetectedProc p)
        {
            PrivilegeSet = new List <Privilege>();

            foreach (var sym in p.MatchSymbols("Se*Privilege", "ntkrnlmp"))
            {
                // sym.Item1 is the symbol name, sym.Item2 its address.
                // NOTE(review): the wildcard may also match symbols that are not privilege LUIDs, in which
                // case Value is whatever byte sits at that address — consumers should bound-check it.
                var address = (long)sym.Item2;

                PrivilegeSet.Add(new Privilege
                {
                    Name    = sym.Item1,
                    Address = address,
                    Value   = p.GetByteValue(address),
                });
            }
        }
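        /// <summary>
        /// Searches every page returned by the process page walk for the byte sequence
        /// <paramref name="ToFind"/> and yields the virtual address of each occurrence.
        /// </summary>
        /// <param name="ToFind">Byte pattern to locate; must not be null or empty.</param>
        /// <param name="dp">Process whose page tables and physical memory are read.</param>
        /// <param name="align">Alignment constraint passed through to <c>SearchBytes</c>.</param>
        /// <param name="DoKernel">Include kernel-mode pages in the walk.</param>
        /// <param name="MaxCount">Stop after this many hits; 0 (the default) means unlimited.</param>
        /// <returns>Virtual addresses of matches, yielded lazily as pages are read.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="ToFind"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="ToFind"/> is empty.</exception>
        /// <remarks>This is an iterator, so argument validation runs on the first enumeration rather than
        /// at the call site.</remarks>
        public static IEnumerable <ulong> ByteScan(Byte[] ToFind, DetectedProc dp, int align = 1, bool DoKernel = false, int MaxCount = 0)
        {
            if (ToFind == null)
            {
                throw new ArgumentNullException(nameof(ToFind));
            }
            if (ToFind.Length == 0)
            {
                // An empty needle would match at every offset and never advance the cursor below.
                throw new ArgumentException("Pattern must not be empty.", nameof(ToFind));
            }

            byte[] block4k  = new byte[PAGE_SIZE];
            byte[] block2MB = new byte[LARGE_PAGE_SIZE];
            int    found    = 0;

            foreach (var entry in dp.PT.FillPageQueue(false, DoKernel, true, false))
            {
                bool   GotData = false;
                byte[] block   = entry.PTE.LargePage ? block2MB : block4k;

                dp.MemAccess.GetPageForPhysAddr(entry.PTE, ref block, ref GotData);

                if (!GotData)
                {
                    continue;
                }

                // Walk the page, resuming just past each hit; overlapping occurrences are therefore not reported.
                int i = 0;
                do
                {
                    i = block.SearchBytes(ToFind, i, align);
                    if (i < 0)
                    {
                        break;
                    }

                    yield return entry.VA.FullAddr + (uint)i;

                    // MaxCount was accepted but never honored before; 0 keeps the unlimited behaviour.
                    if (MaxCount > 0 && ++found >= MaxCount)
                    {
                        yield break;
                    }

                    i += ToFind.Length;
                } while (i <= (block.Length - ToFind.Length));
            }
        }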
 /// <summary>
 /// Binds heap enumeration to one detected process and starts with an empty heap list.
 /// </summary>
 /// <param name="P">Process whose heaps will be collected.</param>
 public Heaps(DetectedProc P)
 {
     HEAPS = new List <dynamic>();
     p     = P;
 }