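/// <summary>
/// Walks a doubly-linked LIST_ENTRY ring in both directions starting at <paramref name="source"/>
/// and returns every distinct entry reached.
/// </summary>
/// <param name="dataProvider">Provider whose <c>ActiveAddressSpace</c> is used for pointer
/// translation; every link that is followed is wrapped in a new LIST_ENTRY bound to this provider.</param>
/// <param name="source">Entry to start from (typically the list head).</param>
/// <returns>
/// The visited entries in breadth-first order, beginning with <paramref name="source"/>.
/// Entries are de-duplicated by <c>PhysicalAddress</c>; that is also what terminates the walk
/// on a circular list and on an image whose links loop back on themselves.
/// </returns>
/// <remarks>
/// Flink/Blink come straight out of the memory image and are untrusted. A link is followed only
/// when non-zero, and the seen-set bounds the traversal so a malformed ring cannot spin forever.
/// Links into unmapped memory are still followed (see the note on <c>vtop</c> below).
/// </remarks>
protected List<LIST_ENTRY> FindAllLists(DataProviderBase dataProvider, LIST_ENTRY source)
{
    List<LIST_ENTRY> results = new List<LIST_ENTRY>();
    // O(1) membership test; the original List<ulong>.Contains made the walk quadratic in ring length.
    HashSet<ulong> seen = new HashSet<ulong>();
    // FIFO work list. The original used List.Add + RemoveAt(0), i.e. a queue with an O(n) dequeue.
    Queue<LIST_ENTRY> pending = new Queue<LIST_ENTRY>();
    AddressBase addressSpace = dataProvider.ActiveAddressSpace;

    pending.Enqueue(source);
    while (pending.Count > 0)
    {
        LIST_ENTRY item = pending.Dequeue();
        // HashSet.Add returns false when this physical address was already visited.
        if (!seen.Add(item.PhysicalAddress))
        {
            continue;
        }
        results.Add(item);

        // Read each link exactly once. The original re-read item.Blink/item.Flink when constructing
        // the next entry; on a live target that second read could observe a different value than
        // the one just checked against zero.
        ulong blink = item.Blink;
        if (blink != 0)
        {
            // NOTE(review): the translation result was discarded in the original as well; the call
            // is kept only for any side effect vtop may have. If vtop reports an unmapped page
            // (return value or exception - confirm its contract), that should gate following the
            // link instead of being thrown away.
            addressSpace.vtop(blink);
            pending.Enqueue(new LIST_ENTRY(dataProvider, blink));
        }

        ulong flink = item.Flink;
        if (flink != 0)
        {
            addressSpace.vtop(flink);
            pending.Enqueue(new LIST_ENTRY(dataProvider, flink));
        }
    }
    return results;
}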
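/// <summary>
/// Enumerates _EPROCESS addresses by walking the per-session process list
/// (<c>_MM_SESSION_SPACE.ProcessList</c>) of every session referenced from the known process list.
/// </summary>
/// <returns>
/// The set of candidate _EPROCESS virtual addresses, or the cached result from
/// <c>pslist_Sessions.gz</c> when that file exists and the provider is not live.
/// </returns>
/// <remarks>
/// The list links are read from the image and treated as untrusted: a null link is rejected
/// before any arithmetic is done on it, the session's own list head (which lives inside
/// _MM_SESSION_SPACE, not inside an _EPROCESS) is excluded, and a link smaller than the
/// SessionProcessLinks offset is dropped rather than allowed to wrap to a bogus address.
/// NOTE(review): this walk uses whatever <c>ActiveAddressSpace</c> the provider currently has;
/// the PsActiveProcessHead variants set it to the kernel space explicitly, this one does not.
/// Confirm callers establish it before invoking Run().
/// </remarks>
public HashSet<ulong> Run()
{
    // Cached results are only trusted for a static image; a live target can change underneath us.
    FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_Sessions.gz");
    if (cachedFile.Exists && !_dataProvider.IsLive)
    {
        OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
        if (cachedMap != null)
        {
            return cachedMap.OffsetRecords;
        }
    }

    HashSet<ulong> results = new HashSet<ulong>();

    // Distinct pointers to _MM_SESSION_SPACE objects, gathered from the processes already known.
    HashSet<ulong> sessionList = new HashSet<ulong>();
    if (_processList != null)
    {
        foreach (ProcessInfo info in _processList)
        {
            if (info.Session != 0)
            {
                sessionList.Add(info.Session);
            }
        }
    }

    ulong sOffset = (ulong)_profile.GetOffset("_EPROCESS", "SessionProcessLinks");
    ulong plOffset = (ulong)_profile.GetOffset("_MM_SESSION_SPACE", "ProcessList");

    foreach (ulong sessionAddress in sessionList)
    {
        SessionSpace ss = new SessionSpace(_profile, _dataProvider, sessionAddress);
        List<LIST_ENTRY> procLists = FindAllLists(_dataProvider, ss.ProcessList);

        // Every pointer observed on the ring, in either direction, de-duplicated.
        HashSet<ulong> links = new HashSet<ulong>();
        foreach (LIST_ENTRY entry in procLists)
        {
            links.Add(entry.Blink);
            links.Add(entry.Flink);
        }

        foreach (ulong link in links)
        {
            // Null link: nothing to resolve. Tested first so no arithmetic is performed on 0
            // (the original evaluated 0 - plOffset before this test, which throws in a checked build).
            if (link == 0)
            {
                continue;
            }
            // The ring passes back through the session's own list head; that is not an _EPROCESS.
            if (link >= plOffset && link - plOffset == sessionAddress)
            {
                continue;
            }
            // A link below the field offset cannot point into an _EPROCESS; subtracting would wrap
            // to a huge bogus address. Only a corrupted or hostile image produces such a value.
            if (link < sOffset)
            {
                continue;
            }
            // The link points at EPROCESS.SessionProcessLinks; rewind to the start of the structure.
            results.Add(link - sOffset);
        }
    }
    return TrySave(results);
}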
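/// <summary>
/// Enumerates _EPROCESS addresses by walking the kernel's <c>PsActiveProcessHead</c> list.
/// </summary>
/// <returns>
/// The set of candidate _EPROCESS virtual addresses, or the cached result from
/// <c>pslist_PsActiveProcessHead.gz</c> when that file exists and the provider is not live.
/// </returns>
/// <remarks>
/// Side effect: <c>_dataProvider.ActiveAddressSpace</c> is switched to the profile's kernel
/// address space for the walk and is not restored afterwards.
/// Only processes still linked into this list can be found here; the session-list and
/// csrss handle-table variants in this file exist as independent sources to compare against.
/// Link addresses are untrusted: the head itself and null links are skipped, and a link
/// smaller than the ActiveProcessLinks offset is dropped instead of wrapping to a bogus address.
/// </remarks>
public HashSet<ulong> Run()
{
    // Cached results are only trusted for a static image; a live target can change underneath us.
    FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_PsActiveProcessHead.gz");
    if (cachedFile.Exists && !_dataProvider.IsLive)
    {
        OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
        if (cachedMap != null)
        {
            return cachedMap.OffsetRecords;
        }
    }

    HashSet<ulong> results = new HashSet<ulong>();

    // PsActiveProcessHead is stored as an RVA in the profile; rebase onto the loaded kernel.
    uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
    ulong headAddress = _profile.KernelBaseAddress + processHeadOffset;
    _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
    LIST_ENTRY head = new LIST_ENTRY(_dataProvider, headAddress);

    ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
    foreach (LIST_ENTRY entry in FindAllLists(_dataProvider, head))
    {
        ulong linkAddress = entry.VirtualAddress;
        // The head lives in the kernel image, not in an _EPROCESS; a null address has nothing to rewind.
        if (linkAddress == headAddress || linkAddress == 0)
        {
            continue;
        }
        // Below the field offset the subtraction would wrap; such a value can only come from a
        // corrupted or hostile image, so drop it rather than emit a garbage address.
        if (linkAddress < apl)
        {
            continue;
        }
        // The entry is EPROCESS.ActiveProcessLinks; rewind to the start of the structure.
        results.Add(linkAddress - apl);
    }
    return TrySave(results);
}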
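/// <summary>
/// Enumerates _EPROCESS addresses through the handle table of csrss.exe: every process object
/// csrss holds a handle to becomes a candidate, independently of the kernel's list links.
/// </summary>
/// <returns>
/// Candidate _EPROCESS virtual addresses (object pointer plus object-header size), or the cached
/// result from <c>pslist_CSRSS.gz</c> when that file exists and the provider is not live.
/// </returns>
/// <remarks>
/// Two sources are tried in order. First the already-built process list is scanned for entries
/// named csrss.exe. If that yields nothing (no list, no csrss, or every csrss failed to parse),
/// <c>PsActiveProcessHead</c> is walked and each _EPROCESS is inspected by ImageFileName instead;
/// that path switches <c>_dataProvider.ActiveAddressSpace</c> to the kernel space as a side effect.
/// The name match is an exact, case-sensitive comparison on a string read from the image, so a
/// process that merely calls itself csrss.exe is walked too - treat the output as candidates to be
/// validated, not as authoritative. Per-handle parse failures are swallowed deliberately so one
/// bad entry in a corrupted image does not abort the whole enumeration.
/// </remarks>
public HashSet<ulong> Run()
{
    // Cached results are only trusted for a static image; a live target can change underneath us.
    FileInfo cachedFile = new FileInfo(_dataProvider.CacheFolder + "\\pslist_CSRSS.gz");
    if (cachedFile.Exists && !_dataProvider.IsLive)
    {
        OffsetMap cachedMap = RetrieveOffsetMap(cachedFile);
        if (cachedMap != null)
        {
            return cachedMap.OffsetRecords;
        }
    }

    HashSet<ulong> results = new HashSet<ulong>();

    // Source 1: csrss processes already present in the supplied process list.
    if (_processList != null)
    {
        foreach (ProcessInfo info in _processList)
        {
            try
            {
                if (info.ProcessName == "csrss.exe")
                {
                    AddProcessObjectsFromHandleTable(info.ObjectTableAddress, results);
                }
            }
            catch (Exception)
            {
                // Best effort: a csrss whose handle table cannot be read is skipped and the next one tried.
                continue;
            }
        }
        if (results.Count > 0)
        {
            return TrySave(results);
        }
    }

    // Source 2: no usable csrss in the list; locate it by walking PsActiveProcessHead.
    uint processHeadOffset = (uint)_profile.GetConstant("PsActiveProcessHead");
    ulong headAddress = _profile.KernelBaseAddress + processHeadOffset;
    _dataProvider.ActiveAddressSpace = _profile.KernelAddressSpace;
    LIST_ENTRY head = new LIST_ENTRY(_dataProvider, headAddress);

    ulong apl = (ulong)_profile.GetOffset("_EPROCESS", "ActiveProcessLinks");
    foreach (LIST_ENTRY entry in FindAllLists(_dataProvider, head))
    {
        ulong linkAddress = entry.VirtualAddress;
        if (linkAddress == headAddress || linkAddress == 0)
        {
            continue;
        }
        // Below the field offset the subtraction would wrap to a garbage address; only a
        // corrupted or hostile image produces such a link.
        if (linkAddress < apl)
        {
            continue;
        }
        // As in the original there is no try/catch around this path: a failure to read an
        // _EPROCESS or its handle table propagates to the caller.
        EProcess ep = new EProcess(_profile, _dataProvider, linkAddress - apl);
        if (ep.ImageFileName == "csrss.exe")
        {
            AddProcessObjectsFromHandleTable(ep.ObjectTable, results);
        }
    }
    return TrySave(results);
}

/// <summary>
/// Walks one process handle table and adds the body address of every "Process" object found.
/// </summary>
/// <param name="handleTableAddress">Address of the process's handle table (EPROCESS.ObjectTable).</param>
/// <param name="results">Receives <c>ObjectPointer + header.Size</c> for each process handle.</param>
/// <remarks>
/// Exceptions from constructing the table or enumerating its entries propagate to the caller;
/// only per-entry failures (unreadable object header, unresolvable type) are skipped.
/// </remarks>
private void AddProcessObjectsFromHandleTable(ulong handleTableAddress, HashSet<ulong> results)
{
    HandleTable ht = new HandleTable(_profile, _dataProvider, handleTableAddress);
    List<HandleTableEntry> records = EnumerateHandles(ht.TableStartAddress, ht.Level);
    foreach (HandleTableEntry e in records)
    {
        try
        {
            ObjectHeader header = new ObjectHeader(_profile, _dataProvider, e.ObjectPointer);
            string objectName = GetObjectName(e.TypeInfo);
            if (objectName == "Process")
            {
                // The object body follows its header; for a Process object that body is the _EPROCESS.
                results.Add(e.ObjectPointer + (ulong)header.Size);
            }
        }
        catch (Exception)
        {
            // One unparseable handle entry must not abort the rest of the table.
            continue;
        }
    }
}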