/// <summary> /// Starts the scan using the current constraints. /// </summary> private void StartScan() { // Create a constraint manager that includes the current active constraint ConstraintNode scanConstraints = this.ActiveConstraint.Clone(); if (!scanConstraints.IsValid()) { Logger.Log(LogLevel.Warn, "Unable to start scan with given constraints"); return; } DataType dataType = ScanResultsViewModel.GetInstance().ActiveType; // Collect values TrackableTask <Snapshot> valueCollectorTask = ValueCollector.CollectValues( SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromActiveSnapshotOrPrefilter, dataType)); TaskTrackerViewModel.GetInstance().TrackTask(valueCollectorTask); // Perform manual scan on value collection complete valueCollectorTask.OnCompletedEvent += ((completedValueCollection) => { Snapshot snapshot = valueCollectorTask.Result; TrackableTask <Snapshot> scanTask = ManualScanner.Scan( snapshot, scanConstraints); TaskTrackerViewModel.GetInstance().TrackTask(scanTask); SnapshotManager.SaveSnapshot(scanTask.Result); }); }
private void StartScan(int index, Int64 searchAddress, bool validatingProcess = false) { if (index > 0) { SnapshotManager.ClearSnapshots(); } ConstraintNode scanConstraints = new ScanConstraint(ScanConstraint.ConstraintType.Equal, searchAddress, dataType); TrackableTask <Snapshot> valueCollectorTask = ValueCollector.CollectValues( SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromActiveSnapshotOrPrefilter, dataType), TrackableTask.UniversalIdentifier); valueCollectorTask.OnCompletedEvent += ((completedValueCollectionTask) => { Snapshot snapshot = valueCollectorTask.Result; TrackableTask <Snapshot> scanTask = ManualScanner.Scan( snapshot, scanConstraints, TrackableTask.UniversalIdentifier); SnapshotManager.SaveSnapshot(scanTask.Result); snapshot = scanTask.Result; scannedAddresses.Add(new List <Int64>()); if (snapshot != null) { for (UInt64 i = 0; i < snapshot.ElementCount; ++i) { SnapshotElementIndexer element = snapshot[i]; Object currentValue = element.HasCurrentValue() ? element.LoadCurrentValue() : null; Object previousValue = element.HasPreviousValue() ? element.LoadPreviousValue() : null; String moduleName = String.Empty; UInt64 address = Query.Default.AddressToModule(element.BaseAddress, out moduleName); PointerItem pointerItem = new PointerItem(baseAddress: address, dataType: dataType, moduleName: moduleName, value: currentValue); pointerItem.ForceResolveAddress(); scannedAddresses[index].Add(Int64.Parse(pointerItem.AddressSpecifier, NumberStyles.HexNumber, CultureInfo.CurrentCulture)); } } int nextIteration = index + 1; if (nextIteration < addressesToFind.Count) { StartScan(nextIteration, addressesToFind[nextIteration], validatingProcess); } else { SearchLogic(validatingProcess); } }); }
/// <summary> /// Starts the scan using the current constraints. /// </summary> private void StartScan() { // Create a constraint manager that includes the current active constraint DataTypeBase dataType = ScanResultsViewModel.GetInstance().ActiveType; ScanConstraints scanConstraints = new ScanConstraints(dataType, this.ActiveConstraint?.Clone()); if (!scanConstraints.IsValid()) { Logger.Log(LogLevel.Warn, "Unable to start scan with given constraints"); return; } try { // Collect values TrackableTask <Snapshot> valueCollectorTask = ValueCollector.CollectValues( SessionManager.Session.OpenedProcess, SessionManager.Session.SnapshotManager.GetActiveSnapshotCreateIfNone(SessionManager.Session.OpenedProcess), TrackableTask.UniversalIdentifier ); TaskTrackerViewModel.GetInstance().TrackTask(valueCollectorTask); // Perform manual scan on value collection complete valueCollectorTask.OnCompletedEvent += ((completedValueCollectionTask) => { Snapshot snapshot = valueCollectorTask.Result; TrackableTask <Snapshot> scanTask = ManualScanner.Scan( snapshot, scanConstraints, TrackableTask.UniversalIdentifier); TaskTrackerViewModel.GetInstance().TrackTask(scanTask); SessionManager.Session.SnapshotManager.SaveSnapshot(scanTask.Result); }); } catch (TaskConflictException) { } }
public Int32 Handle() { // If set to 0.0, assume unset and set to 1.0. Otherwise, clamp in bounds. Intensity = Intensity <= 0.0 ? 1.0 : Math.Clamp(Intensity, 0.0, 1.0); // Collect values TrackableTask <Snapshot> valueCollectorTask = ValueCollector.CollectValues( SessionManager.Session.SnapshotManager.GetActiveSnapshotCreateIfNone(SessionManager.Session.OpenedProcess, DataTypeBase.Int32), TrackableTask.UniversalIdentifier); // Recollect values TrackableTask <Snapshot> valueRecollectorTask = ValueCollector.CollectValues( valueCollectorTask.Result, TrackableTask.UniversalIdentifier); // Scan for any changed values TrackableTask <Snapshot> scanTask = ManualScanner.Scan( valueRecollectorTask.Result, new ScanConstraint(ScanConstraint.ConstraintType.Changed, DataTypeBase.Int32), TrackableTask.UniversalIdentifier); Random random = new Random(); // Start overwriting any memory that changed with 0s foreach (SnapshotRegion region in scanTask.Result.SnapshotRegions) { for (Int32 index = 0; index < region.ElementCount; index++) { if (random.NextDouble() <= Intensity) { MemoryWriter.Instance.Write <Int32>(SessionManager.Session.OpenedProcess, region[index].BaseAddress, 0); } } } return(0); }
/// <summary> /// Performs a pointer scan for a given address. /// </summary> /// <param name="address">The address for which to perform a pointer scan.</param> /// <param name="maxOffset">The maximum pointer offset.</param> /// <param name="depth">The maximum pointer search depth.</param> /// <param name="alignment">The pointer scan alignment.</param> /// <param name="taskIdentifier">The unique identifier to prevent duplicate tasks.</param> /// <returns>Atrackable task that returns the scan results.</returns> public static TrackableTask <PointerBag> Scan(Process process, PointerBag previousPointerBag, Boolean readMemory, Boolean performUnchangedScan, String taskIdentifier = null) { try { TrackableTask <PointerBag> pointerScanTask = TrackableTask <PointerBag> .Create(PointerRebase.Name, taskIdentifier, out UpdateProgress updateProgress, out CancellationToken cancellationToken); return(pointerScanTask.With(Task <PointerBag> .Run(() => { try { cancellationToken.ThrowIfCancellationRequested(); Stopwatch stopwatch = new Stopwatch(); stopwatch.Start(); DataTypeBase pointerDataType = previousPointerBag.PointerSize.ToDataType(); ScanConstraint scanConstraint = new ScanConstraint(ScanConstraint.ConstraintType.Unchanged); ScanConstraints scanConstraints = new ScanConstraints(pointerDataType, scanConstraint); IList <Level> oldLevels = previousPointerBag.Levels; IList <Level> newLevels = new List <Level>(); for (Int32 levelIndex = 0; levelIndex < oldLevels.Count; levelIndex++) { Snapshot updatedStaticPointers = oldLevels[levelIndex].StaticPointers; Snapshot updatedHeapPointers = oldLevels[levelIndex].HeapPointers; // Step 1) Re-read values of all pointers if (readMemory) { TrackableTask <Snapshot> staticValueCollector = ValueCollector.CollectValues(process, updatedStaticPointers); // Does not apply to target address if (levelIndex > 0) { TrackableTask <Snapshot> heapValueCollector = ValueCollector.CollectValues(process, updatedHeapPointers); updatedHeapPointers = heapValueCollector.Result; } updatedStaticPointers = staticValueCollector.Result; } // Step 2) A neat (optional) trick: Scan for unchanged values to filter out dynamic pointers if (performUnchangedScan) { TrackableTask <Snapshot> staticValueScanner = ManualScanner.Scan(updatedStaticPointers, scanConstraints); // Does not apply to target address if (levelIndex > 0) { TrackableTask <Snapshot> heapValueScanner = ManualScanner.Scan(updatedHeapPointers, scanConstraints); updatedHeapPointers = heapValueScanner.Result; } updatedStaticPointers = staticValueScanner.Result; } Stopwatch levelStopwatch = new Stopwatch(); levelStopwatch.Start(); // Step 3) Rebase heap onto new previous heap if (levelIndex > 0) { IVectorSearchKernel heapSearchKernel = SearchKernelFactory.GetSearchKernel(newLevels.Last().HeapPointers, previousPointerBag.MaxOffset, previousPointerBag.PointerSize); TrackableTask <Snapshot> heapFilterTask = PointerFilter.Filter(pointerScanTask, updatedHeapPointers, heapSearchKernel, previousPointerBag.PointerSize, newLevels.Last().HeapPointers, previousPointerBag.MaxOffset); updatedHeapPointers = heapFilterTask.Result; } // Step 4) Filter static pointers that still point into the updated heap IVectorSearchKernel staticSearchKernel = SearchKernelFactory.GetSearchKernel(updatedHeapPointers, previousPointerBag.MaxOffset, previousPointerBag.PointerSize); TrackableTask <Snapshot> staticFilterTask = PointerFilter.Filter(pointerScanTask, updatedStaticPointers, staticSearchKernel, previousPointerBag.PointerSize, updatedHeapPointers, previousPointerBag.MaxOffset); updatedStaticPointers = staticFilterTask.Result; levelStopwatch.Stop(); Logger.Log(LogLevel.Info, "Pointer rebase from level " + (levelIndex) + " => " + (levelIndex + 1) + " completed in: " + levelStopwatch.Elapsed); newLevels.Add(new Level(updatedHeapPointers, updatedStaticPointers)); } // Exit if canceled cancellationToken.ThrowIfCancellationRequested(); PointerBag pointerBag = new PointerBag(newLevels, previousPointerBag.MaxOffset, previousPointerBag.PointerSize); stopwatch.Stop(); Logger.Log(LogLevel.Info, "Pointer rebase complete in: " + stopwatch.Elapsed); return pointerBag; } catch (OperationCanceledException ex) { Logger.Log(LogLevel.Warn, "Pointer rebase canceled", ex); } catch (Exception ex) { Logger.Log(LogLevel.Error, "Error performing pointer rebase", ex); } return null; }, cancellationToken))); } catch (TaskConflictException ex) { Logger.Log(LogLevel.Warn, "A pointer scan is already scheduled."); throw ex; } }
public Int32 Handle() { DataTypeBase dataType = ScanSettings.DataType; ScanConstraint.ConstraintType constraintType = ScanConstraint.ConstraintType.Equal; if (String.IsNullOrWhiteSpace(this.Constraint)) { // Default to equals this.Constraint = "e"; } switch (this.Constraint.ToLower()) { case "le": break; case "l": break; case "g": break; case "ge": break; case "e": break; case "c": break; case "u": break; case "i": break; case "d": break; default: Console.WriteLine("Unknown constraint type '" + this.Constraint + "', defaulting to equal"); break; } if (!SyntaxChecker.CanParseValue(dataType, this.Value)) { Console.WriteLine("Failed to parse '" + this.Value + "' as data type " + dataType?.ToString()); return(-1); } ScanConstraint scanConstraints = new ScanConstraint(constraintType, dataType, Conversions.ParsePrimitiveStringAsPrimitive(dataType, this.Value)); // Collect values TrackableTask <Snapshot> valueCollectorTask = ValueCollector.CollectValues( SessionManager.Session.SnapshotManager.GetActiveSnapshotCreateIfNone(SessionManager.Session.OpenedProcess, dataType), TrackableTask.UniversalIdentifier); // Perform manual scan Snapshot snapshot = valueCollectorTask.Result; TrackableTask <Snapshot> scanTask = ManualScanner.Scan( snapshot, scanConstraints, TrackableTask.UniversalIdentifier); SessionManager.Session.SnapshotManager.SaveSnapshot(scanTask.Result); Console.WriteLine(); return(0); }