/// <summary> /// Collects .Net objects in the external process. /// </summary> protected override void OnUpdate() { this.UpdateInterval = DotNetObjectCollector.PollingTime; ProxyCommunicator proxyCommunicator = ProxyCommunicator.GetInstance(); NormalizedProcess process = EngineCore.GetInstance()?.Processes?.GetOpenedProcess(); IProxyService proxyService = proxyCommunicator.GetProxyService(EngineCore.GetInstance().Processes.IsOpenedProcess32Bit()); if (proxyService == null) { return; } try { if (process == null || !proxyService.RefreshHeap(process.ProcessId)) { return; } List <DotNetObject> objectTrees = new List <DotNetObject>(); HashSet <UInt64> visited = new HashSet <UInt64>(); foreach (UInt64 rootRef in proxyService.GetRoots()) { String rootName = proxyService.GetRootName(rootRef); Type rootType = Conversions.TypeCodeToType((TypeCode)proxyService.GetRootType(rootRef)); if (rootRef == 0 || rootName == null) { continue; } foreach (String excludedPrefix in excludedPrefixes) { if (rootName.StartsWith(excludedPrefix, StringComparison.OrdinalIgnoreCase)) { rootName = rootName.Substring(excludedPrefix.Length, rootName.Length - excludedPrefix.Length).Trim(); } } if (excludedNameSpaces.Any(x => rootName.StartsWith(x, StringComparison.OrdinalIgnoreCase))) { continue; } if (rootType != null) { if (excludedNameSpaces.Any(x => rootType.Name.StartsWith(x, StringComparison.OrdinalIgnoreCase))) { continue; } } if (visited.Contains(rootRef)) { continue; } try { DotNetObject rootObject = new DotNetObject(null, rootRef, rootType, rootName); visited.Add(rootRef); objectTrees.Add(rootObject); this.RecursiveBuild(proxyService, visited, rootObject, rootRef); } catch { } } this.ObjectTrees = objectTrees; } catch { } base.OnUpdate(); }
/// <summary> /// Assemble the specified assembly code at a base address. /// </summary> /// <param name="isProcess32Bit">Whether or not the assembly is in the context of a 32 bit program.</param> /// <param name="assembly">The assembly code.</param> /// <param name="baseAddress">The address where the code is rebased.</param> /// <param name="message">The logs generated by the assembler.</param> /// <returns>An array of bytes containing the assembly code.</returns> public Byte[] Assemble(Boolean isProcess32Bit, String assembly, IntPtr baseAddress, out String message, out String innerMessage) { // Call proxy service, which simply passes the asm code to Fasm.net to assemble the instructions // Note: for assembling instructions, we must always use the 32-bit proxy service to assemble both x86/x64 instructions return(ProxyCommunicator.GetInstance().GetProxyService(true).Assemble(isProcess32Bit, assembly, baseAddress.ToUInt64(), out message, out innerMessage)); }