示例#1
0
        private void DataGrid_RIP_CopySignature(object sender, RoutedEventArgs e)
        {
            RIPEntry entry = this.DataGrid_RIP.SelectedItem as RIPEntry;

            if (entry != null)
            {
                try
                {
                    Clipboard.SetDataObject(entry.Signature);
                }
                catch
                { }
            }
        }
示例#2
0
        private void DataGrid_RIP_CopyTargetAddressString(object sender, RoutedEventArgs e)
        {
            RIPEntry entry = this.DataGrid_RIP.SelectedItem as RIPEntry;

            if (entry != null)
            {
                try
                {
                    Clipboard.SetDataObject(entry.TargetAddressString);
                }
                catch
                { }
            }
        }
示例#3
0
        private async void Button_ExportResults_Click(object sender, RoutedEventArgs e)
        {
            if (this.DataGrid_RIP == null)
            {
                return;
            }
            if (this.DataGrid_RIP.Items == null)
            {
                return;
            }

            var dialog = new SaveFileDialog();

            dialog.Filter = "txt file (*.txt)|*.txt|all files (*.*)|*.*";
            if (dialog.ShowDialog() == true)
            {
                SetUIEnabled(false);

                var task = Task.Run(() =>
                {
                    var file = dialog.FileName;
                    System.IO.StreamWriter sr = new System.IO.StreamWriter(file, false, System.Text.Encoding.ASCII);

                    foreach (var item in this.DataGrid_RIP.Items)
                    {
                        RIPEntry entry = item as RIPEntry;
                        string csv     = "";
                        csv           += String.Format("{0, -30}", entry.AddressRelativeString) + " ";
                        csv           += String.Format("{0, -16}", entry.AddressString) + " ";
                        csv           += String.Format("{0, -30}", entry.TargetAddressRelativeString) + " ";
                        csv           += String.Format("{0, -16}", entry.TargetAddressString) + " ";
                        csv           += String.Format("{0, -64}", entry.Signature) + Environment.NewLine;
                        sr.Write(csv);
                    }

                    sr.Close();
                });

                await task;
                MessageBox.Show("Complete.");
                SetUIEnabled(true);
            }
        }
示例#4
0
        private async void Button_ExportResults_Click(object sender, RoutedEventArgs e)
        {
            if (this.DataGrid_RIP == null)
            {
                return;
            }
            if (this.DataGrid_RIP.Items == null)
            {
                return;
            }

            var window = (Window)this.VisualRoot;
            var dialog = new SaveFileDialog
            {
                Filters = new List <FileDialogFilter> {
                    new FileDialogFilter {
                        Name = "binary file (*.bin)", Extensions = new List <string> {
                            "bin"
                        }
                    },
                    new FileDialogFilter {
                        Name = "all files (*.*)", Extensions = new List <string> {
                            "*"
                        }
                    },
                }
            };

            var file = await dialog.ShowAsync(window);

            if (string.IsNullOrEmpty(file))
            {
                return;
            }

            SetUIEnabled(false);

            var task = Task.Run(() =>
            {
                System.IO.StreamWriter sr = new System.IO.StreamWriter(file, false, System.Text.Encoding.ASCII);

                foreach (var item in this.DataGrid_RIP.Items)
                {
                    RIPEntry entry = item as RIPEntry;
                    string csv     = "";
                    csv           += String.Format("{0, -30}", entry.AddressRelativeString) + " ";
                    csv           += String.Format("{0, -16}", entry.AddressString) + " ";
                    csv           += String.Format("{0, -30}", entry.TargetAddressRelativeString) + " ";
                    csv           += String.Format("{0, -16}", entry.TargetAddressString) + " ";
                    csv           += String.Format("{0, -64}", entry.Signature) + Environment.NewLine;
                    sr.Write(csv);
                }

                sr.Close();
            });

            await task;

            MessageBox.Show("Complete.");
            SetUIEnabled(true);
        }
示例#5
0
        private async void Button_StartScan_Click(object sender, RoutedEventArgs e)
        {
            DataGrid_RIP.DataContext = null;
            entries = new List <RIPEntry>();
            TextBox_Log.Clear();
            GC.Collect();

            if (string.IsNullOrWhiteSpace(TextBox_FilterString.Text))
            {
                var result = await MessageBox.Show("Requires huge memories to run without filter.\n If results are more than 1M, snip them.\n Procced?", "Caution", MessageBoxButton.OKCancel);

                if (result != MessageBoxResult.OK)
                {
                    return;
                }
            }


            if (this.RadioButton_Group1_Process.IsChecked == true)
            {
                if (TargetProcess == null)
                {
                    return;
                }

                //List<RIPEntry> entries = new List<RIPEntry>();
                Stopwatch stopwatch = new Stopwatch();
                SetUIEnabled(false);

                List <string> filters = ParseFilter();
                foreach (var f in filters)
                {
                    TextBox_Log.AppendText($"filter: {f}" + Environment.NewLine);
                }

                bool searchFromAllModules = CheckBox_AllModules.IsChecked ?? false;
                bool onlyLEA = CheckBox_OnlyLEA.IsChecked ?? false;

                List <ProcessModule> ProcessModules = new List <ProcessModule>();

                if (searchFromAllModules)
                {
                    foreach (ProcessModule m in TargetProcess.Modules)
                    {
                        ProcessModules.Add(m);
                    }
                }
                else
                {
                    if (ComboBox_SpecificModule.SelectedItem != null)
                    {
                        ProcessModules.Add((ProcessModule)ComboBox_SpecificModule.SelectedItem);
                    }
                    else
                    {
                        ProcessModules.Add(TargetProcess.MainModule);
                    }
                }


                var task = Task.Run(() =>
                {
                    foreach (var m in ProcessModules)
                    {
                        int moduleMemorySize = m.ModuleMemorySize;
                        IntPtr startAddres   = m.BaseAddress;
                        IntPtr endAddres     = new IntPtr(m.BaseAddress.ToInt64() + moduleMemorySize);

                        this.Dispatcher.Invoke((Action)(() =>
                        {
                            TextBox_Log.AppendText($"----------------------------------------------------" + Environment.NewLine);

                            TextBox_Log.AppendText($"Module Name: {m.ModuleName}" + Environment.NewLine);
                            TextBox_Log.AppendText($"File Name: {m.FileName}" + Environment.NewLine);
                            TextBox_Log.AppendText($"Module Size: {moduleMemorySize.ToString("#,0")} Byte" + Environment.NewLine);
                            TextBox_Log.AppendText($"Start Address: {startAddres.ToInt64().ToString("X2")} ({startAddres.ToInt64()})" + Environment.NewLine);
                            TextBox_Log.AppendText($"End Address  : {endAddres.ToInt64().ToString("X2")} ({endAddres.ToInt64()})" + Environment.NewLine);
                            TextBox_Log.AppendText($"Scan started. Please wait..." + "  ");
                        }));

                        stopwatch.Start();

                        IntPtr currentAddress = startAddres;
                        int bufferSize        = 1 * 1024 * 1024;
                        byte[] buffer         = new byte[bufferSize];

                        while (currentAddress.ToInt64() < endAddres.ToInt64())
                        {
                            // size
                            IntPtr nSize = new IntPtr(bufferSize);

                            // if remaining memory size is less than splitSize, change nSize to remaining size
                            if (IntPtr.Add(currentAddress, bufferSize).ToInt64() > endAddres.ToInt64())
                            {
                                nSize = (IntPtr)(endAddres.ToInt64() - currentAddress.ToInt64());
                            }

                            IntPtr numberOfBytesRead = IntPtr.Zero;
                            if (Helper.ReadProcessMemory(TargetProcessHandle, currentAddress, buffer, nSize, ref numberOfBytesRead))
                            {
                                for (int i = 0; i < numberOfBytesRead.ToInt64() - 4; i++)
                                {
                                    var entry               = new RIPEntry();
                                    entry.Address           = new IntPtr(currentAddress.ToInt64() + i);
                                    entry.AddressValueInt64 = BitConverter.ToInt32(buffer, i);
                                    entry.TargetAddress     = new IntPtr(entry.Address.ToInt64() + entry.AddressValueInt64 + 4);


                                    if (entry.TargetAddress.ToInt64() < startAddres.ToInt64() || entry.TargetAddress.ToInt64() > endAddres.ToInt64())
                                    {
                                        continue;
                                    }

                                    var offsetString1 = (entry.Address.ToInt64() - startAddres.ToInt64()).ToString("X");
                                    if (offsetString1.Length % 2 == 1)
                                    {
                                        offsetString1 = "0" + offsetString1;
                                    }
                                    entry.AddressRelativeString = '"' + m.ModuleName + '"' + "+" + offsetString1;

                                    var offsetString2 = (entry.TargetAddress.ToInt64() - startAddres.ToInt64()).ToString("X");
                                    if (offsetString2.Length % 2 == 1)
                                    {
                                        offsetString2 = "0" + offsetString2;
                                    }
                                    entry.TargetAddressRelativeString = '"' + m.ModuleName + '"' + "+" + offsetString2;

                                    if (filters.Any() &&
                                        !filters.Any(x => x == entry.TargetAddressString) &&
                                        !filters.Any(x => x == entry.TargetAddressRelativeString))
                                    {
                                        continue;
                                    }

                                    // Signature
                                    int bufferSize2           = 64;
                                    byte[] buffer2            = new byte[bufferSize2];
                                    IntPtr nSize2             = new IntPtr(bufferSize2);
                                    IntPtr numberOfBytesRead2 = IntPtr.Zero;
                                    if (Helper.ReadProcessMemory(TargetProcessHandle, new IntPtr(entry.Address.ToInt64() - bufferSize2), buffer2, nSize2, ref numberOfBytesRead2))
                                    {
                                        if (numberOfBytesRead2.ToInt64() == bufferSize2)
                                        {
                                            if (onlyLEA && (buffer2.Length < 2 || buffer2[buffer2.Length - 2] != 0x8D))
                                            {
                                                continue;
                                            }
                                            entry.Signature = BitConverter.ToString(buffer2).Replace("-", "");
                                        }
                                    }

                                    if (entries.Count < MaxEntries)
                                    {
                                        entries.Add(entry);
                                    }
                                }
                            }
                            if ((currentAddress.ToInt64() + numberOfBytesRead.ToInt64()) == endAddres.ToInt64())
                            {
                                currentAddress = new IntPtr(currentAddress.ToInt64() + numberOfBytesRead.ToInt64());
                            }
                            else
                            {
                                currentAddress = new IntPtr(currentAddress.ToInt64() + numberOfBytesRead.ToInt64() - 4);
                            }
                        }

                        stopwatch.Stop();

                        this.Dispatcher.Invoke((Action)(() =>
                        {
                            TextBox_Log.AppendText($"Complete." + Environment.NewLine);
                            TextBox_Log.AppendText($"Result Count: {entries.Count.ToString("#,0")}" + Environment.NewLine);
                            TextBox_Log.AppendText($"Scan Time: {stopwatch.ElapsedMilliseconds}ms" + Environment.NewLine);
                        }));
                    }
                });

                await task;
                DataGrid_RIP.Items = entries;
                SetUIEnabled(true);
            }
            else if (this.RadioButton_Group1_File.IsChecked == true)
            {
                if (string.IsNullOrWhiteSpace(BinFileName))
                {
                    return;
                }
                Stopwatch stopwatch = new Stopwatch();

                SetUIEnabled(false);

                List <string> filters = ParseFilter();
                foreach (var f in filters)
                {
                    TextBox_Log.AppendText($"filter: {f}" + Environment.NewLine);
                }


                var task = Task.Run(() =>
                {
                    System.IO.FileStream fs  = new System.IO.FileStream(BinFileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
                    System.IO.FileStream fs2 = new System.IO.FileStream(BinFileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);

                    long startPosition   = 0;
                    long endPosition     = fs.Length;
                    long currentPosition = 0;

                    int bufferSize = 8 * 1024 * 1024;
                    byte[] buffer  = new byte[bufferSize];

                    this.Dispatcher.Invoke((Action)(() =>
                    {
                        TextBox_Log.AppendText($"----------------------------------------------------" + Environment.NewLine);
                        TextBox_Log.AppendText($"File Name: {BinFileName}" + Environment.NewLine);
                        TextBox_Log.AppendText($"Module Size: {endPosition.ToString("#,0")} Byte" + Environment.NewLine);
                        TextBox_Log.AppendText($"Scan started. Please wait..." + "  ");
                    }));

                    stopwatch.Start();

                    while (currentPosition < endPosition)
                    {
                        int readSize = fs.Read(buffer, 0, bufferSize);

                        for (int i = 0; i < readSize - 4; i++)
                        {
                            var entry               = new RIPEntry();
                            entry.Address           = new IntPtr(currentPosition + i);
                            entry.AddressValueInt64 = BitConverter.ToInt32(buffer, i);
                            entry.TargetAddress     = new IntPtr(entry.Address.ToInt64() + entry.AddressValueInt64 + 4);

                            if (entry.TargetAddress.ToInt64() < startPosition || entry.TargetAddress.ToInt64() > endPosition)
                            {
                                continue;
                            }

                            var offsetString1 = (entry.Address.ToInt64() - startPosition).ToString("X");
                            if (offsetString1.Length % 2 == 1)
                            {
                                offsetString1 = "0" + offsetString1;
                            }
                            entry.AddressRelativeString = '"' + System.IO.Path.GetFileName(BinFileName) + '"' + "+" + offsetString1;

                            var offsetString2 = (entry.TargetAddress.ToInt64() - startPosition).ToString("X");
                            if (offsetString2.Length % 2 == 1)
                            {
                                offsetString2 = "0" + offsetString2;
                            }
                            entry.TargetAddressRelativeString = '"' + System.IO.Path.GetFileName(BinFileName) + '"' + "+" + offsetString2;

                            if (filters.Any() &&
                                !filters.Any(x => x == entry.TargetAddressString) &&
                                !filters.Any(x => x == entry.TargetAddressRelativeString))
                            {
                                continue;
                            }

                            // Signature

                            int bufferSize2 = 64;
                            byte[] buffer2  = new byte[bufferSize2];
                            int offset2     = entry.Address.ToInt32() - bufferSize2;
                            if (offset2 >= 0 && offset2 + bufferSize2 <= endPosition)
                            {
                                fs2.Seek(offset2, System.IO.SeekOrigin.Begin);
                                var readBytes = fs2.Read(buffer2, 0, bufferSize2);
                                if (readBytes == bufferSize2)
                                {
                                    entry.Signature = BitConverter.ToString(buffer2).Replace("-", "");
                                }
                            }

                            if (entries.Count < MaxEntries)
                            {
                                entries.Add(entry);
                            }
                        }

                        if (readSize < bufferSize)
                        {
                            currentPosition += readSize;
                        }
                        else
                        {
                            currentPosition += (readSize - 4);
                            fs.Seek(-4, System.IO.SeekOrigin.Current);
                        }
                    }

                    fs.Close();
                    fs2.Close();

                    stopwatch.Stop();

                    this.Dispatcher.Invoke((Action)(() =>
                    {
                        TextBox_Log.AppendText($"Complete." + Environment.NewLine);
                        TextBox_Log.AppendText($"Result Count: {entries.Count.ToString("#,0")}" + Environment.NewLine);
                        TextBox_Log.AppendText($"Scan Time: {stopwatch.ElapsedMilliseconds}ms" + Environment.NewLine);
                    }));
                });

                await task;
                DataGrid_RIP.DataContext = entries;

                SetUIEnabled(true);
            }

            GC.Collect();
        }