C# Class inVtero.net.Scanner

Open project: ShaneK2/inVtero.net

Public Properties

Property Type Description
DumpVMCSPage bool
FileSize long
Filename string

Public Methods

Method Description
Analyze ( int ExitAfter ) : int

A simple memory mapped scan over the input provided in the constructor

BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable

Scan for a class-configured variable, "HexScanDword". This is a specialized scan intended to avoid over-scanning: it turns out the physical memory run data maintained by the OS typically sits very deep in physical memory, so at start-up we may use this depending on the input file.

FreeBSD ( long offset ) : bool

The FreeBSD check for process detection is good. Consider it release quality ;)

Generic ( long offset ) : bool

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust the offset around RUN gaps.

HV ( long offset ) : bool

In some deployments Hyper-V was found to use a configuration as such

HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
LinuxS ( long offset ) : bool

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.

NetBSD ( long offset ) : bool

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.

OpenBSD ( long offset ) : bool

Slightly better check than NetBSD, so I guess consider it beta!

Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
VMCS ( long xoffset ) : bool

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.

Windows ( long offset ) : bool

This is the same check as the earlier process detection code from CSW and DefCon

Private Methods

Method Description
MapScanFile ( String File, long From, int ScanData, int Count ) : IEnumerable
Scanner ( ) : inVtero.net.Support

Method Details

Analyze() public method

A simple memory mapped scan over the input provided in the constructor
public Analyze ( int ExitAfter ) : int
ExitAfter int Optionally stop checking or exit early after this many candidates. 0 does not exit early.
return int

BackwardsValueScan() public static method

Scan for a class-configured variable, "HexScanDword". This is a specialized scan intended to avoid over-scanning: it turns out the physical memory run data maintained by the OS typically sits very deep in physical memory, so at start-up we may use this depending on the input file.
public static BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable
Filename String
ScanFor int
ExitAfter int
return IEnumerable

FreeBSD() public method

The FreeBSD check for process detection is good. Consider it release quality ;)
public FreeBSD ( long offset ) : bool
offset long
return bool

Generic() public method

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust the offset around RUN gaps.
public Generic ( long offset ) : bool
offset long
return bool

HV() public method

In some deployments Hyper-V was found to use a configuration as such
public HV ( long offset ) : bool
offset long
return bool

HexScan() public static method

public static HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
FoundValueOffsets List
offset long
ValueBlock long
ValueReadCount int
return bool

LinuxS() public method

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.
public LinuxS ( long offset ) : bool
offset long
return bool

NetBSD() public method

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.
public NetBSD ( long offset ) : bool
offset long
return bool

OpenBSD() public method

Slightly better check than NetBSD, so I guess consider it beta!
public OpenBSD ( long offset ) : bool
offset long
return bool

Scanner() public method

public Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
InputFile string
vTero Vtero
return inVtero.net.Support

VMCS() public method

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.
public VMCS ( long xoffset ) : bool
xoffset long
return bool
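The three constraints named above (a VMCS link pointer of all ones when no shadow VMCS is linked, a zero VMX-abort indicator in bytes 4-7 of the VMCS region, and a CR3 value already recovered by the OS process-detection scan) can be applied page by page, and the EPTP can then be picked out by its encoding rules. The following is an added Python illustration of that approach, not inVtero.net's own VMCS() code. The VMCS data-area layout is microarchitecture-specific, so the field offsets in the constructed sample page are arbitrary placeholders; `known_cr3`, the sample dump and every function name are assumptions made for the example.

```python
import struct

PAGE_SIZE = 0x1000
VMCS_LINK_NONE = 0xFFFFFFFFFFFFFFFF      # link pointer value when no shadow VMCS is linked
PHYS_MASK = 0x000FFFFFFFFFF000           # bits 51:12 of a physical-address field


def eptp_plausible(value, dump_size):
    """Constraint check on an EPTP-encoded qword (Intel SDM EPTP format):
    bits 2:0 memory type (0 = UC, 6 = WB), bits 5:3 = EPT page-walk length - 1
    (3 for the 4-level walk), bit 6 = accessed/dirty enable, bits 11:7 reserved
    and zero, bits 51:12 = physical frame of the EPT PML4 table."""
    if (value & 0x7) not in (0, 6):
        return False
    if ((value >> 3) & 0x7) != 3:
        return False
    if value & 0xF80:
        return False
    pml4 = value & PHYS_MASK
    return 0 < pml4 < dump_size


def vmcs_candidate(page, known_cr3, dump_size):
    """Apply the link-pointer / abort-indicator / CR3 constraints to one page.

    Returns None unless all three hold; otherwise returns the offsets at which
    each constraint matched (they are microarchitecture-specific, so once one
    hit is confirmed the same offsets can be reused for the rest of the dump)
    together with every qword that satisfies the EPTP encoding constraints."""
    if len(page) != PAGE_SIZE:
        return None
    revision, abort = struct.unpack_from("<II", page, 0)
    # bytes 0-3: VMCS revision id (bit 31 marks a shadow VMCS, skipped here);
    # bytes 4-7: VMX-abort indicator, zero unless a VMX abort has occurred.
    if revision == 0 or revision & 0x80000000 or abort != 0:
        return None
    qwords = [(off, struct.unpack_from("<Q", page, off)[0])
              for off in range(8, PAGE_SIZE, 8)]
    link = [off for off, q in qwords if q == VMCS_LINK_NONE]
    cr3 = [off for off, q in qwords if q == known_cr3]
    if not link or not cr3:
        return None
    eptp = [(off, q) for off, q in qwords if eptp_plausible(q, dump_size)]
    return {"revision": revision, "link": link, "cr3": cr3, "eptp": eptp}


def scan_vmcs(dump, known_cr3):
    """Page-by-page VMCS search over a dump; returns (physical offset, match) pairs."""
    hits = []
    for off in range(0, len(dump) - PAGE_SIZE + 1, PAGE_SIZE):
        match = vmcs_candidate(dump[off:off + PAGE_SIZE], known_cr3, len(dump))
        if match:
            hits.append((off, match))
    return hits


def build_sample_dump():
    """Constructed sample, not a real dump. Field offsets are placeholders for
    the implementation-specific VMCS layout. Returns (dump, known_cr3)."""
    dump = bytearray(16 * PAGE_SIZE)
    known_cr3 = 0x1AA000                  # stands in for the CR3 the OS scan recovered
    vmcs = 0x2000
    struct.pack_into("<II", dump, vmcs, 0x11, 0)                # revision id, abort = 0
    struct.pack_into("<Q", dump, vmcs + 0x0A8, VMCS_LINK_NONE)  # link pointer
    struct.pack_into("<Q", dump, vmcs + 0x1F8, known_cr3)       # guest CR3
    struct.pack_into("<Q", dump, vmcs + 0x480, 0xD000 | 0x5E)   # EPTP: WB, 4-level, A/D
    struct.pack_into("<Q", dump, vmcs + 0x488, 0xE000 | 0x1A)   # decoy: memory type 2
    # decoy page: revision, abort and link pointer look right but the CR3 is absent
    struct.pack_into("<II", dump, 0x9000, 0x11, 0)
    struct.pack_into("<Q", dump, 0x9000 + 0x0A8, VMCS_LINK_NONE)
    return bytes(dump), known_cr3


if __name__ == "__main__":
    dump, cr3 = build_sample_dump()
    for phys, match in scan_vmcs(dump, cr3):
        print(f"VMCS candidate at {phys:#x}: {match}")
```

Two caveats when applying this to a real dump: guests that use PCIDs carry PCID bits in the low 12 bits of CR3, so comparing `q & PHYS_MASK` against the recovered CR3 is safer than exact equality; and a true hit on one core fixes the offsets for the whole dump, which is what lets the later EPTP isolation stop treating every qword on the page as a candidate.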

Windows() public method

This is the same check as the earlier process detection code from CSW and DefCon
public Windows ( long offset ) : bool
offset long
return bool
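Both the Generic check and the Windows check above rest on the same anchor: an x64 top-level page table (PML4) that contains an entry mapping its own physical page, the "self pointer". The following is an added Python example of such a scan over one non-sparse memory run; it is not inVtero.net's own Generic() or Windows() code. The sample run is constructed for the example, the `min_present` noise filter and all function names are assumptions, and the self-reference slot 0x1ED used in the sample is the fixed index older Windows x64 builds used (a generic scan does not depend on it and checks all 512 entries).

```python
import struct

PAGE_SIZE = 0x1000
ENTRIES_PER_TABLE = PAGE_SIZE // 8        # 512 eight-byte entries in an x64 PML4
PTE_PRESENT = 1 << 0
PTE_PFN_MASK = 0x000FFFFFFFFFF000         # bits 51:12 carry the physical frame address


def present_entries(page):
    """Return the list of present 64-bit entries in a 4 KiB page."""
    return [e for (e,) in struct.iter_unpack("<Q", page) if e & PTE_PRESENT]


def self_pointer_index(page, phys_addr):
    """Index of the entry whose frame equals the page's own physical address, or -1.

    That self-reference is what the Generic/Windows-style checks key on: a
    top-level page table that is mapped into the address space it describes."""
    if len(page) != PAGE_SIZE or phys_addr & (PAGE_SIZE - 1):
        return -1
    for idx, (entry,) in enumerate(struct.iter_unpack("<Q", page)):
        if entry & PTE_PRESENT and (entry & PTE_PFN_MASK) == phys_addr:
            return idx
    return -1


def scan_run(run_bytes, run_base=0, min_present=2):
    """Scan one contiguous (non-sparse) memory run page by page.

    run_base is the physical address of the run's first byte; the caller hands
    each run in separately, which is how RUN gaps are accounted for. A page
    whose physical address is computed against the wrong base will never match
    its own self-pointer, so getting run_base right is essential.
    min_present drops pages whose only present entry is the self-pointer,
    which trims the noise a generic check otherwise produces."""
    hits = []
    for off in range(0, len(run_bytes) - PAGE_SIZE + 1, PAGE_SIZE):
        page = run_bytes[off:off + PAGE_SIZE]
        phys = run_base + off
        idx = self_pointer_index(page, phys)
        if idx >= 0 and len(present_entries(page)) >= min_present:
            hits.append((phys, idx))
    return hits


def build_sample_run():
    """Constructed sample, not a real dump: eight zeroed pages with one PML4-like
    page at physical 0x3000 (self-reference at index 0x1ED) and one decoy page
    at 0x6000 whose self-reference is not marked present."""
    run = bytearray(8 * PAGE_SIZE)
    pml4 = 0x3000
    flags = 0x63                                                  # P | RW | A | D
    struct.pack_into("<Q", run, pml4 + 0x1ED * 8, pml4 | flags)   # self-pointer
    struct.pack_into("<Q", run, pml4 + 0 * 8, 0x5000 | flags)     # a PDPT elsewhere
    struct.pack_into("<Q", run, 0x6000 + 10 * 8, 0x6000 | 0x62)   # decoy, P bit clear
    return bytes(run)


if __name__ == "__main__":
    for phys, idx in scan_run(build_sample_run()):
        print(f"PML4 candidate at {phys:#x}, self-pointer index {idx:#x}")
```

Feeding the same run with a wrong `run_base` returns nothing, which is the practical reason the page's Generic comment insists the caller adjust offsets around RUN gaps: a self-pointer only matches when the scanner's idea of the page's physical address agrees with the one the OS wrote into the entry.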

Property Details

DumpVMCSPage public property

public bool DumpVMCSPage
return bool

FileSize public property

public long FileSize
return long

Filename public property

public string Filename
return string