C# Class inVtero.net.Vtero

Moving things around to support save state If it turns out that we are to parse the input aggressivly, it may make sence to not have to waste time doing the same analysis over again Rooting everything off of a main class helps the structure a bit
Mostrar archivo Open project: ShaneK2/inVtero.net Class Usage Examples

Public Properties

Property Type Description
ASGroups ConcurrentBag>.ConcurrentDictionary
AddressSpace ConcurrentBag>.ConcurrentDictionary
FileSize long
GroupThreshold double
KVS VirtualScanner
KernelProc DetectedProc
MemFile string
OverRidePhase bool
Phase int
Processes ConcurrentBag
ProgressCallback System.Action
VMCSs VMCS>.ConcurrentDictionary
hCurrentProcess System.IntPtr

Public Methods

Method Description
AddProcessPageTable ( DetectedProc tdp, Mem memAxs ) : void
CheckpointRestoreState ( string SaveFile ) : Vtero
CheckpointSaveState ( string OverrideName = null, string DirSpec = null ) : string
DecodePointer ( ulong BlockAddress, ulong Always, ulong Never, ulong Value ) : ulong

You only need this if you can't get symbols. see http://uninformed.org/index.cgi?v=3&a=3&t=sumry by skape & Skywing

DumpASToFile ( IDictionary AS_ToDump = null ) : void

Memory Dump routines

DumpFailList ( ) : void
DumpProc ( string Folder, DetectedProc Proc, bool IncludeData = false, bool KernelSpace = true ) : long
ExtractCVDebug ( DetectedProc dp, MemSection sec ) : CODEVIEW_HEADER
ExtrtactAddressSpaces ( IOrderedEnumerable MemSpace = null, ConcurrentBag Procs = null, PTType pTypes = PTType.UNCONFIGURED ) : List>.Dictionary

This routine is fairly expensive, maybe unnecessary as well but it demo's walking the page table + EPT. You can connect an address space dumper really easily TODO: Remake this. Instead of just pre-buffering everything. Ensure the GroupAS detections are appropriate and if not, reassign the VMCS/EPTP page to bare metal or a different HVLayer item.

GetKernelDebuggerData ( DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache ) : bool

Prefer symbol loading.

GetKernelRangeFromGroup ( int GroupID ) : DetectedProc
GetSymAddress ( DetectedProc dp, string SymName ) : long
GetSymValueLong ( DetectedProc dp, string SymName ) : long

TODO: Make better for all types

GroupAS ( PTType pTypes = PTType.UNCONFIGURED ) : void

Group address spaces into related buckets We will assign an address space ID to each detected proc so we know what process belongs with who After AS grouping we will know what EPTP belongs to which AS since one of the DP's will have it's CR3 in the VMCS Yes it's a bit complicated. The overall procedure however is straight forward in that; * For every detected process Bucket into groups which are the "Address spaces" that initially are (a) based on kernel address space similarities and then (b) based on what VMCS value was found pointing to that group This ensures that if we have several hypervisors with a possibly identical kernel grouping (i.e. the PFN's were used by each kernel were identical), they are disambiguated by the VMCS. (Which can be validated later) The benefit here is that brute forcing at this stage is fairly expensive and can lead to significant overhead, there does tend to be some outliers for large systems that need to be looked at more to determine who they belong too. Nevertheless, it's inconsequential if they are grouped with the appropriate AS since even if they are isolated into their own 'AS' this is an artificial construct for our book keeping. The net result is that even if some process is grouped by itself due to some aggressive variation in kernel PFN' use (lots of dual mapped memory/MDL's or something), it's still able to be dumped and analyzed.

HashRange ( VIRTUAL_ADDRESS KEY, PFN VALUE ) : byte[]
ModuleScan ( DetectedProc dp, long StartingVA, long EndingVA = 0xFFFFFFFFF000 ) : Extract>.ConcurrentDictionary

Only scanning for core kernel modules

PrintLastDumped ( List LastList ) : void
ProcDetectScan ( PTType Modes, int DetectOnly ) : int
ReScanNextLevel ( DetectedProc tdp, bool DisplayOutput = false ) : void
TryLoadSymbols ( CODEVIEW_HEADER cv_data, long BaseVA, string SymPath ) : bool
VMCSScan ( ) : int
Vtero ( ) : inVtero.net.Support
Vtero ( string MemoryDump ) : inVtero.net.Support
Vtero ( string MemoryDump, AMemoryRunDetector MD ) : inVtero.net.Support
WalkProcList ( DetectedProc dp ) : dynamic[]
WriteColor ( ConsoleColor ForeGround, ConsoleColor BackGround, string var ) : void
WriteColor ( ConsoleColor ForeGround, string var ) : void
WriteRange ( VIRTUAL_ADDRESS KEY, PFN VALUE, string BaseFileName, Mem PhysMemReader = null, bool SinglePFNStore = false, bool DumpNULL = false ) : string

Private Methods

Method Description
DeriveMemoryDescriptors ( ) : void
REPLhelp ( ) : void

Method Details

AddProcessPageTable() public method

public AddProcessPageTable ( DetectedProc tdp, Mem memAxs ) : void
tdp DetectedProc
memAxs Mem
return void

CheckpointRestoreState() public method

public CheckpointRestoreState ( string SaveFile ) : Vtero
SaveFile string
return Vtero

CheckpointSaveState() public method

public CheckpointSaveState ( string OverrideName = null, string DirSpec = null ) : string
OverrideName string
DirSpec string
return string

DecodePointer() public method

You only need this if you can't get symbols. see http://uninformed.org/index.cgi?v=3&a=3&t=sumry by skape & Skywing
public DecodePointer ( ulong BlockAddress, ulong Always, ulong Never, ulong Value ) : ulong
BlockAddress ulong
Always ulong
Never ulong
Value ulong
return ulong

DumpASToFile() public method

Memory Dump routines
public DumpASToFile ( IDictionary AS_ToDump = null ) : void
AS_ToDump IDictionary
return void

DumpFailList() public method

public DumpFailList ( ) : void
return void

DumpProc() public method

public DumpProc ( string Folder, DetectedProc Proc, bool IncludeData = false, bool KernelSpace = true ) : long
Folder string
Proc DetectedProc
IncludeData bool
KernelSpace bool
return long

ExtractCVDebug() public method

public ExtractCVDebug ( DetectedProc dp, MemSection sec ) : CODEVIEW_HEADER
dp DetectedProc
sec MemSection
return CODEVIEW_HEADER

ExtrtactAddressSpaces() public method

This routine is fairly expensive, maybe unnecessary as well but it demo's walking the page table + EPT. You can connect an address space dumper really easily TODO: Remake this. Instead of just pre-buffering everything. Ensure the GroupAS detections are appropriate and if not, reassign the VMCS/EPTP page to bare metal or a different HVLayer item.
public ExtrtactAddressSpaces ( IOrderedEnumerable MemSpace = null, ConcurrentBag Procs = null, PTType pTypes = PTType.UNCONFIGURED ) : List>.Dictionary
MemSpace IOrderedEnumerable The list of VMCS/EPTP configurations which will alter the page table use
Procs ConcurrentBag Detected procs to query
pTypes PTType Type bitmask to interpret
return List>.Dictionary

GetKernelDebuggerData() public method

Prefer symbol loading.
public GetKernelDebuggerData ( DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache ) : bool
dp DetectedProc
ext Extract
cv_data CODEVIEW_HEADER
SymbolCache string
return bool

GetKernelRangeFromGroup() public method

public GetKernelRangeFromGroup ( int GroupID ) : DetectedProc
GroupID int
return DetectedProc

GetSymAddress() public method

public GetSymAddress ( DetectedProc dp, string SymName ) : long
dp DetectedProc
SymName string
return long

GetSymValueLong() public method

TODO: Make better for all types
public GetSymValueLong ( DetectedProc dp, string SymName ) : long
dp DetectedProc
SymName string
return long

GroupAS() public method

Group address spaces into related buckets We will assign an address space ID to each detected proc so we know what process belongs with who After AS grouping we will know what EPTP belongs to which AS since one of the DP's will have it's CR3 in the VMCS Yes it's a bit complicated. The overall procedure however is straight forward in that; * For every detected process Bucket into groups which are the "Address spaces" that initially are (a) based on kernel address space similarities and then (b) based on what VMCS value was found pointing to that group This ensures that if we have several hypervisors with a possibly identical kernel grouping (i.e. the PFN's were used by each kernel were identical), they are disambiguated by the VMCS. (Which can be validated later) The benefit here is that brute forcing at this stage is fairly expensive and can lead to significant overhead, there does tend to be some outliers for large systems that need to be looked at more to determine who they belong too. Nevertheless, it's inconsequential if they are grouped with the appropriate AS since even if they are isolated into their own 'AS' this is an artificial construct for our book keeping. The net result is that even if some process is grouped by itself due to some aggressive variation in kernel PFN' use (lots of dual mapped memory/MDL's or something), it's still able to be dumped and analyzed.
public GroupAS ( PTType pTypes = PTType.UNCONFIGURED ) : void
pTypes PTType Types to scan for, this is of the already detected processes list so it's already filtered really
return void

HashRange() public method

public HashRange ( VIRTUAL_ADDRESS KEY, PFN VALUE ) : byte[]
KEY VIRTUAL_ADDRESS
VALUE PFN
return byte[]

ModuleScan() public method

Only scanning for core kernel modules
public ModuleScan ( DetectedProc dp, long StartingVA, long EndingVA = 0xFFFFFFFFF000 ) : Extract>.ConcurrentDictionary
dp DetectedProc
StartingVA long
EndingVA long
return Extract>.ConcurrentDictionary

PrintLastDumped() public method

public PrintLastDumped ( List LastList ) : void
LastList List
return void

ProcDetectScan() public method

public ProcDetectScan ( PTType Modes, int DetectOnly ) : int
Modes PTType
DetectOnly int
return int

ReScanNextLevel() public method

public ReScanNextLevel ( DetectedProc tdp, bool DisplayOutput = false ) : void
tdp DetectedProc
DisplayOutput bool
return void

TryLoadSymbols() public method

public TryLoadSymbols ( CODEVIEW_HEADER cv_data, long BaseVA, string SymPath ) : bool
cv_data CODEVIEW_HEADER
BaseVA long
SymPath string
return bool

VMCSScan() public method

public VMCSScan ( ) : int
return int

Vtero() public method

public Vtero ( ) : inVtero.net.Support
return inVtero.net.Support

Vtero() public method

public Vtero ( string MemoryDump ) : inVtero.net.Support
MemoryDump string
return inVtero.net.Support

Vtero() public method

public Vtero ( string MemoryDump, AMemoryRunDetector MD ) : inVtero.net.Support
MemoryDump string
MD AMemoryRunDetector
return inVtero.net.Support

WalkProcList() public method

public WalkProcList ( DetectedProc dp ) : dynamic[]
dp DetectedProc
return dynamic[]

WriteColor() public method

public WriteColor ( ConsoleColor ForeGround, ConsoleColor BackGround, string var ) : void
ForeGround ConsoleColor
BackGround ConsoleColor
var string
return void

WriteColor() public method

public WriteColor ( ConsoleColor ForeGround, string var ) : void
ForeGround ConsoleColor
var string
return void

WriteRange() public method

public WriteRange ( VIRTUAL_ADDRESS KEY, PFN VALUE, string BaseFileName, Mem PhysMemReader = null, bool SinglePFNStore = false, bool DumpNULL = false ) : string
KEY VIRTUAL_ADDRESS
VALUE PFN
BaseFileName string
PhysMemReader Mem
SinglePFNStore bool
DumpNULL bool
return string

Property Details

ASGroups public_oe property

public ConcurrentDictionary> ASGroups
return ConcurrentBag>.ConcurrentDictionary

AddressSpace public_oe property

public ConcurrentDictionary> AddressSpace
return ConcurrentBag>.ConcurrentDictionary

FileSize public_oe property

public long FileSize
return long

GroupThreshold public_oe property

public double GroupThreshold
return double

KVS public_oe property

public VirtualScanner,inVtero.net KVS
return VirtualScanner

KernelProc public_oe property

public DetectedProc,inVtero.net KernelProc
return DetectedProc

MemFile public_oe property

public string MemFile
return string

OverRidePhase public_oe property

Set OverRidePhase to force a re-run of a stage
public bool OverRidePhase
return bool

Phase public_oe property

public int Phase
return int

Processes public_oe property

public ConcurrentBag Processes
return ConcurrentBag

ProgressCallback public_oe static_oe property

public static Action,System ProgressCallback
return System.Action

VMCSs public_oe property

public ConcurrentDictionary VMCSs
return VMCS>.ConcurrentDictionary

hCurrentProcess public_oe static_oe property

public static IntPtr,System hCurrentProcess
return System.IntPtr