C# Class inVtero.net.Scanner

Project: ShaneK2/inVtero.net

Public Properties

Property Type Description
DumpVMCSPage bool
FileSize long
Filename string

Public Methods

Method Description
Analyze ( int ExitAfter ) : int

A simple memory mapped scan over the input provided in the constructor

BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable

Scans for the class-configured variable "HexScanDword". This is a specialized routine intended to avoid over-scanning: the physical memory run data maintained by the OS is typically very deep physically, so at start-up we may use this depending on the input file.

FreeBSD ( long offset ) : bool

The FreeBSD check for process detection is good. Consider it release quality ;)

Generic ( long offset ) : bool

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust offset around RUN gaps.

HV ( long offset ) : bool

In some deployments Hyper-V was found to use a configuration as such.

HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
LinuxS ( long offset ) : bool

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.

NetBSD ( long offset ) : bool

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.

OpenBSD ( long offset ) : bool

Slightly better check than NetBSD, so I guess consider it beta!

Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
VMCS ( long xoffset ) : bool

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.

Windows ( long offset ) : bool

This is the same check as the earlier process detection code from CSW and DefCon.

Private Methods

Method Description
MapScanFile ( String File, long From, int ScanData, int Count ) : IEnumerable
Scanner ( ) : inVtero.net.Support

Method Details

Analyze() public method

A simple memory mapped scan over the input provided in the constructor
public Analyze ( int ExitAfter ) : int
ExitAfter int Optionally stop checking or exit early after this many candidates. 0 does not exit early.
Returns int

BackwardsValueScan() public static method

Scans for the class-configured variable "HexScanDword". This is a specialized routine intended to avoid over-scanning: the physical memory run data maintained by the OS is typically very deep physically, so at start-up we may use this depending on the input file.
public static BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable
Filename String
ScanFor int
ExitAfter int
Returns IEnumerable

FreeBSD() public method

The FreeBSD check for process detection is good. Consider it release quality ;)
public FreeBSD ( long offset ) : bool
offset long
Returns bool

Generic() public method

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust offset around RUN gaps.
public Generic ( long offset ) : bool
offset long
Returns bool

HV() public method

In some deployments Hyper-V was found to use a configuration as such.
public HV ( long offset ) : bool
offset long
Returns bool

HexScan() public static method

public static HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
FoundValueOffsets List
offset long
ValueBlock long
ValueReadCount int
Returns bool

LinuxS() public method

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.
public LinuxS ( long offset ) : bool
offset long
Returns bool

NetBSD() public method

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.
public NetBSD ( long offset ) : bool
offset long
Returns bool

OpenBSD() public method

Slightly better check than NetBSD, so I guess consider it beta!
public OpenBSD ( long offset ) : bool
offset long
Returns bool

Scanner() public method

public Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
InputFile string
vTero Vtero
Returns inVtero.net.Support

VMCS() public method

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.
public VMCS ( long xoffset ) : bool
xoffset long
Returns bool

Windows() public method

This is the same check as the earlier process detection code from CSW and DefCon.
public Windows ( long offset ) : bool
offset long
Returns bool

Property Details

DumpVMCSPage public property

public bool DumpVMCSPage
Returns bool

FileSize public property

public long FileSize
Returns long

Filename public property

public string Filename
Returns string