C# Class inVtero.net.Scanner

Project: ShaneK2/inVtero.net (1 usage example)

Public Properties

Property      Type    Description
DumpVMCSPage  bool
FileSize      long
Filename      string

Public Methods

Method   Description
Analyze ( int ExitAfter ) : int

A simple memory-mapped scan over the input provided in the constructor.

BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable

Scan for the class-configured variable "HexScanDword". This is a specialized thing: we are trying to avoid over-scanning. It turns out the physical memory run data maintained by the OS is typically very deep physically, so at start-up we may use this depending on the input file.

FreeBSD ( long offset ) : bool

The FreeBSD check for process detection is good. Consider it release quality ;)

Generic ( long offset ) : bool

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust offset around RUN gaps.

HV ( long offset ) : bool

In some deployments Hyper-V was found to use a configuration as such.

HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
LinuxS ( long offset ) : bool

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.

NetBSD ( long offset ) : bool

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.

OpenBSD ( long offset ) : bool

Slightly better check than NetBSD, so I guess consider it beta!

Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
VMCS ( long xoffset ) : bool

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.

Windows ( long offset ) : bool

This is the same check as the earlier process detection code from CSW and DefCon.

Private Methods

Method   Description
MapScanFile ( String File, long From, int ScanData, int Count ) : IEnumerable
Scanner ( ) : inVtero.net.Support

Method Details

Analyze() public method

A simple memory-mapped scan over the input provided in the constructor.
public Analyze ( int ExitAfter ) : int
ExitAfter int Optionally stop checking or exit early after this many candidates. 0 does not exit early.
Returns int

BackwardsValueScan() public static method

Scan for the class-configured variable "HexScanDword". This is a specialized thing: we are trying to avoid over-scanning. It turns out the physical memory run data maintained by the OS is typically very deep physically, so at start-up we may use this depending on the input file.
public static BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable
Filename String
ScanFor int
ExitAfter int
Returns IEnumerable

FreeBSD() public method

The FreeBSD check for process detection is good. Consider it release quality ;)
public FreeBSD ( long offset ) : bool
offset long
Returns bool

Generic() public method

Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust offset around RUN gaps.
public Generic ( long offset ) : bool
offset long
Returns bool
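The summary and detail entries for Generic() describe the core idea of the scanner: walk the dump page by page and look for a page-table page containing a present entry whose frame address equals the page's own physical address (a self pointer), and let the caller account for physical memory RUN gaps by supplying the right base address. The following is an added illustration of that technique, not code from inVtero.net; the page size, entry layout, the self-entry index 0x1ED, the (file_offset, physical_base, length) run description and the sample dump are assumptions made for this example.

```python
"""Page-table self-pointer scan over a constructed x64 memory dump.

Added illustration of the idea behind Scanner.Generic()/Windows(); this is
not inVtero.net code. Page size, entry layout, the run description format and
the sample dump below are assumptions made for this example.
"""
import struct

PAGE = 0x1000                         # 4 KiB pages
ENTRY_SIZE = 8                        # x64 page-table entries are 8 bytes
ENTRIES = PAGE // ENTRY_SIZE          # 512 entries per table page
PFN_MASK = 0x000F_FFFF_FFFF_F000      # bits 12..51: physical frame address
PRESENT = 1 << 0
WRITE = 1 << 1
NX = 1 << 63


def build_dump(pml4_phys, phys_base=0, total_pages=8, self_index=0x1ED):
    """Constructed sample: `total_pages` zero pages holding one PML4-like page
    at physical address `pml4_phys`. Its entry `self_index` points back at the
    page itself (the self-referencing entry x64 kernels use to map their own
    page tables); `phys_base` is the physical address of byte 0 of the buffer.
    """
    dump = bytearray(PAGE * total_pages)
    file_off = pml4_phys - phys_base
    entries = [0] * ENTRIES
    entries[0] = (phys_base + 1 * PAGE) | PRESENT | WRITE      # ordinary entry
    entries[0x100] = (phys_base + 5 * PAGE) | PRESENT          # ordinary entry
    entries[self_index] = pml4_phys | PRESENT | WRITE | NX     # self pointer
    struct.pack_into(f"<{ENTRIES}Q", dump, file_off, *entries)
    return bytes(dump)


def scan_self_pointers(dump, offset=0):
    """Return (phys_addr, entry_index, entry) for every page-aligned 4 KiB page
    that contains a present entry whose frame address equals the page's own
    physical address. `offset` is the physical address of dump[0]; it is what
    lets the caller account for run gaps (see scan_runs)."""
    hits = []
    view = memoryview(dump)
    for page_off in range(0, len(dump) - PAGE + 1, PAGE):
        phys = offset + page_off
        if phys == 0:
            continue  # frame 0 self-references are a classic false positive
        for idx in range(ENTRIES):
            (entry,) = struct.unpack_from("<Q", view, page_off + idx * ENTRY_SIZE)
            if entry & PRESENT and (entry & PFN_MASK) == phys:
                hits.append((phys, idx, entry))
    return hits


def scan_runs(dump, runs):
    """Scan a dump whose physical memory runs are not contiguous.
    `runs` is a list of (file_offset, physical_base, length) tuples; each run
    is scanned with its own physical base so that file offsets are never
    mistaken for physical addresses."""
    hits = []
    for file_off, phys_base, length in runs:
        run = dump[file_off:file_off + length]
        hits.extend(scan_self_pointers(run, offset=phys_base))
    return hits


if __name__ == "__main__":
    # Non-sparse dump: physical address == file offset, so offset=0 works.
    flat = build_dump(pml4_phys=0x3000)
    print("flat dump:", [(hex(p), hex(i)) for p, i, _ in scan_self_pointers(flat)])

    # Two runs: 4 pages at physical 0, then 4 pages at physical 0x100000 stored
    # directly after them in the file. A naive scan misses the PML4 at 0x102000.
    run2 = build_dump(pml4_phys=0x102000, phys_base=0x100000, total_pages=4)
    sparse = bytes(4 * PAGE) + run2
    runs = [(0, 0, 4 * PAGE), (4 * PAGE, 0x100000, 4 * PAGE)]
    print("naive  :", scan_self_pointers(sparse))
    print("by runs:", [(hex(p), hex(i)) for p, i, _ in scan_runs(sparse, runs)])
```

On a real dump the self-pointer test alone is as chatty as the entry above warns: any page whose bytes happen to decode as a present entry pointing at itself is reported, which is why the real scanner layers OS-specific constraints on top and why the second scenario matters. Treating file offsets as physical addresses in a dump with run gaps silently finds nothing, or worse, finds the wrong page.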

HV() public method

In some deployments Hyper-V was found to use a configuration as such.
public HV ( long offset ) : bool
offset long
Returns bool

HexScan() public static method

public static HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
FoundValueOffsets List
offset long
ValueBlock long
ValueReadCount int
Returns bool

LinuxS() public method

The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow.
public LinuxS ( long offset ) : bool
offset long
Returns bool

NetBSD() public method

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.
public NetBSD ( long offset ) : bool
offset long
Returns bool

OpenBSD() public method

Slightly better check than NetBSD, so I guess consider it beta!
public OpenBSD ( long offset ) : bool
offset long
Returns bool

Scanner() public method

public Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
InputFile string
vTero Vtero
Returns inVtero.net.Support

VMCS() public method

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.
public VMCS ( long xoffset ) : bool
xoffset long
Returns bool

Windows() public method

This is the same check as the earlier process detection code from CSW and DefCon.
public Windows ( long offset ) : bool
offset long
Returns bool

Property Details

DumpVMCSPage public property

public bool DumpVMCSPage
Returns bool

FileSize public property

public long FileSize
Returns long

Filename public property

public string Filename
Returns string