C# 클래스 inVtero.net.Vtero

Moving things around to support save state If it turns out that we are to parse the input aggressivly, it may make sence to not have to waste time doing the same analysis over again Rooting everything off of a main class helps the structure a bit

파일 보기 프로젝트 열기: ShaneK2/inVtero.net 1 사용 예제들

공개 프로퍼티들

프로퍼티	타입	설명
ASGroups	ConcurrentBag>.ConcurrentDictionary
AddressSpace	ConcurrentBag>.ConcurrentDictionary
FileSize	long
GroupThreshold	double
KVS	VirtualScanner
KernelProc	DetectedProc
MemFile	string
OverRidePhase	bool
Phase	int
Processes	ConcurrentBag
ProgressCallback	System.Action
VMCSs	VMCS>.ConcurrentDictionary
hCurrentProcess	System.IntPtr

공개 메소드들

메소드	설명
AddProcessPageTable ( DetectedProc tdp, Mem memAxs ) : void
CheckpointRestoreState ( string SaveFile ) : Vtero
CheckpointSaveState ( string OverrideName = null, string DirSpec = null ) : string
DecodePointer ( ulong BlockAddress, ulong Always, ulong Never, ulong Value ) : ulong	You only need this if you can't get symbols. see http://uninformed.org/index.cgi?v=3&a=3&t=sumry by skape & Skywing
DumpASToFile ( IDictionary AS_ToDump = null ) : void	Memory Dump routines
DumpFailList ( ) : void
DumpProc ( string Folder, DetectedProc Proc, bool IncludeData = false, bool KernelSpace = true ) : long
ExtractCVDebug ( DetectedProc dp, MemSection sec ) : CODEVIEW_HEADER
ExtrtactAddressSpaces ( IOrderedEnumerable MemSpace = null, ConcurrentBag Procs = null, PTType pTypes = PTType.UNCONFIGURED ) : List>.Dictionary	This routine is fairly expensive, maybe unnecessary as well but it demo's walking the page table + EPT. You can connect an address space dumper really easily TODO: Remake this. Instead of just pre-buffering everything. Ensure the GroupAS detections are appropriate and if not, reassign the VMCS/EPTP page to bare metal or a different HVLayer item.
GetKernelDebuggerData ( DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache ) : bool	Prefer symbol loading.
GetKernelRangeFromGroup ( int GroupID ) : DetectedProc
GetSymAddress ( DetectedProc dp, string SymName ) : long
GetSymValueLong ( DetectedProc dp, string SymName ) : long	TODO: Make better for all types
GroupAS ( PTType pTypes = PTType.UNCONFIGURED ) : void	Group address spaces into related buckets We will assign an address space ID to each detected proc so we know what process belongs with who After AS grouping we will know what EPTP belongs to which AS since one of the DP's will have it's CR3 in the VMCS Yes it's a bit complicated. The overall procedure however is straight forward in that; * For every detected process Bucket into groups which are the "Address spaces" that initially are (a) based on kernel address space similarities and then (b) based on what VMCS value was found pointing to that group This ensures that if we have several hypervisors with a possibly identical kernel grouping (i.e. the PFN's were used by each kernel were identical), they are disambiguated by the VMCS. (Which can be validated later) The benefit here is that brute forcing at this stage is fairly expensive and can lead to significant overhead, there does tend to be some outliers for large systems that need to be looked at more to determine who they belong too. Nevertheless, it's inconsequential if they are grouped with the appropriate AS since even if they are isolated into their own 'AS' this is an artificial construct for our book keeping. The net result is that even if some process is grouped by itself due to some aggressive variation in kernel PFN' use (lots of dual mapped memory/MDL's or something), it's still able to be dumped and analyzed.
HashRange ( VIRTUAL_ADDRESS KEY, PFN VALUE ) : byte[]
ModuleScan ( DetectedProc dp, long StartingVA, long EndingVA = 0xFFFFFFFFF000 ) : Extract>.ConcurrentDictionary	Only scanning for core kernel modules
PrintLastDumped ( List LastList ) : void
ProcDetectScan ( PTType Modes, int DetectOnly ) : int
ReScanNextLevel ( DetectedProc tdp, bool DisplayOutput = false ) : void
TryLoadSymbols ( CODEVIEW_HEADER cv_data, long BaseVA, string SymPath ) : bool
VMCSScan ( ) : int
Vtero ( ) : inVtero.net.Support
Vtero ( string MemoryDump ) : inVtero.net.Support
Vtero ( string MemoryDump, AMemoryRunDetector MD ) : inVtero.net.Support
WalkProcList ( DetectedProc dp ) : dynamic[]
WriteColor ( ConsoleColor ForeGround, ConsoleColor BackGround, string var ) : void
WriteColor ( ConsoleColor ForeGround, string var ) : void
WriteRange ( VIRTUAL_ADDRESS KEY, PFN VALUE, string BaseFileName, Mem PhysMemReader = null, bool SinglePFNStore = false, bool DumpNULL = false ) : string

비공개 메소드들

메소드	설명
DeriveMemoryDescriptors ( ) : void
REPLhelp ( ) : void

메소드 상세

AddProcessPageTable() 공개 메소드

public AddProcessPageTable ( DetectedProc tdp, Mem memAxs ) : void
tdp	DetectedProc
memAxs	Mem
리턴	void

CheckpointRestoreState() 공개 메소드

public CheckpointRestoreState ( string SaveFile ) : Vtero
SaveFile	string
리턴	Vtero

CheckpointSaveState() 공개 메소드

public CheckpointSaveState ( string OverrideName = null, string DirSpec = null ) : string
OverrideName	string
DirSpec	string
리턴	string

DecodePointer() 공개 메소드

You only need this if you can't get symbols. see http://uninformed.org/index.cgi?v=3&a=3&t=sumry by skape & Skywing

public DecodePointer ( ulong BlockAddress, ulong Always, ulong Never, ulong Value ) : ulong
BlockAddress	ulong
Always	ulong
Never	ulong
Value	ulong
리턴	ulong

DumpASToFile() 공개 메소드

Memory Dump routines

public DumpASToFile ( IDictionary AS_ToDump = null ) : void
AS_ToDump	IDictionary
리턴	void

DumpFailList() 공개 메소드

public DumpFailList ( ) : void
리턴	void

DumpProc() 공개 메소드

public DumpProc ( string Folder, DetectedProc Proc, bool IncludeData = false, bool KernelSpace = true ) : long
Folder	string
Proc	DetectedProc
IncludeData	bool
KernelSpace	bool
리턴	long

ExtractCVDebug() 공개 메소드

public ExtractCVDebug ( DetectedProc dp, MemSection sec ) : CODEVIEW_HEADER
dp	DetectedProc
sec	MemSection
리턴	CODEVIEW_HEADER

ExtrtactAddressSpaces() 공개 메소드

This routine is fairly expensive, maybe unnecessary as well but it demo's walking the page table + EPT. You can connect an address space dumper really easily TODO: Remake this. Instead of just pre-buffering everything. Ensure the GroupAS detections are appropriate and if not, reassign the VMCS/EPTP page to bare metal or a different HVLayer item.

public ExtrtactAddressSpaces ( IOrderedEnumerable MemSpace = null, ConcurrentBag Procs = null, PTType pTypes = PTType.UNCONFIGURED ) : List>.Dictionary
MemSpace	IOrderedEnumerable	The list of VMCS/EPTP configurations which will alter the page table use
Procs	ConcurrentBag	Detected procs to query
pTypes	PTType	Type bitmask to interpret
리턴	List>.Dictionary

GetKernelDebuggerData() 공개 메소드

Prefer symbol loading.

public GetKernelDebuggerData ( DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache ) : bool
dp	DetectedProc
ext	Extract
cv_data	CODEVIEW_HEADER
SymbolCache	string
리턴	bool

GetKernelRangeFromGroup() 공개 메소드

public GetKernelRangeFromGroup ( int GroupID ) : DetectedProc
GroupID	int
리턴	DetectedProc

GetSymAddress() 공개 메소드

public GetSymAddress ( DetectedProc dp, string SymName ) : long
dp	DetectedProc
SymName	string
리턴	long

GetSymValueLong() 공개 메소드

TODO: Make better for all types

public GetSymValueLong ( DetectedProc dp, string SymName ) : long
dp	DetectedProc
SymName	string
리턴	long

GroupAS() 공개 메소드

Group address spaces into related buckets We will assign an address space ID to each detected proc so we know what process belongs with who After AS grouping we will know what EPTP belongs to which AS since one of the DP's will have it's CR3 in the VMCS Yes it's a bit complicated. The overall procedure however is straight forward in that; * For every detected process Bucket into groups which are the "Address spaces" that initially are (a) based on kernel address space similarities and then (b) based on what VMCS value was found pointing to that group This ensures that if we have several hypervisors with a possibly identical kernel grouping (i.e. the PFN's were used by each kernel were identical), they are disambiguated by the VMCS. (Which can be validated later) The benefit here is that brute forcing at this stage is fairly expensive and can lead to significant overhead, there does tend to be some outliers for large systems that need to be looked at more to determine who they belong too. Nevertheless, it's inconsequential if they are grouped with the appropriate AS since even if they are isolated into their own 'AS' this is an artificial construct for our book keeping. The net result is that even if some process is grouped by itself due to some aggressive variation in kernel PFN' use (lots of dual mapped memory/MDL's or something), it's still able to be dumped and analyzed.

public GroupAS ( PTType pTypes = PTType.UNCONFIGURED ) : void
pTypes	PTType	Types to scan for, this is of the already detected processes list so it's already filtered really
리턴	void

HashRange() 공개 메소드

public HashRange ( VIRTUAL_ADDRESS KEY, PFN VALUE ) : byte[]
KEY	VIRTUAL_ADDRESS
VALUE	PFN
리턴	byte[]

ModuleScan() 공개 메소드

Only scanning for core kernel modules

public ModuleScan ( DetectedProc dp, long StartingVA, long EndingVA = 0xFFFFFFFFF000 ) : Extract>.ConcurrentDictionary
dp	DetectedProc
StartingVA	long
EndingVA	long
리턴	Extract>.ConcurrentDictionary

PrintLastDumped() 공개 메소드

public PrintLastDumped ( List LastList ) : void
LastList	List
리턴	void

ProcDetectScan() 공개 메소드

public ProcDetectScan ( PTType Modes, int DetectOnly ) : int
Modes	PTType
DetectOnly	int
리턴	int

ReScanNextLevel() 공개 메소드

public ReScanNextLevel ( DetectedProc tdp, bool DisplayOutput = false ) : void
tdp	DetectedProc
DisplayOutput	bool
리턴	void

TryLoadSymbols() 공개 메소드

public TryLoadSymbols ( CODEVIEW_HEADER cv_data, long BaseVA, string SymPath ) : bool
cv_data	CODEVIEW_HEADER
BaseVA	long
SymPath	string
리턴	bool

VMCSScan() 공개 메소드

public VMCSScan ( ) : int
리턴	int

Vtero() 공개 메소드

public Vtero ( ) : inVtero.net.Support
리턴	inVtero.net.Support

Vtero() 공개 메소드

public Vtero ( string MemoryDump ) : inVtero.net.Support
MemoryDump	string
리턴	inVtero.net.Support

Vtero() 공개 메소드

public Vtero ( string MemoryDump, AMemoryRunDetector MD ) : inVtero.net.Support
MemoryDump	string
MD	AMemoryRunDetector
리턴	inVtero.net.Support

WalkProcList() 공개 메소드

public WalkProcList ( DetectedProc dp ) : dynamic[]
dp	DetectedProc
리턴	dynamic[]

WriteColor() 공개 메소드

public WriteColor ( ConsoleColor ForeGround, ConsoleColor BackGround, string var ) : void
ForeGround	ConsoleColor
BackGround	ConsoleColor
var	string
리턴	void

WriteColor() 공개 메소드

public WriteColor ( ConsoleColor ForeGround, string var ) : void
ForeGround	ConsoleColor
var	string
리턴	void

WriteRange() 공개 메소드

public WriteRange ( VIRTUAL_ADDRESS KEY, PFN VALUE, string BaseFileName, Mem PhysMemReader = null, bool SinglePFNStore = false, bool DumpNULL = false ) : string
KEY	VIRTUAL_ADDRESS
VALUE	PFN
BaseFileName	string
PhysMemReader	Mem
SinglePFNStore	bool
DumpNULL	bool
리턴	string

프로퍼티 상세

ASGroups 공개적으로 프로퍼티

public ConcurrentDictionary> ASGroups
리턴	ConcurrentBag>.ConcurrentDictionary

AddressSpace 공개적으로 프로퍼티

public ConcurrentDictionary> AddressSpace
리턴	ConcurrentBag>.ConcurrentDictionary

FileSize 공개적으로 프로퍼티

public long FileSize
리턴	long

GroupThreshold 공개적으로 프로퍼티

public double GroupThreshold
리턴	double

KVS 공개적으로 프로퍼티

public VirtualScanner,inVtero.net KVS
리턴	VirtualScanner

KernelProc 공개적으로 프로퍼티

public DetectedProc,inVtero.net KernelProc
리턴	DetectedProc

MemFile 공개적으로 프로퍼티

public string MemFile
리턴	string

OverRidePhase 공개적으로 프로퍼티

Set OverRidePhase to force a re-run of a stage

public bool OverRidePhase
리턴	bool

Phase 공개적으로 프로퍼티

public int Phase
리턴	int

Processes 공개적으로 프로퍼티

public ConcurrentBag Processes
리턴	ConcurrentBag

ProgressCallback 공개적으로 정적으로 프로퍼티

public static Action,System ProgressCallback
리턴	System.Action

VMCSs 공개적으로 프로퍼티

public ConcurrentDictionary VMCSs
리턴	VMCS>.ConcurrentDictionary

hCurrentProcess 공개적으로 정적으로 프로퍼티

public static IntPtr,System hCurrentProcess
리턴	System.IntPtr