Property | Type | Description |
---|---|---|
DumpVMCSPage | bool | |
FileSize | long | |
Filename | string | |

Method | Description |
---|---|
Analyze ( int ExitAfter ) : int | A simple memory-mapped scan over the input provided in the constructor. |
BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable | Scans for the class-configured variable "HexScanDword". This is a specialized scan with which we are trying to avoid over-scanning. It turns out the physical memory run data maintained by the OS is typically very deep physically, so at start-up we may use this depending on the input file. |
FreeBSD ( long offset ) : bool | The FreeBSD check for process detection is good. Consider it release quality ;) |
Generic ( long offset ) : bool | Naturally the Generic checker is fairly chatty, but at least you can use it to find unknowns. We could use some more tunable values here to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self pointer in the first memory run for a non-sparse memory dump. The calling code is expected to adjust offset around RUN gaps. |
HV ( long offset ) : bool | In some deployments Hyper-V was found to use a configuration as such. |
HexScan ( List | |
LinuxS ( long offset ) : bool | The LinuxS check is a single-pass, state-preserving scanner. This was created using kernel 3.19 as a baseline. More to follow. |
NetBSD ( long offset ) : bool | TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha. |
OpenBSD ( long offset ) : bool | Slightly better check than NetBSD, so I guess consider it beta! |
Scanner ( string InputFile, | |
VMCS ( long xoffset ) : bool | The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer. |
Windows ( long offset ) : bool | This is the same check as the earlier process detection code from CSW and DefCon. |

Method | Description |
---|---|
MapScanFile ( String File, long From, int ScanData, int Count ) : IEnumerable | |
Scanner ( ) : inVtero.net.Support | |

public Analyze ( int ExitAfter ) : int

Name | Type | Description |
---|---|---|
ExitAfter | int | Optionally stop checking or exit early after this many candidates. 0 does not exit early. |
return | int | |

public static BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable

Name | Type | Description |
---|---|---|
Filename | String | |
ScanFor | int | |
ExitAfter | int | |
return | IEnumerable | |

public static HexScan ( List

Name | Type | Description |
---|---|---|
FoundValueOffsets | List | |
offset | long | |
ValueBlock | long | |
ValueReadCount | int | |
return | bool | |

public Scanner ( string InputFile,

Name | Type | Description |
---|---|---|
InputFile | string | |
vTero | | |
return | inVtero.net.Support | |