C# Class inVtero.net.Scanner


Public Properties

Property        Type     Description
DumpVMCSPage    bool
FileSize        long
Filename        string

Public Methods

Method                                                                                      Description

Analyze ( int ExitAfter ) : int
    A simple memory-mapped scan over the input provided in the constructor.

BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable
    Scans for the class-configured variable "HexScanDword". This is a specialized routine
    intended to avoid over-scanning: the physical memory run data maintained by the OS is
    typically located very deep in physical memory, so at start-up this may be used
    depending on the input file.

FreeBSD ( long offset ) : bool
    The FreeBSD check for process detection is good; consider it release quality ;)

Generic ( long offset ) : bool
    Naturally the Generic checker is fairly chatty, but at least it can be used to find
    unknowns. It could use some more tunable values to help select the best match; I
    currently use the value with the lowest diff, which can be correct. This will find a
    self-pointer in the first memory run of a non-sparse memory dump. The calling code is
    expected to adjust the offset around RUN gaps.

HV ( long offset ) : bool
    In some deployments Hyper-V was found to use a configuration such as this.

HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool

LinuxS ( long offset ) : bool
    The LinuxS check is a single-pass, state-preserving scanner. It was created using
    kernel 3.19 as a baseline. More to follow.

NetBSD ( long offset ) : bool
    TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy,
    consider it alpha.

OpenBSD ( long offset ) : bool
    Slightly better check than NetBSD, so I guess consider it beta!

Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support

VMCS ( long xoffset ) : bool
    The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later
    isolate the EPTP based on constraints for that pointer.

Windows ( long offset ) : bool
    This is the same check as the earlier process detection code from CSW and DefCon.

Private Methods

Method                                                                                      Description

MapScanFile ( String File, long From, int ScanData, int Count ) : IEnumerable

Scanner ( ) : inVtero.net.Support

Method Details

Analyze() public method

A simple memory-mapped scan over the input provided in the constructor.
public Analyze ( int ExitAfter ) : int
ExitAfter    int    Optionally stop checking or exit early after this many candidates. 0 does not exit early.
Returns      int

BackwardsValueScan() public static method

Scans for the class-configured variable "HexScanDword". This is a specialized routine intended to avoid over-scanning: the physical memory run data maintained by the OS is typically located very deep in physical memory, so at start-up this may be used depending on the input file.
public static BackwardsValueScan ( String Filename, int ScanFor, int ExitAfter ) : IEnumerable
Filename     String
ScanFor      int
ExitAfter    int
Returns      IEnumerable

FreeBSD() public method

The FreeBSD check for process detection is good; consider it release quality ;)
public FreeBSD ( long offset ) : bool
offset       long
Returns      bool

Generic() public method

Naturally the Generic checker is fairly chatty, but at least it can be used to find unknowns. It could use some more tunable values to help select the best match; I currently use the value with the lowest diff, which can be correct. This will find a self-pointer in the first memory run of a non-sparse memory dump. The calling code is expected to adjust the offset around RUN gaps.
public Generic ( long offset ) : bool
offset       long
Returns      bool

HV() public method

In some deployments Hyper-V was found to use a configuration such as this.
public HV ( long offset ) : bool
offset       long
Returns      bool

HexScan() public static method

public static HexScan ( List FoundValueOffsets, long offset, long ValueBlock, int ValueReadCount ) : bool
FoundValueOffsets    List
offset               long
ValueBlock           long
ValueReadCount       int
Returns              bool

LinuxS() public method

The LinuxS check is a single-pass, state-preserving scanner. It was created using kernel 3.19 as a baseline. More to follow.
public LinuxS ( long offset ) : bool
offset       long
Returns      bool

NetBSD() public method

TODO: NetBSD needs some analysis. Will add more later; this check is a bit noisy, consider it alpha.
public NetBSD ( long offset ) : bool
offset       long
Returns      bool

OpenBSD() public method

Slightly better check than NetBSD, so I guess consider it beta!
public OpenBSD ( long offset ) : bool
offset       long
Returns      bool

Scanner() public method

public Scanner ( string InputFile, Vtero vTero ) : inVtero.net.Support
InputFile    string
vTero        Vtero
Returns      inVtero.net.Support

VMCS() public method

The VMCS scan is based on the LINK pointer, abort code and CR3 register. We later isolate the EPTP based on constraints for that pointer.
public VMCS ( long xoffset ) : bool
xoffset      long
Returns      bool

Windows() public method

This is the same check as the earlier process detection code from CSW and DefCon.
public Windows ( long offset ) : bool
offset       long
Returns      bool

Property Details

DumpVMCSPage public property

public bool DumpVMCSPage
Returns      bool

FileSize public property

public long FileSize
Returns      long

Filename public property

public string Filename
Returns      string