HBGARY RESPONDER™ 2.0 PLUG-IN QUICK START GUIDE


TABLE OF CONTENTS

1. INTRODUCTION
2. DEVELOPMENT ENVIRONMENTS
3. BROWSING THE API
4. "HELLO, WORLD"
5. ACCESSING INFORMATION
6. APPENDIX I: C# RESOURCES


1. INTRODUCTION


2. DEVELOPMENT ENVIRONMENTS

• The plug-in project must be compiled with unsafe code allowed (the unsafe compiler option).


3. BROWSING THE API

• Members marked private, protected or internal are not part of the plug-in API.
• The API assemblies ship with the product, beside C:\Program Files (x86)\HBGary Responder 2\Responder.EXE


4. "HELLO, WORLD"

A plug-in consists of:

• a namespace, Logic
• a class, Plugin
• the interface it implements, IPlugin

IPlugin is defined as follows:

```csharp
public interface IPlugin
{
    // Methods
    bool OnLoad(ArrayList openDocuments);
    void OnOpenDocument(IDocument document);
    void OnCloseDocument(IDocument document);
    void OnUnload();

    // Properties
    bool UnloadEnabled { get; }
}
```


The minimal Plugin class that satisfies IPlugin:

```csharp
using System.Collections;

namespace Logic
{
    public class Plugin : IPlugin
    {
        // Called once with the documents that are already open; return true on success.
        public bool OnLoad(ArrayList openDocuments)
        {
            return true;
        }

        public void OnOpenDocument(IDocument document) { }
        public void OnCloseDocument(IDocument document) { }
        public void OnUnload() { }

        // Whether Responder may unload the plug-in (OnUnload is then called).
        public bool UnloadEnabled
        {
            get { return true /*OR false*/; }
        }
    }
}
```

Members of IPlugin:

• bool OnLoad(ArrayList openDocuments): openDocuments holds the documents open at load time (ArrayList is in System.Collections, hence the using directive); return true on success.
• void OnOpenDocument(IDocument document) / void OnCloseDocument(IDocument document): called as documents are opened and closed.
• void OnUnload(): called when the plug-in is unloaded.
• bool UnloadEnabled: when true, the plug-in may be unloaded and OnUnload is called.

Assemblies the project must reference:

PluginInterface.dll     interface IPlugin
DocumentInterface.dll   interface IDocument (implemented by abstract class DocumentBase)
mscorlib.dll            System.Collections (ArrayList)
MainLogic.dll           class DocumentsObject

DocumentsObject (MainLogic.dll) keeps track of the open documents on the plug-in's behalf; its Parse method is fed the ArrayList from OnLoad and AddDocument is fed each IDocument from OnOpenDocument.


```csharp
private DocumentsObject Documents = new DocumentsObject();

public bool OnLoad(ArrayList openDocuments)
{
    Documents.Parse(openDocuments);
    return true;
}

public void OnOpenDocument(IDocument document)
{
    Documents.AddDocument(document);
}
```

Parse simply runs foreach(IDocument document in documentCollection) and hands each one to AddDocument, which files it under the matching property of DocumentsObject:

Property          Type
Messages          DocumentsMessagesDocument
Drivers           DriversBrowserDocument
Files             FileBrowserDocument
Functions         FunctionBrowserDocument
IDT               IDTBrowserDocument
InternetHistory   InternetHistoryDocument
KeysPasswords     KeysPasswordsDocument
Modules           ModulesBrowserDocument
Network           NetworkBrowserDocument
PatternHits       PatternHitsDocument
Processes         ProcessBrowserDocument
Registry          RegistryBrowserDocument
Samples           SamplesDocument
SSDT              SSDTBrowserDocument
Strings           StringsBrowserDocument
Symbols           SymbolBrowserDocument
Frame             FrameDocument
Inspector         InspectorDocument
Toolbox           ToolBoxDocument

InspectorDocument in turn exposes the open project and its storage:

Property     Type
Project      IProject
DataStore    IDataStore
Snapshot     ISnapshot


Plug-ins talk to the user interface by queueing command objects with Engine.QueueCommand (class Engine, MainLogic.dll). The commands that target the main frame live in namespace Command.Frame (also MainLogic.dll), so add using Command.Frame; to the plug-in. Each takes the FrameDocument as its first argument:

StartProgressCommand(FrameDocument document)
ShowProgressCommand(FrameDocument document, string message, int progress)
FinishProgressCommand(FrameDocument document, string message)
SetProgressWindowTextCommand(FrameDocument document, string text)
PostLogMessageCommand(FrameDocument document, string message)

PostLogMessageCommand writes a line to the Responder log. The plug-in below wraps it in a PostLogMessage helper that first checks that a FrameDocument is actually open (Documents.Frame is null otherwise) and calls it from OnLoad. The project references DocumentInterface.dll, MainLogic.dll and PluginInterface.dll:

```csharp
using System.Collections;
using Command.Frame;

namespace Logic
{
    public class Plugin : IPlugin
    {
        private DocumentsObject Documents = new DocumentsObject();

        public bool OnLoad(ArrayList openDocuments)
        {
            Documents.Parse(openDocuments);
            PostLogMessage("Hello, world.");
            return true;
        }

        public void OnOpenDocument(IDocument document)
        {
            Documents.AddDocument(document);
        }

        public void OnCloseDocument(IDocument document) { }
        public void OnUnload() { }

        public bool UnloadEnabled
        {
            get { return true /*OR false*/; }
        }

        // Queue a log message, but only when the main frame is open.
        internal void PostLogMessage(string message)
        {
            if(Documents.Frame != null)
                Engine.QueueCommand(new PostLogMessageCommand(Documents.Frame, message));
        }
    }
}
```


A plug-in that should run on demand registers a menu item in the ToolBox (DocumentsObject.Toolbox, a ToolBoxDocument). Two strings identify the item: the category (menu group) and the item name.

```csharp
private const string PluginName = "Hello, World";
private const string PluginCategory = "Practice Plug-ins";
```

ToolBoxDocument raises its OnToolBoxAction event, of delegate type ToolBoxAction, whenever any ToolBox item is clicked:

```csharp
public delegate void ToolBoxAction(string parentGroup, string menuItem, object tag);
```

The object tag is whatever was supplied when the item was registered. Because the event fires for every item, the handler must check, before doing anything, that:

• string menuItem equals PluginName (the click was for this plug-in's item)
• Documents.Inspector is not null (an InspectorDocument is open)
• Documents.Inspector.Project is not null (a project is loaded)

Documents.Inspector.Project is an IProject (InspectorInterface.dll).

```csharp
private void OnToolBoxAction(string parentGroup, string menuItem, object tag)
{
    if(menuItem != PluginName
       || Documents.Inspector == null
       || Documents.Inspector.Project == null)
        return;

    PostLogMessage("Hello, world.");
}
```

OnLoad then does two extra things: subscribe OnToolBoxAction to the ToolBoxDocument.OnToolBoxAction event, and queue an AddToolBoxActionCommand (namespace Command.ToolBox, MainLogic.dll) to create the menu item. Add using Command.ToolBox; for the command:

```csharp
using Command.ToolBox;

public bool OnLoad(ArrayList openDocuments)
{
    Documents.Parse(openDocuments);

    // First additional statement: receive ToolBox clicks.
    Documents.Toolbox.OnToolBoxAction += OnToolBoxAction;

    // Second additional statement: create the "Practice Plug-ins" > "Hello, World" item.
    // (Documents.Toolbox is null when no ToolBox document is open; guard it the same
    // way PostLogMessage guards Documents.Frame if that can happen in your setup.)
    Engine.QueueCommand(new AddToolBoxActionCommand(Documents.Toolbox,
                                                     PluginCategory,
                                                     PluginName,
                                                     null));
    return true;
}
```


5. ACCESSING INFORMATION

Each browser document held by DocumentsObject exposes a method that returns a List of definition objects, one per row of the corresponding Responder browser. The object Tag member of every definition holds the Guid of the underlying Inspector or ProjectDataStore object, so a plug-in can get from a browser row to the full object.

DocumentsMessagesDocument (Documents.Messages)
  List<DocumentMessageDefinition> DocumentMessages()
  DocumentMessageDefinition
    ulong  BasePhysicalOffset
    ulong  BaseVirtualAddress
    string Description
    string FilePath
    bool   hasLength
    ulong  Length
    bool   hasProcess
    uint   PID
    object Tag                 Guid of the IDataInstance (Inspector)

DriversBrowserDocument (Documents.Drivers)
  List<DriverDefinition> Drivers()
  DriverDefinition
    string DriverName
    string DriverPath
    bool   IsHidden
    ulong  BaseAddress
    uint   ImageSize
    ulong  EntryPoint          ("main")
    object Tag                 Guid of the IPackage (Inspector)
    object Weight, string Sequence, uint ProcessPID   (also present)

FileBrowserDocument (Documents.Files)
  List<FileDefinition> Files()
  FileDefinition
    string FileName
    string FilePath
    string ProcessName
    string AccessMask
    object Tag                 Guid of the OPEN_FILE_ENTRY object (class ProjectDataStore, interface IDataStore)

FunctionBrowserDocument (Documents.Functions)
  List<FunctionDefinition> Functions()
  FunctionDefinition
    string FunctionName
    ulong  FunctionOffset
    ulong  FunctionVirtualAddress
    string PackageName         (IPackage)
    object Tag                 Guid of the IFunction (Inspector)
    string FunctionType, bool IsHooked   (also present)

IDTBrowserDocument (Documents.IDT)
  List<IDTDefinition> IDTs()
  IDTDefinition
    string EntryName
    string TargetModuleName
    string TargetModulePath
    bool   Hooked
    uint   GateType
    string Target
    ulong  PhysicalOffset
    ulong  VirtualAddress
    object Tag                 Guid of the IDataInstance
    uint   CPU                 (also present)

InternetHistoryDocument (Documents.InternetHistory)
  List<InternetHistoryDefinition> NetworkActivity()
  InternetHistoryDefinition
    ulong  BasePhysicalOffset
    string Description
    string UrlPath
    object Tag                 Guid of the IDataInstance

KeysPasswordsDocument (Documents.KeysPasswords)
  List<KeyPassHitDefinition> KeysPasswords()
  KeyPassHitDefinition
    ulong  VirtualAddress
    ulong  Offset
    string Package             (IPackage: PackageType.ProcessMemorySnapshot or PackageType.PhysicalMemorySnapshot)
    string Process
    string Type                (IDataInstance)
    string Username
    string Password
    object Tag                 Guid of the IDataInstance

ModulesBrowserDocument (Documents.Modules)
  List<ModuleDefinition> Modules()
  ModuleDefinition
    ulong  BaseAddress
    uint   ModuleLength
    ulong  EntryPoint          ("main")
    string ModuleName
    string ProcessName
    uint   ProcessPID
    string Path
    bool   HasBeenAnalyzed
    bool   Hidden
    object Tag                 Guid of the IPackage
    object Weight, string Sequence   (also present)

NetworkBrowserDocument (Documents.Network)
  List<NetworkSocketDefinition> Sockets()
  NetworkSocketDefinition
    string Source
    string Dest
    string Type
    string State               e.g. "LISTENING", "CONNECTED", "LAST_ACK"
    string ProcessName
    object Tag                 Guid of the OPEN_SOCKET_ENTRY object (class ProjectDataStore, interface IDataStore)

ProcessBrowserDocument (Documents.Processes)
  List<ProcessDefinition> Processes()
  ProcessDefinition
    string ProcessName
    bool   IsHidden
    uint   PID
    uint   ParentProcessPID
    ulong  StartTime           Win32 FILETIME; convert to DateTime with the helper below
    ulong  EndTime             same format as StartTime
    string CommandLine
    string WindowTitle
    string WorkingDirectory
    string DllPath             e.g. "C:\WINDOWS\System32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\MySQL\MySQL Server 4.1\bin"
    object Tag                 Guid of the IPackage

```csharp
// A Win32 FILETIME counts 100-nanosecond intervals since 1601-01-01 (the value is UTC),
// which is exactly the tick unit DateTime uses, so the conversion is a single AddTicks.
public DateTime Win32ToDateTime(ulong win32Time)
{
    return new DateTime(1601, 1, 1, 0, 0, 0, DateTimeKind.Unspecified).AddTicks((long)win32Time);
}
```

RegistryBrowserDocument (Documents.Registry)
  List<RegistryKeyDefinition> Registry()
  RegistryKeyDefinition
    string KeyName
    string KeyPath
    string ProcessName
    object Tag                 Guid of the OPEN_REGISTRY_KEY object (class ProjectDataStore, interface IDataStore)
    string Type, string Value  (also present)

SSDTBrowserDocument (Documents.SSDT)
  List<SSDTDefinition> SSDTs()
  SSDTDefinition
    string EntryName
    string Target              e.g. "0x00000000'BF953705:SSDT1Handler_1287h"
    string TargetModule
    string TargetModulePath
    bool   IsHooked
    object Tag

StringsBrowserDocument (Documents.Strings)
  List<StringDefinition> Strings()
  StringDefinition
    ulong  VirtualAddress
    ulong  Offset
    string Name
    string Package             (IPackage)
    string Type                ASCII or Unicode
    int    NumXrefs
    List   Xrefs
    object Tag                 Guid of the IPackage

SymbolBrowserDocument (Documents.Symbols)
  List<SymbolDefinition> Symbols()
  SymbolDefinition
    ulong  VirtualAddress
    ulong  Offset
    string Name
    string Package             (IPackage)
    string Type                Call, Ptr or stUnknown
    int    NumXrefs
    List   Xrefs
    object Tag                 Guid of the IVASymbol

class ProjectDataStore : IDataStore

Everything the browsers show is read from the project's data store, class ProjectDataStore, which plug-ins use through interface IDataStore (DataStoreInterface.dll; add using Inspector;). The store is reached as DocumentsObject.Inspector.Project.DataStore. Its three query methods are IDataStore.LookupAllObjects, IDataStore.GetNamedValue and IDataStore.GetNamedAttribute.
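The following is an added example, not code from the guide or the Responder SDK. It uses the definition classes listed above to triage an open project from a ToolBox action: hidden processes, drivers and modules, hooked SSDT/IDT entries, and listening sockets. It assumes the accessor pattern implied by the listing (Documents.Processes.Processes(), Documents.SSDT.SSDTs() and so on, each returning a list of the definition type), which should be confirmed in the Object Browser before relying on it.

```csharp
using System;
using System.Collections.Generic;

namespace Logic
{
    // Added example (not from the guide). Returns findings as text so the caller
    // can post them with PostLogMessage from OnToolBoxAction:
    //   foreach(string line in Triage.Run(Documents)) PostLogMessage(line);
    internal static class Triage
    {
        // ProcessDefinition.StartTime is a Win32 FILETIME: 100 ns ticks since 1601-01-01 UTC.
        private static DateTime Win32ToDateTime(ulong win32Time)
        {
            return new DateTime(1601, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddTicks((long)win32Time);
        }

        internal static List<string> Run(DocumentsObject documents)
        {
            var findings = new List<string>();
            if (documents.Inspector == null || documents.Inspector.Project == null)
            {
                findings.Add("No project is open.");
                return findings;
            }

            // Index processes by PID so a hidden parent of a visible child is reported too.
            var byPid = new Dictionary<uint, ProcessDefinition>();
            foreach (ProcessDefinition p in documents.Processes.Processes())   // assumed accessor
                byPid[p.PID] = p;

            foreach (ProcessDefinition p in byPid.Values)
            {
                if (p.IsHidden)
                    findings.Add(string.Format("Hidden process {0} (PID {1}) started {2:u}",
                                               p.ProcessName, p.PID, Win32ToDateTime(p.StartTime)));
                ProcessDefinition parent;
                if (byPid.TryGetValue(p.ParentProcessPID, out parent) && parent.IsHidden && !p.IsHidden)
                    findings.Add(string.Format("Visible process {0} (PID {1}) has hidden parent {2} (PID {3})",
                                               p.ProcessName, p.PID, parent.ProcessName, parent.PID));
            }

            foreach (DriverDefinition d in documents.Drivers.Drivers())           // assumed accessor
                if (d.IsHidden)
                    findings.Add(string.Format("Hidden driver {0} at 0x{1:X} ({2})",
                                               d.DriverName, d.BaseAddress, d.DriverPath));

            foreach (ModuleDefinition m in documents.Modules.Modules())          // assumed accessor
                if (m.Hidden)
                    findings.Add(string.Format("Hidden module {0} in {1} (PID {2}) at 0x{3:X}",
                                               m.ModuleName, m.ProcessName, m.ProcessPID, m.BaseAddress));

            foreach (SSDTDefinition s in documents.SSDT.SSDTs())                 // assumed accessor
                if (s.IsHooked)
                    findings.Add(string.Format("Hooked SSDT entry {0} -> {1} ({2})",
                                               s.EntryName, s.Target, s.TargetModulePath));

            foreach (IDTDefinition i in documents.IDT.IDTs())                    // assumed accessor
                if (i.Hooked)
                    findings.Add(string.Format("Hooked IDT entry {0} -> {1} ({2})",
                                               i.EntryName, i.Target, i.TargetModulePath));

            foreach (NetworkSocketDefinition n in documents.Network.Sockets())   // assumed accessor
                if (n.State == "LISTENING")
                    findings.Add(string.Format("Listening socket {0} ({1}) owned by {2}",
                                               n.Source, n.Type, n.ProcessName));

            if (findings.Count == 0)
                findings.Add("Nothing flagged.");
            return findings;
        }
    }
}
```

The null checks at the top mirror the ones the guide requires in OnToolBoxAction; keeping the logic in a separate class that only returns strings makes it easy to unit-test against hand-built definition lists without a running Responder.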


method LookupAllObjects

LookupAllObjects returns an ArrayList of Guid values identifying objects in the data store; each Guid can then be opened through the matching factory or queried with GetNamedValue and GetNamedAttribute. The following is how DocumentsMessagesDocument.DocumentMessages() builds its DocumentMessageDefinition list (DataStore is Documents.Inspector.Project.DataStore):

```csharp
// DataStore is the IDataStore obtained from Documents.Inspector.Project.DataStore.
List<DocumentMessageDefinition> definitionList = new List<DocumentMessageDefinition>();

foreach(Guid packageGuid in DataStore.LookupAllObjects(DataGroup.Package))
    foreach(Guid dataGuid in DataStore.LookupAllObjects(DataGroup.DataInstance, DataValueName.ParentID, packageGuid))
    {
        // Only DOCUMENT_FRAGMENT data instances are of interest here.
        if("DOCUMENT_FRAGMENT" != (string)DataStore.GetNamedAttribute(DataGroup.DataInstance, dataGuid, "sObjectType"))
            continue;

        // Open the data instance; instance.ID is the same Guid as dataGuid.
        IDataInstance instance = DataInstanceFactory.Open(DataStore, dataGuid);

        DocumentMessageDefinition definition = new DocumentMessageDefinition
        {
            BasePhysicalOffset = (ulong)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "dBasePhysicalOffset"),
            BaseVirtualAddress = (ulong)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "dBaseVirtualAddress"),
            Description        = (string)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "sDescription"),
            FilePath           = (string)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "sFilePath"),
            hasLength          = (bool)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "bhasLength"),
            hasProcess         = (bool)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "bhasProcess"),
            Length             = (ulong)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "dLength"),
            PID                = (uint)DataStore.GetNamedAttribute(DataGroup.GenericObject, instance.ID, "iPID"),
            Tag                = instance.ID
        };
        definitionList.Add(definition);
    }
```

The outer LookupAllObjects enumerates every IPackage; the inner one enumerates the IDataInstance objects whose ParentID value is that package, and the "sObjectType" attribute filters them down to "DOCUMENT_FRAGMENT". The casts above are safe only because every DOCUMENT_FRAGMENT carries all of these attributes; see GetNamedAttribute below for the null case.

IDataStore.LookupAllObjects has three overloads, all returning an ArrayList of Guid:

ArrayList LookupAllObjects(DataGroup group)
    every object in the DataGroup

ArrayList LookupAllObjects(DataGroup group, string attributeName, object targetValue)
    objects in the DataGroup whose named attribute (for example "sObjectType") equals targetValue

ArrayList LookupAllObjects(DataGroup group, DataValueName valueName, object targetValue)
    objects in the DataGroup whose named value (a DataValueName enum member) equals targetValue

enum DataGroup

DataGroup (InspectorInterface.dll; using Inspector) selects the kind of object that LookupAllObjects, GetNamedAttribute, SetNamedAttribute, GetNamedValue and SetNamedValue operate on. For the groups that correspond to Inspector objects, a factory's Open(IDataStore, Guid) method returns the interface, implemented by the listed class (for example PackageFactory.Open returns an IPackage backed by InspectorPackage):

Value  DataGroup          Class                   Interface       Factory
0      GenericObject      -                       -               -
1      Package            InspectorPackage        IPackage        PackageFactory
2      Class              InspectorClass          IClass          ClassFactory
3      Function           InspectorFunction       IFunction       FunctionFactory
4      Block              InspectorBlock          IBlock          BlockFactory
5      DataInstance       InspectorDataInstance   IDataInstance   DataInstanceFactory
6      Sample             InspectorSample         ISample         SampleFactory
7      Snapshot           InspectorSnapshot       ISnapshot       SnapshotFactory
8      BlockBlockXref     -                       -               -
9      BlockFunctionXref  -                       -               -
10     BlockDataXref      -                       -               -
13     ReportItem         InspectorReportObject   IReportObject   ReportFactory
15     VASymbol           InspectorVASymbol       IVASymbol       VASymbolFactory
16     Comment            -                       -               -


method GetNamedAttribute / method SetNamedAttribute

```csharp
object GetNamedAttribute(DataGroup group, Guid guid, string attributeName)
```

Returns the named attribute of the object identified by guid in the given DataGroup, boxed as object. The first character of the attribute name states the type to cast it to:

Prefix  C# type  .NET type
"b"     bool     System.Boolean
"i"     uint     System.UInt32
"d"     ulong    System.UInt64
"s"     string   System.String
"g"     Guid     System.Guid

GetNamedAttribute returns null when the object has no attribute of that name. Unboxing null to a value type raises a NullReferenceException, so test for null before casting whenever the attribute is not guaranteed to exist:

```csharp
foreach(Guid guid in DataStore.LookupAllObjects(DataGroup.Package))
{
    /*
    DataGroup.Package encompasses three object types: "EPROCESS_BLOCK",
    "MODULE_ENTRY", and "DRIVER_ENTRY". Only "EPROCESS_BLOCK" and "MODULE_ENTRY"
    use the "iPID" named attribute, however.
    */
    object oPid = DataStore.GetNamedAttribute(DataGroup.Package, guid, "iPID");
    if(oPid == null)
        continue;

    /*
    Without the above null check, this cast will raise a NullReferenceException
    for objects of type "DRIVER_ENTRY", which have no "iPID" attribute and, as a
    result, return null when that attribute is requested.
    */
    uint pid = (uint)oPid;
}
```

GetNamedValue behaves the same way: null means the value is absent.

```csharp
bool SetNamedAttribute(DataGroup group, Guid guid, string attributeName, object newValue)
```

Stores newValue as the named attribute of the object identified by guid and returns true on success, false otherwise. Two rules apply:

• newValue must be exactly one of bool, uint, ulong, string or Guid (no other types are accepted).
• attributeName must begin with the prefix ("b", "i", "d", "s" or "g") that matches the type of newValue.

A value of the wrong type raises an InvalidCastException. Note that an integer literal is an int, not a uint:

```csharp
// Raises an InvalidCastException: 12345 is an int, but "i" requires a uint.
DataStore.SetNamedAttribute(DataGroup.Package, guid, "iTypeTest", 12345);
// Successfully stores the data.
DataStore.SetNamedAttribute(DataGroup.Package, guid, "iTypeTest", (uint)12345);
```

A name without a valid type prefix raises an Exception:

```csharp
// Raises an Exception: "TypeTest" carries no type prefix.
DataStore.SetNamedAttribute(DataGroup.Package, guid, "TypeTest", "Test string");
// Successfully stores the data.
DataStore.SetNamedAttribute(DataGroup.Package, guid, "sTypeTest", "Test string");
```

method GetNamedValue / method SetNamedValue

Named values are the fixed, enumerated properties of an object (DataValueName), as opposed to the free-form named attributes. Their types are again bool, uint, ulong, string or Guid.

```csharp
object GetNamedValue(DataGroup group, Guid guid, DataValueName name)
bool SetNamedValue(DataGroup group, Guid guid, DataValueName name, object newValue)
```

GetNamedValue returns the value boxed as object (null if absent); SetNamedValue stores newValue and returns true on success, false otherwise.

enum DataValueName

Guid   ParentID                          Guid of the parent object, normally an IPackage
Guid   FromID                            source of an Xref (an IFunction, IBlock or IDataInstance); groups BlockFunctionXref, BlockBlockXref, BlockDataXref
Guid   ToID                              target of an Xref (an IBlock or IDataInstance); groups BlockBlockXref, DataBlockXref
ulong  FromOffset                        IBlock, Xref
ulong  Offset
ulong  Length
ulong  BaseVirtualAddress
ulong  SectionOffset                     "SECTION_OBJECT"
ulong  SectionEndOffset                  "SECTION_OBJECT"
ulong  SectionRelativeVirtualOffset      IPackage, "SECTION_OBJECT"
ulong  SectionRelativeVirtualEndOffset   IPackage, "SECTION_OBJECT"
string Name                              string name, e.g. of a "DOCUMENT_FRAGMENT" or "KEYS_AND_PASSWORDS"
Guid   EntryBlockID                      Guid of the entry IBlock of an IFunction
uint   GroupName                         the object's DataGroup
ulong  ToOffset                          IBlock, Xref
ulong  EntryPointOffset                  IBlock, IPackage
string DisplayType                       Inspector.DisplayType, IReportObject


string Image                             IReportObject.Image
string ReportLongDescription             IReportObject.LongDescription
string SymbolType                        Inspector.stVASymbol, IVASymbol
string ReferenceFilePath                 IPackage
string SourceType                        Inspector.SourceType; IClass, IReportObject

"sObjectType"

Objects in DataGroup.Package, DataGroup.DataInstance and DataGroup.GenericObject carry a string attribute "sObjectType" naming their concrete type. The catalogue below lists each type with its DataGroup, the named attributes it carries (the prefix gives the type) and the DataValueName values it uses.

"DRIVER_ENTRY" : DataGroup.Package (IPackage, PackageType.DynamicModule)
  Attributes: "sModuleName", "sModulePath", "dPhysicalBase_MZ", "bIsHidden", "sAquisitionMethod", "dImageBase", "iImageBase", "iImageLength", "dImageEntry"
  Values: DataValueName.Offset, DataValueName.BaseVirtualAddress

"EPROCESS_BLOCK" : DataGroup.Package (IPackage, PackageType.ProcessContainer)
  Attributes: "sProcessName", "iPID", "iParentPID", "sStartTime", "sEndTime" (0 when no end time was recorded), "sCommandLine", "sWindowTitle", "sWorkingDirectory", "sDllPath" (e.g. "C:\WINDOWS\System32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\MySQL\MySQL Server 4.1\bin"), "dPDB" (page directory base from the EPROCESS), "bIsHidden", "sAquisitionMethod" (e.g. "EPROCESS PsActiveProcessHead" for a process found by walking the EPROCESS list from nt!PsActiveProcessHead)
  Values: DataValueName.Offset

"MODULE_ENTRY" : DataGroup.Package (IPackage, PackageType.DynamicModule)
  Attributes: "sModuleName", "sModulePath", "dPhysicalBase_MZ", "bIsHidden", "sAquisitionMethod", "dImageBase", "iImageBase", "iImageLength", "dImageEntry"
  Values: DataValueName.Offset, DataValueName.BaseVirtualAddress

"DOCUMENT_FRAGMENT" : DataGroup.DataInstance
  Attributes: "gParentClassID" (Guid of the IClass), "dBasePhysicalOffset", "dBaseVirtualAddress", "sDescription", "sFilePath", "bhasLength", "bhasProcess", "dLength", "iPID"
  Values: DataValueName.Name, DataValueName.ParentID, DataValueName.Offset

"KEYS_AND_PASSWORDS" : DataGroup.DataInstance
  Attributes: "gParentClassID" (Guid of the IClass), "dBasePhysicalOffset", "dBaseVirtualAddress", "sDescription", "sProcessName", "sUserName", "sPassWord", "bhasLength", "bhasProcess", "dLength", "iPID"
  Values: DataValueName.Name, DataValueName.ParentID, DataValueName.Offset

"IDT_ENTRY" : DataGroup.DataInstance
  Attributes: "dPhysicalOffset", "dVirtualAddress", "iIndex", "bHooked", "iGateType" (the GateType shown in the IDTBrowserDocument), "sTargetModuleName", "sTargetModulePath", "sFunctionName", "dFunctionAddress", "bIsHooked", "gReferenceObjectID" (Guid of the IPackage)

"SSDT_ENTRY" : DataGroup.DataInstance
  Attributes: "dDirectoryAddress", "dSSDTAddress", "iSSDTIndex", "iIndex", "bHooked", "sTargetModuleName", "sTargetModulePath", "sFunctionName", "dFunctionAddress", "bIsHooked", "gReferenceObjectID" (Guid of the IPackage)

"CALL_PTR" : DataGroup.DataInstance
  Attributes: "gSectionID" (Guid of the "SECTION_OBJECT" containing the call pointer)
  Values: DataValueName.Length, DataValueName.ParentID, DataValueName.Offset

"DATA_STRING" : DataGroup.DataInstance
  Attributes: "sEncoding" ("ASCII" or "UNICODE"), "bIsNullTerminated" (true if the string is null-terminated)
  Values: DataValueName.Name, DataValueName.Length, DataValueName.ParentID, DataValueName.Offset

"OPEN_FILE_ENTRY" : DataGroup.GenericObject
  Attributes: "gParentClassID" (Guid of the IClass), "sFileName", "sFullPath", "iPID", "bReadAccess" (read), "bWriteAccess" (write), "bDeleteAccess" (delete), "bSharedRead" (shared read), "bSharedWrite" (shared write), "bSharedDelete" (shared delete)
  Values: DataValueName.ParentID

"OPEN_REGISTRY_KEY" : DataGroup.GenericObject
  Attributes: "gParentClassID" (Guid of the IClass), "sKeyName", "sFullKeyPath", "iPID"
  Values: DataValueName.ParentID

"OPEN_SOCKET_ENTRY" : DataGroup.GenericObject
  Attributes: "gParentClassID" (Guid of the IClass), "sSource", "sDestination", "sState", "iSourcePort", "iDestinationPort", "bIsTCP", "bIsIPv6" (false), "iPID"
  Values: DataValueName.ParentID

"THREAD_ENTRY" : DataGroup.GenericObject (shown in the PhysicalThreadsDocument)
  Attributes: "gParentClassID" (Guid of the IClass), "iBasePriority", "iContextSwitchCount", "iLastErrorCode", "iPriority", "dpStackBase", "dpStartAddress", "dpTebBaseAddress", "dStackLimit", "iState", "iTid", "iPid", "gSSDTConsumersClassID" (Guid of an IClass)
  Values: DataValueName.ParentID

"SECTION_OBJECT" : DataGroup.GenericObject
  Values: DataValueName.SectionRelativeVirtualOffset, DataValueName.SectionRelativeVirtualEndOffset, DataValueName.SectionOffset, DataValueName.SectionEndOffset, DataValueName.ParentID

"SYSTEM_INFO" : DataGroup.GenericObject
  Attributes: "sIsPAE", "dSystemPDB"

"INVALID_STRING_MARKER" : DataGroup.GenericObject
  Values: DataValueName.Offset, DataValueName.Length, DataValueName.ParentID

"RULE_MATCH" : DataGroup.GenericObject
  Attributes: "sRuleType", "sDDNAWeight"

"DDNA_HIT" : DataGroup.GenericObject
  A DDNA hit is identified by the Guid of its IReportObject; "sObjectType" == "DDNA_HIT" marks the IReportObject. "RULE_MATCH" objects are the individual rule matches that make up a "DDNA_HIT".

"VAD_ENTRY" : DataGroup.GenericObject
  Attributes: "gParentClassID" (Guid of the IClass), "dStart", "dEnd", "sDesc", "iNPages", and one "dPhysOffset" attribute per page, suffixed with the page index: "dPhysOffset0", "dPhysOffset1", ... up to "iNPages" - 1
  Values: DataValueName.ParentID
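The following is an added example, not code from the guide or the Responder SDK. It addresses two things the GetNamedAttribute/SetNamedAttribute rules above leave to the caller: a missing attribute comes back as null (and blows up on unboxing), and the type prefix of the name has to agree with the cast. Attr.TryGet enforces both before touching the store. SocketQuery then uses it on the "OPEN_SOCKET_ENTRY" and "EPROCESS_BLOCK" objects from the catalogue to find listening sockets owned by a PID that has no process object, a common symptom of a hidden process. The "sState" values ("LISTENING" etc.) and the use of LookupAllObjects(group, "sObjectType", value) as the filter are assumptions taken from this guide's own listings.

```csharp
using System;
using System.Collections.Generic;
using Inspector;   // DataGroup, DataValueName, IDataStore

namespace Logic
{
    // Added example (not from the guide). Typed, null-safe access to named attributes.
    internal static class Attr
    {
        private static readonly Dictionary<char, Type> PrefixTypes = new Dictionary<char, Type>
        {
            { 'b', typeof(bool) }, { 'i', typeof(uint) }, { 'd', typeof(ulong) },
            { 's', typeof(string) }, { 'g', typeof(Guid) },
        };

        // True when the name carries a known prefix; expected receives the CLR type it denotes.
        internal static bool ExpectedType(string attributeName, out Type expected)
        {
            expected = null;
            return !string.IsNullOrEmpty(attributeName)
                && PrefixTypes.TryGetValue(attributeName[0], out expected);
        }

        // Returns false (value = default) when the object has no such attribute, so a
        // missing attribute never turns into a NullReferenceException on unboxing.
        // Throws ArgumentException when the prefix and T disagree, which would otherwise
        // surface later as an InvalidCastException.
        internal static bool TryGet<T>(IDataStore store, DataGroup group, Guid guid,
                                       string attributeName, out T value)
        {
            value = default(T);
            Type expected;
            if (!ExpectedType(attributeName, out expected) || expected != typeof(T))
                throw new ArgumentException(string.Format(
                    "\"{0}\" is not a {1} attribute", attributeName, typeof(T).Name));

            object raw = store.GetNamedAttribute(group, guid, attributeName);
            if (raw == null)
                return false;
            value = (T)raw;   // still InvalidCastException if the store holds another type
            return true;
        }
    }

    internal sealed class OpenSocket
    {
        public Guid Id;
        public uint Pid, SourcePort, DestinationPort;
        public string Source, Destination, State;
        public bool IsTcp;
    }

    internal static class SocketQuery
    {
        // Every OPEN_SOCKET_ENTRY in the project, grouped by owning PID.
        internal static Dictionary<uint, List<OpenSocket>> ByPid(IDataStore store)
        {
            var result = new Dictionary<uint, List<OpenSocket>>();
            foreach (Guid guid in store.LookupAllObjects(DataGroup.GenericObject, "sObjectType", "OPEN_SOCKET_ENTRY"))
            {
                var s = new OpenSocket { Id = guid };
                // An entry without a PID cannot be attributed; skip it rather than crash.
                if (!Attr.TryGet(store, DataGroup.GenericObject, guid, "iPID", out s.Pid))
                    continue;
                Attr.TryGet(store, DataGroup.GenericObject, guid, "sSource", out s.Source);
                Attr.TryGet(store, DataGroup.GenericObject, guid, "sDestination", out s.Destination);
                Attr.TryGet(store, DataGroup.GenericObject, guid, "sState", out s.State);
                Attr.TryGet(store, DataGroup.GenericObject, guid, "iSourcePort", out s.SourcePort);
                Attr.TryGet(store, DataGroup.GenericObject, guid, "iDestinationPort", out s.DestinationPort);
                Attr.TryGet(store, DataGroup.GenericObject, guid, "bIsTCP", out s.IsTcp);

                List<OpenSocket> list;
                if (!result.TryGetValue(s.Pid, out list))
                    result[s.Pid] = list = new List<OpenSocket>();
                list.Add(s);
            }
            return result;
        }

        // PIDs of all EPROCESS_BLOCK packages. DRIVER_ENTRY packages have no "iPID",
        // which is why the lookup is filtered on "sObjectType" first.
        internal static HashSet<uint> KnownPids(IDataStore store)
        {
            var pids = new HashSet<uint>();
            foreach (Guid guid in store.LookupAllObjects(DataGroup.Package, "sObjectType", "EPROCESS_BLOCK"))
            {
                uint pid;
                if (Attr.TryGet(store, DataGroup.Package, guid, "iPID", out pid))
                    pids.Add(pid);
            }
            return pids;
        }

        // Listening sockets whose owner PID has no process object in the project.
        internal static List<OpenSocket> OrphanListeners(IDataStore store)
        {
            HashSet<uint> known = KnownPids(store);
            var orphans = new List<OpenSocket>();
            foreach (KeyValuePair<uint, List<OpenSocket>> entry in ByPid(store))
                if (!known.Contains(entry.Key))
                    foreach (OpenSocket s in entry.Value)
                        if (s.State == "LISTENING")
                            orphans.Add(s);
            return orphans;
        }
    }
}
```

Attr.TryGet deliberately throws on a prefix/type mismatch rather than returning false: that mismatch is a programming error in the plug-in, whereas a missing attribute is a property of the data and must be handled at run time.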


Xref

Cross-references between blocks, functions and data instances are stored as objects of their own in the groups DataGroup.BlockBlockXref, DataGroup.BlockFunctionXref and DataGroup.BlockDataXref. Each carries the values DataValueName.FromOffset, DataValueName.ToOffset, DataValueName.FromID and DataValueName.ToID, identifying the IBlock the reference comes from and the IBlock, IFunction or IDataInstance it points to.

Example: reconstructing a module from "VAD_ENTRY" objects

A "VAD_ENTRY" describes a module as "iNPages" memory pages of 0x1000 bytes each, with the physical offset of page i in the snapshot stored in the attribute "dPhysOffset" + i. Reassembling the module means reading each page from the snapshot's BinaryReader (ISnapshot, reached through the IPackage of the physical memory snapshot) into a byte array. The complete routine, intended to sit in the Plugin class with DataStore referring to Documents.Inspector.Project.DataStore:

```csharp
using System;
using System.IO;   // File, BinaryReader, SeekOrigin, EndOfStreamException
using Inspector;

private void ReconstructVadModules()
{
    // Each memory page is 0x1000 bytes.
    const int pageSize = 0x1000;

    // A reference to the snapshot package is obtained via the InspectorDocument.
    IPackage snapshotPackage = Documents.Inspector.GetPhysicalMemorySnapshotPackage();

    // Non-Physical Memory Snapshot projects do not include the right kind of snapshot.
    if(snapshotPackage == null)
        return;

    // A reference to the snapshot itself is obtained via the snapshot package.
    ISnapshot snapshot = snapshotPackage.InitialSnapshot;

    // Even if the project is of the right type, the snapshot may have been moved or
    // deleted. Ensure that it still exists in the appropriate place before proceeding.
    if(!File.Exists(snapshot.ReferenceFilePath))
        return;

    // Every snapshot includes a built-in BinaryReader.
    BinaryReader byteReader = snapshot.ByteReader;
    ulong snapshotLength = (ulong)byteReader.BaseStream.Length;

    // This foreach statement applies the reconstruction logic to every module that has
    // one or more associated "VAD_ENTRY" objects.
    foreach(Guid guid in DataStore.LookupAllObjects(DataGroup.GenericObject, "sObjectType", "VAD_ENTRY"))
    {
        // The number of memory pages that compose the module.
        uint pageCount = (uint)DataStore.GetNamedAttribute(DataGroup.GenericObject, guid, "iNPages");

        // The byte array that will contain the reassembled module, sized to the number of
        // memory pages multiplied by the size of each memory page.
        byte[] moduleBytes = new byte[pageCount * pageSize];

        // readIndex is the base index in moduleBytes that the next page is written to.
        int readIndex = 0;

        // A loop through each of the module's memory pages.
        for(int i = 0; i < pageCount; i++)
        {
            // The physical offset of the memory page in the snapshot.
            ulong address = (ulong)DataStore.GetNamedAttribute(DataGroup.GenericObject, guid, "dPhysOffset" + i);

            // If the whole page lies within the bounds of the snapshot, seek to address
            // and read the page into moduleBytes at readIndex. A page outside the snapshot
            // is left zero-filled; readIndex advances either way so that the following
            // pages keep their position (and therefore their RVAs) within the module.
            if(address + (ulong)pageSize <= snapshotLength)
            {
                byteReader.BaseStream.Seek((long)address, SeekOrigin.Begin);
                ReadAll(byteReader, moduleBytes, readIndex, pageSize);
            }
            readIndex += pageSize;
        }

        // moduleBytes now contains the reconstructed module and is ready for further
        // processing.
    }
}

// Stream.Read (System.IO.FileStream.Read) may return fewer bytes than requested, so
// loop until the page is complete. A zero-length read means the stream ended early;
// without that check the loop would never terminate.
public static void ReadAll(BinaryReader byteReader, byte[] data, int offset, int length)
{
    while(length > 0)
    {
        int read = byteReader.Read(data, offset, length);
        if(read <= 0)
            throw new EndOfStreamException("Snapshot ended before the page was fully read.");
        length -= read;
        offset += read;
    }
}
```
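The following is an added example, not code from the guide or the Responder SDK. Once moduleBytes has been assembled as above, it is worth confirming that the bytes really are a mapped image before analysing or dumping them: page 0 must start with an MZ header whose e_lfanew points at a "PE\0\0" signature inside the buffer, and the optional header's SizeOfImage can be compared with the number of pages the VAD covered (pages that were not in the snapshot are zero-filled and show up as a header that does not parse or a size that does not match). The comparison only means something when the VAD begins at the image base, which is the normal case for an image mapping; the helper names (PeCheck, Inspect, Describe, Dump) are this example's own.

```csharp
using System;
using System.IO;

namespace Logic
{
    // Added example (not from the guide). Sanity-checks a byte array assembled from a
    // VAD_ENTRY before it is treated as a module image.
    internal static class PeCheck
    {
        internal struct Result
        {
            public bool IsPe;
            public ushort Machine;
            public uint SizeOfImage;
            public string Reason;
        }

        internal static Result Inspect(byte[] image)
        {
            var r = new Result { Reason = "ok" };
            if (image.Length < 0x40 || image[0] != (byte)'M' || image[1] != (byte)'Z')
            { r.Reason = "no MZ signature in page 0"; return r; }

            long lfanew = BitConverter.ToUInt32(image, 0x3C);
            // "PE\0\0" (4) + COFF file header (20) + the optional header up to and
            // including SizeOfImage (0x3C) must all fit inside the buffer.
            if (lfanew + 24 + 0x3C > image.Length)
            { r.Reason = "e_lfanew points outside the buffer"; return r; }
            if (BitConverter.ToUInt32(image, (int)lfanew) != 0x00004550)
            { r.Reason = "no PE signature at e_lfanew"; return r; }

            r.Machine = BitConverter.ToUInt16(image, (int)lfanew + 4);
            ushort magic = BitConverter.ToUInt16(image, (int)lfanew + 24);
            if (magic != 0x10B && magic != 0x20B)      // PE32 / PE32+
            { r.Reason = "unknown optional header magic"; return r; }

            // SizeOfImage sits at offset 0x38 of the optional header in both formats.
            r.SizeOfImage = BitConverter.ToUInt32(image, (int)lfanew + 24 + 0x38);
            r.IsPe = true;
            return r;
        }

        // One-line verdict suitable for PostLogMessage; pageSize is 0x1000 as above.
        internal static string Describe(byte[] image, uint pageCount, int pageSize)
        {
            Result r = Inspect(image);
            if (!r.IsPe)
                return "not a PE image: " + r.Reason;

            // SizeOfImage above what the VAD covers means the VAD holds only part of the
            // mapping (or pages are missing); below it means trailing pages are not image.
            ulong covered = (ulong)pageCount * (ulong)pageSize;
            string verdict = r.SizeOfImage == covered ? "matches" :
                             r.SizeOfImage > covered ? "exceeds" : "is below";
            return string.Format("PE (machine 0x{0:X4}), SizeOfImage 0x{1:X} {2} the {3} VAD pages",
                                 r.Machine, r.SizeOfImage, verdict, pageCount);
        }

        // Writes the image beside the snapshot, named after the VAD_ENTRY's Guid, and
        // returns the path written.
        internal static string Dump(byte[] image, string snapshotPath, Guid vadGuid)
        {
            string path = Path.Combine(Path.GetDirectoryName(snapshotPath),
                                       vadGuid.ToString("N") + ".bin");
            File.WriteAllBytes(path, image);
            return path;
        }
    }
}
```

Inside the reconstruction loop this is used as PostLogMessage(PeCheck.Describe(moduleBytes, pageCount, pageSize)), followed by PeCheck.Dump(moduleBytes, snapshot.ReferenceFilePath, guid) only for buffers that pass. Dumped images are memory layouts, not files: section alignment is the in-memory one, so a tool that expects file alignment must be told so before it can parse them.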


Inspector classes

The concrete Inspector classes behind the DataGroup interfaces (InspectorLibrary.dll), with the "sObjectType" values each one backs:

InspectorPackage : IPackage             "DRIVER_ENTRY", "MODULE_ENTRY", "EPROCESS_BLOCK"
InspectorClass : IClass
InspectorBlock : IBlock
InspectorInstruction : IInstruction
InspectorSnapshot : ISnapshot           exposes the snapshot's BinaryReader
InspectorDataInstance : IDataInstance   "CALL_PTR", "DATA_STRING", "DOCUMENT_FRAGMENT", "IDT_ENTRY", "KEYS_AND_PASSWORDS", "SSDT_ENTRY"
InspectorFunction : IFunction
InspectorReportObject : IReportObject


6. APPENDIX I: C# RESOURCES
