inVtero.net.Specialties.VMWare.IsSupportedFormat C# (CSharp) Method

VMWare Class Documentation Usage Examples Of inVtero.net.Specialties.VMWare::IsSupportedFormat Show file Open project: ShaneK2/inVtero.net

IsSupportedFormat() public method

OK need to double check later but even though there are 64 bits available in the field only 32bits are seemingly being used. Otherwise the values have to be interpreted as physical addresses and not page numbers.

public IsSupportedFormat ( Vtero vtero ) : bool
vtero	Vtero
return	bool

        public override bool IsSupportedFormat(Vtero vtero)
        {
            // use abstract implementation & scan for internal 
            // were actually not going to use this in VMWare since were so good at vmss
            // this is sort of meaningless :( 
            //LogicalPhysMemDesc = ExtractMemDesc(vtero);

            bool rv = false;
            if (!File.Exists(vDeviceFile) || !File.Exists(MemFile))
                return rv;

            using (var dstream = File.OpenRead(vDeviceFile))
            {
                using (var dbin = new BinaryReader(dstream))
                {
                    // D2BE is really easy to extract data from
                    if (dbin.ReadUInt32() != 0xBED2BED2)
                        return rv;
                }
            }

            rv = true;

            var MemRunDescriptor = new MemoryDescriptor();
            // vmem files are contagious starting from 0
            MemRunDescriptor.StartOfMemmory = 0;
            
            var stateData = File.ReadAllBytes(vDeviceFile);
            var ToFind = ASCIIEncoding.ASCII.GetBytes("regionsCount");
            var rpn = ASCIIEncoding.ASCII.GetBytes("regionPageNum");
            var ppn = ASCIIEncoding.ASCII.GetBytes("regionPPN");
            var rsiz = ASCIIEncoding.ASCII.GetBytes("regionSize");

            int i;
            for(i=0; i < stateData.Length-ToFind.Length; i++)
            {
                int n = 0;
                bool Found = false;
                do
                {
                    if (stateData[i + n] != ToFind[n])
                        break;

                    n++;
                    if (n >= ToFind.Length)
                        Found = true;
                } while (!Found);

                if (Found)
                    break;
            }

            long TotalPages = 0;

            i += ToFind.Length;
            var Count = BitConverter.ToUInt32(stateData, i);
            MemRunDescriptor.NumberOfRuns = Count;
            i += 4; i += 2; // 2 bytes looks like a typeID or some sort of magic
            // below the >> 20 is/was what seemed to be an adjustment for 64-44 bits of
            // physical address range
            // however the additional >> 12 is physical address into physical pages
            // but it seemingly was supposed to be pages to begin with so who knows, but this works
            // maybe it is pages and I needed +4 on the index and then everything works with a .ToUInt32
            // but that now seems short of the physical limits, anyhow, this works ;)
            for (int r = 0; r < Count; r++)
            {
                i += rpn.Length;
                var basePage = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
                i += 8; i += 2;
                i += ppn.Length;
                var ppnVal = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
                i += 8; i += 2;
                i += rsiz.Length;
                var regionSize = BitConverter.ToInt64(stateData, i) >> 20 >> 12;
                i += 8; i += 2;

                TotalPages += regionSize;

                MemRunDescriptor.Run.Add(new MemoryRun() { BasePage = ppnVal, PageCount = regionSize, regionPPN = basePage });
            }

            MemRunDescriptor.NumberOfPages = TotalPages;
            PhysMemDesc = MemRunDescriptor;

            return rv;
        }

Usage Example

Example #1

Show file

File: inVtero.cs Project: IOActive/inVtero.net

        public Vtero(string MemoryDump) :this()
        {
            MemFile = MemoryDump.ToLower();

            if (MemFile.EndsWith(".dmp"))
            {
                var dump = new CrashDump(MemFile);
                if (dump.IsSupportedFormat())
                    DetectedDesc = dump.PhysMemDesc;
            }
            else if(MemFile.EndsWith(".vmss") || MemFile.EndsWith(".vmsn") || MemFile.EndsWith(".vmem"))
            {
                var dump = new VMWare(MemFile);
                if (dump.IsSupportedFormat())
                {
                    DetectedDesc = dump.PhysMemDesc;

                    MemFile = dump.MemFile;
                }
            }

            scan = new Scanner(MemFile);
            FileSize = new FileInfo(MemFile).Length;

        }

All Usage Examples Of inVtero.net.Specialties.VMWare::IsSupportedFormat

VMWare

IsSupportedFormat

VMWare