inVtero.net.Scanner.LinuxS C# (CSharp) Method

LinuxS() public method

The LinuxS check is a single-pass, state-preserving scanner. It was created using kernel 3.19 as a baseline; other kernel layouts are not yet covered. More to follow.
public LinuxS ( long offset ) : bool
offset long
return bool
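        /// <summary>
        /// Single-pass, state-preserving heuristic that decides whether the page currently loaded
        /// in <c>block</c> looks like the top-level page table of a Linux process, using the layout
        /// observed on kernel 3.19 as the baseline.
        /// </summary>
        /// <param name="offset">
        /// Offset of the page under test. On a match it is recorded as both the CR3 value and the
        /// file offset of the <see cref="DetectedProc"/> that is catalogued in <c>DetectedProcesses</c>.
        /// </param>
        /// <returns>
        /// <c>true</c> when the page matches the kern319 layout (a DetectedProc was built for it),
        /// <c>false</c> otherwise.
        /// </returns>
        /// <remarks>
        /// Layout observed on kern319, as byte offsets into the page (entry index = byte offset / 8):
        ///   must be present: 0x7f8 (per-process, so not used for grouping) and
        ///                    0x880, 0xc90, 0xe88, 0xea0, 0xff0, 0xff8 (identical across processes);
        ///   must be zero:    8-7f0, 800-880, 888-c88, c98-e88, e90-ea0, ea8-ff0.
        /// Each must-have entry carries the low flag bits 0x067. Only the larger zero ranges are
        /// checked (see the note in the body). The first hit seeds <c>LinuxSFirstPage</c> /
        /// <c>LinuxSFirstPages</c>; later hits are grouped by comparing their lower half (first
        /// 0x100 entries) with the seeds, on the observation that Linux processes share a
        /// consistent kernel view.
        ///
        /// NOTE(review): this is a pattern match on memory contents, not a structural proof. Memory
        /// crafted to satisfy these offsets is catalogued as a process (false positive), and a
        /// kernel whose top-level table differs from the 3.19 layout is missed (false negative).
        /// Consumers of <c>DetectedProcesses</c> should treat LinuxS hits as candidates to corroborate.
        /// </remarks>
        public bool LinuxS(long offset)
        {
            // Must-have entries: byte offsets 0x7f8, 0x880, 0xc90, 0xe88, 0xea0, 0xff0, 0xff8.
            // Every one must carry the low flag bits 0x067 on the kern319 baseline.
            bool entriesPresent =
                ((block[0xFF] & 0xfff) == 0x067) &&
                ((block[0x110] & 0xfff) == 0x067) &&
                ((block[0x192] & 0xfff) == 0x067) &&
                ((block[0x1d1] & 0xfff) == 0x067) &&
                ((block[0x1d4] & 0xfff) == 0x067) &&
                ((block[0x1fe] & 0xfff) == 0x067) &&
                ((block[0x1ff] & 0xfff) == 0x067);

            if (!entriesPresent)
                return false;

            // Must-be-zero ranges as (entry index, entry count). The 8-7f0 range
            // (IsZero(block, 8, 0xE0)) and the 800-880 range (IsZero(block, 0x100, 0x10)) are
            // intentionally not checked: they were disabled in the original heuristic, and
            // re-enabling them would change what qualifies as a hit.
            bool holesClear =
                IsZero(block, 0x111, 0x80) &&
                IsZero(block, 0x193, 0x3e) &&
                IsZero(block, 0x1D2, 0x02) &&
                IsZero(block, 0x1D5, 0x29);

            if (!holesClear)
                return false;

            // Group this page with an earlier hit whose lower half (kernel view) is identical.
            // The last matching seed wins and -1 means "no group".
            var group = -1;
            for (int i = 0; i < LinuxSFirstPages.Count; i++)
            {
                if (EqualBytesLongUnrolled(block, LinuxSFirstPages[i], 0x100))
                    group = i;
            }

            // The very first hit becomes the reference page and group 0.
            if (LinuxSFirstPage == null)
            {
                LinuxSFirstPage = block;
                LinuxSFirstPages.Add(block);
                group = 0;
            }

            var dp = new DetectedProc
            {
                CR3Value = offset,
                FileOffset = offset,
                Diff = 0,
                Mode = 2,
                Group = group,
                PageTableType = PTType.LinuxS,
                TrueOffset = TrueOffset
            };

            // Keep only the populated entries of the top-level page.
            for (int p = 0; p < 0x200; p++)
            {
                if (block[p] != 0)
                    dp.TopPageTablePage.Add(p, block[p]);
            }

            if (Vtero.VerboseOutput)
                WriteColor(ConsoleColor.Cyan, dp.ToString());

            // TryAdd is a no-op when this offset was already catalogued; the return value reports
            // a layout match, not whether a new entry was recorded.
            DetectedProcesses.TryAdd(offset, dp);
            return true;
        }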