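/// <summary>
/// Tests whether the page-sized <c>block</c> found at <paramref name="offset"/> looks like a
/// Windows top-level page table page and, if so, records it in <c>DetectedProcesses</c>.
/// </summary>
/// <param name="offset">File offset of the block being examined.</param>
/// <returns>
/// <c>true</c> only when this call added a new <c>DetectedProc</c> for <paramref name="offset"/>;
/// <c>false</c> when the block fails the heuristics or the offset was already recorded.
/// </returns>
/// <remarks>
/// Mode 2 is the heuristic that is always compiled in; mode 1 (a much looser valid-bit scan) only
/// exists under the <c>MODE_1</c> build symbol. Both rely on the kernel self-map entry living at a
/// fixed index, which the author notes holds for kernels that predate the Windows 10 self-map
/// randomization. NOTE(review): mode 2 never bounds <c>shifted</c> against <c>FileSize</c> the way
/// mode 1 does, so an entry whose address field points past the end of the image still becomes a
/// candidate — confirm that this is intentional.
/// </remarks>
public bool Windows(long offset)
{
    var candidate = false;

    // Self-map (self-referencing) entry index. Fixed at 0x1ed on kernels that predate the
    // Windows 10 (1607, "anniversary") randomization of this slot.
    const int SelfPtr = 0x1ed;

    // Address field of the self-map entry (bits 12..47, low 12 attribute bits cleared);
    // this is what is recorded as CR3Value for a detected process.
    var shifted = (block[SelfPtr] & 0xFFFFFFFFF000);
    // Delta between where the page sits in the file and the address its self-map entry claims.
    var diff = offset - shifted;

    // Mode 2: entry 0 must match the expected attribute pattern and the self-map entry's low byte
    // must be one of the two accepted attribute bytes. The author considered a looser 0x3 mask
    // possibly sufficient; 0xfdf is kept because it has proven the more portable choice.
    if (((block[0] & 0xfdf) == 0x847) && ((block[SelfPtr] & 0xff) == 0x63 || (block[SelfPtr] & 0xff) == 0x67))
    {
        // Disqualify self-map entries that have any of these bits set:
        // 111 1111 1111 1111 0000 0000 0000 0000 0000 0000 0000 0000 0000 0100 1000 0000
        if ((block[SelfPtr] & 0x7FFF000000000480) == 0)
        {
#if MODE_1
            if (!SetDiff)
            {
                FirstDiff = diff;
                SetDiff = true;
            }
#endif
            var dp = new DetectedProc { CR3Value = shifted, FileOffset = offset, Diff = diff, Mode = 2, PageTableType = PTType.Windows, TrueOffset = TrueOffset };
            // Keep every non-zero entry of the 512-entry table with its index.
            for (int p = 0; p < 0x200; p++)
            {
                if (block[p] != 0)
                    dp.TopPageTablePage.Add(p, block[p]);
            }

            // TryAdd's result is the single source of truth for "newly detected": a ContainsKey
            // pre-check followed by an ignored TryAdd would let two scans of the same offset both
            // report it and both return true.
            if (DetectedProcesses.TryAdd(offset, dp))
            {
                if (Vtero.VerboseOutput)
                    WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, dp.ToString());
                candidate = true;
            }
        }
    }
    // Mode 1 is implemented to hit on very few supported bits; the author was developing a
    // version close to this intended to work for Linux.
#region MODE 1 IS PRETTY LOOSE
#if MODE_1
    // Mode 1: the author notes that testing only bit 0 (the valid bit) of each entry may be enough.
    //if (((block[0] & 3) == 3) && (block[0x1ed] & 3) == 3)
    else if ((block[0] & 1) == 1 && (block[0xf68 / 8] & 1) == 1)
    {
        // A possible kernel first PFN? Should look somewhat valid...
        if (!SetDiff)
        {
            // The author notes this path could be attacked too: a sufficiently modified/hooked
            // kernel (bootkit) could shape these entries. Mode 1 is a very low bit-scan, but
            // FirstDiff must not be polluted, so these root entries — which the author states are
            // valid for all win64 kernels (PTE/hyper/session space etc.) — are required first.
            if ((block[0xf78 / 8] & 1) == 1 && (block[0xf80 / 8] & 1) == 1 && (block[0xff8 / 8] & 1) == 1 && (block[0xff0 / 8] == 0))
            {
                // Without this check some false positives appear; remove it to be more aggressive.
                if (diff < FileSize && (offset > shifted ? (diff + shifted == offset) : (diff + offset == shifted)))
                {
                    FirstDiff = diff;
                    SetDiff = true;
                }
            }
        }

        // Accept only entries whose delta matches the first one seen and whose address field lies
        // within the image once that delta is applied. (An earlier variant also admitted
        // `shifted != 0`; it is left out.)
        if (SetDiff && FirstDiff == diff && shifted < (FileSize + diff))
        {
            var dp = new DetectedProc { CR3Value = shifted, FileOffset = offset, Diff = diff, Mode = 1, PageTableType = PTType.Windows };
            // Same TryAdd gating as mode 2: report and count only a newly added entry.
            if (DetectedProcesses.TryAdd(offset, dp))
            {
                WriteColor(dp);
                candidate = true;
            }
        }
    }
#endif
#endregion
    return candidate;
}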