inVtero.net.Scanner.HV C# (CSharp) Method

HV() public method

In some deployments, Hyper-V was found to use a configuration like the one this method checks for.
public HV ( long offset ) : bool
offset long
return bool
        /// <summary>
        /// Tests whether the page currently held in <c>block</c> matches the Hyper-V
        /// top-level page-table signature and, if it does, records it in
        /// <c>DetectedProcesses</c> keyed by <paramref name="offset"/>.
        /// </summary>
        /// <remarks>
        /// The checks are bit-pattern heuristics over raw memory, so a <c>true</c> result
        /// marks a candidate rather than a confirmed page table.
        /// </remarks>
        /// <param name="offset">
        /// Offset of the page being tested; stored as <c>FileOffset</c> and used as the
        /// dictionary key. Presumably CurrWindowBase + CurrMapBase, going by the line the
        /// original author left commented out; confirm against the callers.
        /// </param>
        /// <returns>
        /// <c>true</c> when the page matched every check and no entry for
        /// <paramref name="offset"/> existed yet; otherwise <c>false</c>.
        /// </returns>
        public bool HV(long offset)
        {
            // Bits 12..47 of entry 0x1fe are kept as the candidate CR3 value.
            var shifted = block[0x1fe] & 0xFFFFFFFFF000;
            var diff = offset - shifted;

            // Mode 2 detection; the original author notes that 2 is good for most
            // purposes and more portable, and that 0x3 may be sufficient.
            if (shifted == 0)
            {
                return false;
            }

            // Low 12 bits of entry 0 must be exactly 0x063.
            if ((block[0] & 0xfff) != 0x063)
            {
                return false;
            }

            // Low byte of entry 0x1fe must be 0x63 or 0x67 (the two differ only in bit 2).
            // NOTE(review): read as x86-64 paging flags these would be
            // Present|RW|Accessed|Dirty, with 0x67 adding User. That is an assumed
            // interpretation; confirm.
            var entryFlags = block[0x1fe] & 0xff;
            if (entryFlags != 0x63 && entryFlags != 0x67)
            {
                return false;
            }

            // The last entry of the page must be empty.
            if (block[0x1ff] != 0)
            {
                return false;
            }

            // Disqualify entries with any of bits 48..63, bit 10 (0x400) or bit 7 (0x80) set.
            if (((ulong)block[0x1fe] & 0xFFFF000000000480) != 0)
            {
                return false;
            }

            // A page already recorded under this offset is not reported again.
            if (DetectedProcesses.ContainsKey(offset))
            {
                return false;
            }

            var detected = new DetectedProc
            {
                CR3Value = shifted,
                FileOffset = offset,
                Diff = diff,
                Mode = 2,
                PageTableType = PTType.HyperV,
                TrueOffset = TrueOffset
            };

            // Keep a copy of every non-zero entry of the 0x200-entry page.
            for (int slot = 0; slot < 0x200; slot++)
            {
                if (block[slot] != 0)
                {
                    detected.TopPageTablePage.Add(slot, block[slot]);
                }
            }

            // NOTE(review): the TryAdd result is not checked, so if the key appears between
            // the ContainsKey test above and this call, the method still returns true.
            // Confirm whether callers depend on that.
            DetectedProcesses.TryAdd(offset, detected);

            if (Vtero.VerboseOutput)
            {
                WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, detected.ToString());
            }

            return true;
        }