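def _proc_summary(proc):
    """Format one walked EPROCESS as 'ImagePath : DTB : VadRoot : PID' (hex).

    The DirectoryTableBase is read from the dynamic ``Dictionary`` the walker
    filled in; the other fields are plain members of the walked object.
    """
    return (proc.ImagePath + " : "
            + proc.Dictionary["Pcb.DirectoryTableBase"].ToString("X") + " : "
            + proc.VadRoot.ToString("X") + " : "
            + proc.UniqueProcessId.ToString("X"))


def _same_address_space(logical_proc, hwproc):
    """True when a walked EPROCESS and a scanned (physical) process share a CR3/DTB."""
    return logical_proc.Dictionary["Pcb.DirectoryTableBase"] == hwproc.CR3Value


def ScanDump(MemoryDump, copts):
    """Scan a memory dump, pick the kernel process, load its symbols and
    cross-check the scanned (physical) process list against the walked
    (logical) EPROCESS list.

    Args:
        MemoryDump: path to the dump file; it is also stored in ``copts.FileName``.
        copts: scan options object handed to ``Scan.Scanit``.

    Returns:
        The ``vtero`` object produced by ``Scan.Scanit`` with ``KernelProc``
        and ``KVS`` populated (state is checkpointed when symbols were freshly
        loaded).

    Side effects:
        Prints progress to the console and changes ``Console.ForegroundColor``
        (left White on return). Every physical process without a logical
        counterpart is appended to ``hwmiss``.
    """
    MemoryDumpSize = FileInfo(MemoryDump).Length
    copts.FileName = MemoryDump

    # Check StopWatch
    runTime = Stopwatch.StartNew()

    # since we are not ignoring SaveData, this just get's our state from
    # the underlying protobuf, pretty fast
    vtero = Scan.Scanit(copts)
    proc_arr = vtero.Processes.ToArray()

    # Heuristic: the scanned process with the numerically lowest CR3
    # (page-table base) is assumed to be the kernel. NOTE(review): nothing
    # below validates that assumption; a dump where it does not hold would
    # load symbols against the wrong address space.
    kernel_proc = proc_arr[0]
    for candidate in proc_arr:
        if candidate.CR3Value < kernel_proc.CR3Value:
            kernel_proc = candidate

    print "Assumed Kernel Proc: " + kernel_proc.ToString()
    vtero.KernelProc = kernel_proc
    #vtero.CheckpointSaveState()

    kernel_proc.MemAccess = Mem(vtero.MemAccess)

    #swModScan = Stopwatch.StartNew()
    # by default this will scan for kernel symbols
    if vtero.KVS is None:
        kvs = kernel_proc.ScanAndLoadModules()
        vtero.KVS = kvs
        vtero.CheckpointSaveState()
    else:
        kernel_proc.LoadSymbols()

    #apply some setup
    # low 16 bits of NtBuildNumber hold the build number
    kMinorVer = kernel_proc.GetSymValueLong("NtBuildNumber") & 0xffff
    Console.ForegroundColor = ConsoleColor.Cyan
    print "kernel build: " + kMinorVer.ToString()

    # Use dynamic typing to walk EPROCES
    logicalList = vtero.WalkProcList(kernel_proc)
    print "Physical Proc Count: " + proc_arr.Count.ToString()
    #for pproc in proc_arr:
    #    print pproc

    # The cross-checks need a walked list; when the walk yields nothing they
    # are skipped and only the timing summary is printed.
    if logicalList is not None:
        print "Logical Proc Count: " + logicalList.Count.ToString()
        for lproc in logicalList:
            # This is due to a structure member name change pre win 8
            if lproc.Dictionary.ContainsKey("VadRoot.BalancedRoot.RightChild"):
                lproc.VadRoot = lproc.Dictionary["VadRoot.BalancedRoot.RightChild"]
            print _proc_summary(lproc)

        Console.ForegroundColor = ConsoleColor.Green
        print "checking that all logical processes exist in the physical list."
        # Miss list mostly bad for yellow printing
        for lproc in logicalList:
            if any(_same_address_space(lproc, hwproc) for hwproc in proc_arr):
                continue
            Console.ForegroundColor = ConsoleColor.Yellow
            if lproc.VadRoot == 0:
                # No VAD tree: the process is torn down, so having no page
                # tables for it is expected rather than suspicious.
                Console.ForegroundColor = ConsoleColor.Green
                print "An expected, ",
            print "Logical miss for " + _proc_summary(lproc)

        print "Checking that all physical processes exist in the logical list"
        for hwproc in proc_arr:
            if any(_same_address_space(lproc, hwproc) for lproc in logicalList):
                continue
            # Page tables exist but no walked EPROCESS matches them;
            # presumably the case of interest for hidden-process detection.
            Console.ForegroundColor = ConsoleColor.Yellow
            # NOTE(review): hwmiss is not defined in this function; looks like
            # a module-level list -- confirm it exists before this is reached.
            hwmiss.append(hwproc)
            print "physical miss for " + hwproc.ToString()

    Console.ForegroundColor = ConsoleColor.White
    print "PART RUNTIME: " + runTime.Elapsed.ToString() + " (seconds), INPUT DUMP SIZE: " + MemoryDumpSize.ToString("N") + " bytes."
    # the +1 keeps the divisor non-zero for sub-second runs (integer division)
    print "SPEED: " + ((MemoryDumpSize / 1024) / ((runTime.ElapsedMilliseconds / 1000) + 1)).ToString("N0") + " KB / second (all phases aggregate time)"
    return vtero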
Found = False for proc in logicalList: if proc.Dictionary["Pcb.DirectoryTableBase"] == hwproc.CR3Value: found = True if found == False: Console.ForegroundColor = ConsoleColor.Yellow if proc.VadRoot == 0: Console.ForegroundColor = ConsoleColor.Green print "An expected, ", print "physical miss for " + proc.ImagePath + " : " + proc.Dictionary[ "Pcb.DirectoryTableBase"].ToString( "X") + " : " + proc.VadRoot.ToString( "X") + " : " + proc.UniqueProcessId.ToString("X") print "TOTAL RUNTIME: " + runTime.Elapsed.ToString( ) + " (seconds), INPUT DUMP SIZE: " + MemoryDumpSize.ToString("N") + " bytes." print "SPEED: " + ((MemoryDumpSize / 1024) / ((runTime.ElapsedMilliseconds / 1000) + 1)).ToString( "N0") + " KB / second (all phases aggregate time)" print "ALL DONE... Please explore!" # Get detected symbol file to use for loaded vtero symFile = "" for pdb in vtero.KernelProc.PDBFiles: if pdb.Contains("ntkrnlmp"): symFile = pdb def ListVAD(VadRoot): if VadRoot == 0: return