/*
Copyright 2012-2013 Michael Cohen <[email protected]>
Authors: Michael Cohen <[email protected]>, Viviane Zwanger
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "winpmem.h"
#define Log(x, ...) wprintf(x, __VA_ARGS__)
/* Print the usage text to stdout through the Log macro (wprintf).
   ExeName is echoed into the usage line and the example; callers pass
   argv[0]. `version` is defined outside this file (via winpmem.h). */
void help(TCHAR* ExeName)
{
    Log(L"Winpmem - A memory imager for windows.\n"
        L"Copyright Michael Cohen ([email protected]) 2012-2014.\n\n");
    Log(L"Version %s\n", version);
    Log(L"Usage:\n"
        L" %s [option] [output path]\n"
        L"\nOption:\n", ExeName);
    Log(L" -l Load the driver and exit.\n"
        L" -u Unload the driver and exit.\n"
        L" -d [filename]\n"
        L" Extract driver to this file (Default use random name).\n"
        L" -h Display this help.\n"
        L" -w Turn on write mode.\n"
        L" -0 Use MmMapIoSpace method.\n"
        L" -1 Use \\\\Device\\PhysicalMemory method (Default for 32bit OS).\n"
        L" -2 Use PTE remapping (AMD64 only - Default for 64bit OS).\n"
        L"\n"
        L"NOTE: an output filename of - will write the image to STDOUT.\n"
        L"\nExamples:\n");
    Log(L"%s physmem.raw\nWrites an image to physmem.raw\n", ExeName);
}
/* Create the correct WinPmem object for the running OS. Currently this
   selects between the 32 and 64 bit implementations; any other processor
   architecture yields NULL, which the caller must check before use.
   Ownership of the returned object passes to the caller (delete it). */
WinPmem* WinPmemFactory()
{
    SYSTEM_INFO sys_info = {0};
    GetNativeSystemInfo(&sys_info);

    WORD arch = sys_info.wProcessorArchitecture;
    if (arch == PROCESSOR_ARCHITECTURE_AMD64)
    {
        Log(L"WinPmem64\n");
        return new WinPmem64();
    }
    if (arch == PROCESSOR_ARCHITECTURE_INTEL)
    {
        Log(L"WinPmem32\n");
        return new WinPmem32();
    }
    return NULL;
}
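/* Program entry point.
 *
 * Parses the command line and runs exactly one action on the WinPmem
 * object returned by WinPmemFactory():
 *   -l               install the driver, apply the mode (and -w), exit
 *   -u               uninstall the driver and exit
 *   <output path>    install the driver, acquire a raw image, uninstall
 *   -d <file> alone  extract the embedded driver to <file> and exit
 * -0/-1/-2 select the acquisition mode, -d names the driver file, -w
 * enables write mode. As in the original, -w is only applied on the -l
 * path; NOTE(review): it is not applied on the image-acquisition path —
 * confirm whether that is intended. -h (and any unknown option) reaches
 * the default case and prints the help text via the error path.
 *
 * Returns the status reported by the last WinPmem call, truncated to int,
 * or -1 after printing the help text when the command line is invalid or
 * when no WinPmem implementation exists for this processor architecture.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    __int64 i;
    __int64 status = -1;          // only overwritten by a dispatched action
    unsigned __int32 mode = PMEM_MODE_PTE;
    __int64 write_mode = 0;
    __int64 only_load_driver = 0;
    __int64 only_unload_driver = 0;
    TCHAR* driver_filename = NULL;
    WinPmem* pmem_handle = WinPmemFactory();

    // WinPmemFactory() returns NULL on an unsupported architecture and every
    // branch below dereferences the handle, so reject it before first use.
    if (!pmem_handle)
    {
        Log(L"No WinPmem implementation for this processor architecture.\n");
        goto error;
    }
    if (argc < 2)
    {
        goto error;
    }

    for (i = 1; i < argc; i++)
    {
        // The first argument that does not start with '-' ends option
        // parsing; it is the output path.
        if (argv[i][0] != '-' || argv[i][1] == 0)
        {
            break;
        }
        switch (argv[i][1])
        {
        case 'l':
            only_load_driver = 1;
            break;
        case 'u':
            only_unload_driver = 1;
            break;
        case 'd':
            // -d consumes the next argument; bound-check it explicitly
            // instead of relying on argv[argc] being NULL.
            if (++i >= argc)
            {
                goto error;
            }
            driver_filename = argv[i];
            break;
        case '0':
            mode = PMEM_MODE_IOSPACE;
            break;
        case '1':
            mode = PMEM_MODE_PHYSICAL;
            break;
        case '2':
            mode = PMEM_MODE_PTE;
            break;
        case 'w':
            Log(TEXT("Enabling write mode.\n"));
            write_mode = 1;
            break;
        default:
            // Covers -h as well as unknown options: fall through to help().
            goto error;
        }
    }

    // Now run what the user wanted.
    if (driver_filename)
    {
        pmem_handle->set_driver_filename(driver_filename);
    }

    if (only_load_driver)
    {
        status = pmem_handle->install_driver();
        if (status > 0)
        {
            // Report a failed mode switch rather than the install status, so
            // a driver loaded in the wrong mode is not reported as success.
            status = pmem_handle->set_acquisition_mode(mode);
            if (status > 0 && write_mode)
            {
                pmem_handle->set_write_enabled();
            }
        }
    }
    else if (only_unload_driver)
    {
        status = pmem_handle->uninstall_driver();
    }
    else if (i < argc)
    {
        // argv[i] is the output path ("-" means STDOUT, see help()).
        // NOTE(review): driver_filename may be NULL here; the original passed
        // it through unconditionally and that is kept — confirm the setter
        // treats NULL as "use a random name".
        pmem_handle->set_driver_filename(driver_filename);
        status = pmem_handle->create_output_file(argv[i]);
        if (status)
        {
            if (pmem_handle->install_driver() > 0 && pmem_handle->set_acquisition_mode(mode) > 0)
            {
                status = pmem_handle->write_raw_image();
            }
            else
            {
                // Do not let the successful output-file creation stand in for
                // an image that was never acquired.
                status = -1;
            }
        }
        // Always attempt to unload, even when install or acquisition failed.
        pmem_handle->uninstall_driver();
    }
    else if (driver_filename)
    {
        // Just extract the driver and exit.
        status = pmem_handle->extract_driver(driver_filename);
    }
    else
    {
        goto error;
    }

    delete pmem_handle;
    return (int)status;

error:
    delete pmem_handle;   // delete on NULL is a no-op, no guard needed
    help(argv[0]);
    return -1;
}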