Class DisplayOutput
Provides output in various human readable formats of data from the library.
Inheritance
Inherited Members
Namespace: ERC
Assembly: ERC.Net.dll
Syntax
public static class DisplayOutput
Methods
AssembleOpcodes(String[], MachineType)
Converts a collection of instructions into the associated opcodes.
Declaration
public static string[] AssembleOpcodes(string[] instructions, MachineType machine)
Parameters
Type | Name | Description |
---|---|---|
System.String[] | instructions | An array containing either x86 or x64 instructions. |
MachineType | machine | MachineType of the instruction set to be assembled. |
Returns
Type | Description |
---|---|
System.String[] | The opcodes assembled from the supplied instructions. Returns null if the method fails. |
AssembleOpcodes(String[], UInt32)
Converts a collection of instructions into the associated opcodes.
Declaration
public static string[] AssembleOpcodes(string[] instructions, uint machine)
Parameters
Type | Name | Description |
---|---|---|
System.String[] | instructions | An array containing either x86 or x64 instructions. |
System.UInt32 | machine | Uint representing the machine type (x86 = 0, x64 = 1) |
Returns
Type | Description |
---|---|
System.String[] | The opcodes assembled from the supplied instructions. Returns null if the method fails. |
CompareByteArrayToMemoryRegion(ProcessInfo, IntPtr, Byte[])
Compares the values contained in a memory region to the values in the supplied byte array.
Declaration
public static string[] CompareByteArrayToMemoryRegion(ProcessInfo info, IntPtr startAddress, byte[] byteArray)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The processInfo object that contains the memory region. |
System.IntPtr | startAddress | The memory address to start the search at. |
System.Byte[] | byteArray | The byte array the region will be compared against. |
Returns
Type | Description |
---|---|
System.String[] | Returns an array of strings detailing the differences between the two. |
DisassembleOpcodes(Byte[], MachineType)
Converts a collection of opcodes into the associated instructions.
Declaration
public static string[] DisassembleOpcodes(byte[] opcodes, MachineType machine)
Parameters
Type | Name | Description |
---|---|---|
System.Byte[] | opcodes | An array containing either x86 or x64 opcodes. |
MachineType | machine | MachineType of the instruction set to be disassembled. |
Returns
Type | Description |
---|---|
System.String[] | The instructions disassembled from the supplied opcodes. Returns null if the method fails. |
DisassembleOpcodes(Byte[], UInt32)
Converts a collection of opcodes into the associated instructions.
Declaration
public static string[] DisassembleOpcodes(byte[] opcodes, uint machine)
Parameters
Type | Name | Description |
---|---|---|
System.Byte[] | opcodes | An array containing either x86 or x64 opcodes. |
System.UInt32 | machine | Uint representing the machine type (x86 = 0, x64 = 1) |
Returns
Type | Description |
---|---|
System.String[] | The instructions disassembled from the supplied opcodes. Returns null if the method fails. |
DisplayProcessInfo(ProcessInfo, Boolean)
Displays information related to the provided ProcessInfo object.
Declaration
public static string DisplayProcessInfo(ProcessInfo info, bool outputToFile = true)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The ProcessInfo object of which the module information will be displayed |
System.Boolean | outputToFile | Set to false to suppress file output. |
Returns
Type | Description |
---|---|
System.String |
DisplayThreadInfo(ProcessInfo, Boolean)
Displays information about all threads related to a specific process.
Declaration
public static string DisplayThreadInfo(ProcessInfo info, bool outputToFile = true)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | |
System.Boolean | outputToFile |
Returns
Type | Description |
---|---|
System.String |
DumpMemory(ProcessInfo, IntPtr, Int32)
Reads a set of bytes from process memory and provides a string containing the results.
Declaration
public static ErcResult<string> DumpMemory(ProcessInfo info, IntPtr startAddress, int length)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | ProcessInfo object |
System.IntPtr | startAddress | The address to start reading from. |
System.Int32 | length | The number of bytes to read. |
Returns
Type | Description |
---|---|
ErcResult<System.String> | A string containing the bytes read from memory |
GenerateByteArray(ErcCore, Byte[])
Generates an array of all possible bytes for use when identifying bad characters. Writes the output to disk in the working directory.
Declaration
public static byte[] GenerateByteArray(ErcCore core, byte[] unwantedBytes = null)
Parameters
Type | Name | Description |
---|---|---|
ErcCore | core | An ErcCore object |
System.Byte[] | unwantedBytes | An array of bytes to be excluded from the final byte array |
Returns
Type | Description |
---|---|
System.Byte[] | Returns a byte array of all possible bytes. |
GenerateEggHunters(ErcCore, String)
Generates a collection of EggHunter payloads.
Declaration
public static string GenerateEggHunters(ErcCore core = null, string tag = null)
Parameters
Type | Name | Description |
---|---|---|
ErcCore | core | (Optional) If an ErcCore object is provided the output will also be written out to the working directory |
System.String | tag | (Optional) If a tag is provided the payloads will be altered to search for that tag, the default tag is ERCD |
Returns
Type | Description |
---|---|
System.String | Returns a string containing all EggHunters |
GenerateFindNRPTable(ProcessInfo, Int32, Boolean)
Searches the memory of a process for a non repeating pattern.
Declaration
public static List<string> GenerateFindNRPTable(ProcessInfo info, int searchType = 0, bool extended = false)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The ProcessInfo object of the process to be searched |
System.Int32 | searchType | Integer specifying the format of the string: 0 = search term is in bytes, 1 = search term is in Unicode, 2 = search term is in ASCII, 3 = search term is in UTF8, 4 = search term is in UTF7, 5 = search term is in UTF32 |
System.Boolean | extended | Whether the extended character range is to be used when searching for the non repeating pattern |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> | Returns a List of strings containing the locations where the non repeating pattern was identified |
GenerateModuleInfoTable(ProcessInfo, Boolean)
Acquires a filename and writes out all module data to the current working directory. Requires a ProcessInfo object to be passed as a parameter.
Declaration
public static string GenerateModuleInfoTable(ProcessInfo info, bool outputToFile = true)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The ProcessInfo object of which the module information will be displayed |
System.Boolean | outputToFile | Set to false to suppress file output. |
Returns
Type | Description |
---|---|
System.String | Returns a formatted string of all results |
GeneratePattern(Int32, ErcCore, Boolean)
Creates a file in the ErcCore working directory containing a string of non repeating characters.
Declaration
public static string GeneratePattern(int length, ErcCore core, bool extended = false)
Parameters
Type | Name | Description |
---|---|---|
System.Int32 | length | The length of the string to be created |
ErcCore | core | An ErcCore object |
System.Boolean | extended | An optional boolean specifying whether to use the extended character set. Default is false. |
Returns
Type | Description |
---|---|
System.String | Returns a string containing the pattern generated. |
GetSEHJumps(ProcessInfo, Boolean, Boolean, Boolean, Boolean, Boolean, Byte[], String)
Searches all memory associated with a given process and associated modules for POP X POP X RET instructions. Passing a list of module paths or names will exclude those modules from the search. Similar to Search_All_Memory_PPR however provides output in an easily readable format.
Declaration
public static List<string> GetSEHJumps(ProcessInfo info, bool aslr = false, bool safeseh = false, bool rebase = false, bool nxcompat = false, bool osdll = false, byte[] unwantedBytes = null, string protection = "exec")
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The ProcessInfo object which will be searched for POP POP RET instructions. |
System.Boolean | aslr | Remove ASLR libraries. |
System.Boolean | safeseh | Remove SafeSEH libraries. |
System.Boolean | rebase | Remove rebasable libraries. |
System.Boolean | nxcompat | Remove NXCompat libraries. |
System.Boolean | osdll | Remove OS Dlls. |
System.Byte[] | unwantedBytes | Addresses containing values in this byte array will be ignored. |
System.String | protection | String containing the protection level the returned pointers will have; the default is "exec". |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> | Returns a list of strings detailing the pointers, opcodes and base files of suitable instruction sets. |
GetSEHJumps(ProcessInfo, Byte[], List<String>)
Searches all memory associated with a given process and associated modules for POP X POP X RET instructions. Passing a list of module paths or names will exclude those modules from the search. Similar to Search_All_Memory_PPR however provides output in an easily readable format.
Declaration
public static List<string> GetSEHJumps(ProcessInfo info, byte[] ptrsToExclude, List<string> excludes = null)
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The ProcessInfo object which will be searched for POP POP RET instructions |
System.Byte[] | ptrsToExclude | Ptrs containing these byte values will be discarded. |
System.Collections.Generic.List<System.String> | excludes | Modules to be ignored when searching for the instruction sets. |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> | Returns a list of strings detailing the pointers, opcodes and base files of suitable instruction sets. |
ListLocalProcesses()
Lists usable processes running on the local machine.
Declaration
public static string ListLocalProcesses()
Returns
Type | Description |
---|---|
System.String | A string containing details of processes running on the local machine. |
ListRemoteProcesses(String)
Lists usable processes running on the remote machine.
Declaration
public static string ListRemoteProcesses(string machineName)
Parameters
Type | Name | Description |
---|---|---|
System.String | machineName |
Returns
Type | Description |
---|---|
System.String | A string containing details of processes running on the remote machine. |
RopChainGadgets32(RopChainGenerator32)
Produces output files containing information about the associated ROP chain, produces files containing ROP gadgets and the associated ROP chain.
Declaration
public static List<string> RopChainGadgets32(RopChainGenerator32 rcg)
Parameters
Type | Name | Description |
---|---|---|
RopChainGenerator32 | rcg | The ROP chain generator object |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> | Returns a List of strings |
RopChainGadgets64(RopChainGenerator64)
Produces output files containing information about the associated ROP chain, produces files containing ROP gadgets and the associated ROP chain.
Declaration
public static List<string> RopChainGadgets64(RopChainGenerator64 rcg)
Parameters
Type | Name | Description |
---|---|---|
RopChainGenerator64 | rcg | The ROP chain generator object |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> | Returns a List of strings |
SearchMemory(ProcessInfo, Int32, String, Boolean, Boolean, Boolean, Boolean, Boolean, Byte[], String)
Searches the memory of a process and its loaded modules for a string or byte combination.
Declaration
public static List<string> SearchMemory(ProcessInfo info, int searchType, string searchString, bool aslr = false, bool safeseh = false, bool rebase = false, bool nxcompat = false, bool osdll = false, byte[] unwantedBytes = null, string protection = "exec")
Parameters
Type | Name | Description |
---|---|---|
ProcessInfo | info | The processInfo object for the process |
System.Int32 | searchType | The type of data to be searched for. |
System.String | searchString | The string to search for. |
System.Boolean | aslr | Remove ASLR libraries. |
System.Boolean | safeseh | Remove SafeSEH libraries. |
System.Boolean | rebase | Remove rebasable libraries. |
System.Boolean | nxcompat | Remove NXCompat libraries. |
System.Boolean | osdll | Remove OS Dlls. |
System.Byte[] | unwantedBytes | Addresses containing values in this byte array will be ignored. |
System.String | protection | String containing the protection level the returned pointers will have; the default is "exec". |
Returns
Type | Description |
---|---|
System.Collections.Generic.List<System.String> |
WriteToFile(String, String, String, List<String>)
Writes a list of strings to a file. Takes a directory, a file name prefix and a file extension along with a List of strings.
Declaration
public static void WriteToFile(string directory, string prefix, string extension, List<string> content)
Parameters
Type | Name | Description |
---|---|---|
System.String | directory | The directory to be used |
System.String | prefix | A prefix for the file name e.g. "modules_" or "Pattern_" etc |
System.String | extension | The file extension to be used e.g. ".txt" |
System.Collections.Generic.List<System.String> | content | A list of strings to be written to disk |