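        /// <summary>
        /// Gets a snapshot based on the provided mode. Will not read any memory.
        /// </summary>
        /// <param name="snapshotCreationMode">The method of snapshot retrieval.</param>
        /// <param name="dataType">
        /// The data type forwarded to the snapshot factories; it is not used for
        /// <see cref="Snapshot.SnapshotRetrievalMode.FromActiveSnapshot"/>, which only returns the existing active snapshot.
        /// </param>
        /// <returns>
        /// The collected snapshot, or <c>null</c> when <paramref name="snapshotCreationMode"/> is not a known mode
        /// (the unknown mode is logged at error level instead of throwing).
        /// </returns>
        /// <exception cref="NotImplementedException">
        /// Thrown for <see cref="Snapshot.SnapshotRetrievalMode.FromStack"/>, which is not supported yet.
        /// </exception>
        public static Snapshot GetSnapshot(Snapshot.SnapshotRetrievalMode snapshotCreationMode, DataType dataType)
        {
            switch (snapshotCreationMode)
            {
            case Snapshot.SnapshotRetrievalMode.FromActiveSnapshot:
                // Reuses whatever is already active; nothing is created here.
                return SnapshotManager.GetActiveSnapshot();

            case Snapshot.SnapshotRetrievalMode.FromActiveSnapshotOrPrefilter:
                return SnapshotManager.GetActiveSnapshotCreateIfNone(dataType);

            case Snapshot.SnapshotRetrievalMode.FromSettings:
                return SnapshotManager.CreateSnapshotFromSettings(dataType);

            case Snapshot.SnapshotRetrievalMode.FromUserModeMemory:
                return SnapshotManager.CreateSnapshotFromUsermodeMemory(dataType);

            case Snapshot.SnapshotRetrievalMode.FromModules:
                return SnapshotManager.CreateSnapshotFromModules(dataType);

            case Snapshot.SnapshotRetrievalMode.FromHeaps:
                return SnapshotManager.CreateSnapshotFromHeaps(dataType);

            case Snapshot.SnapshotRetrievalMode.FromStack:
                // Stack snapshots are not implemented; callers must not request this mode yet.
                throw new NotImplementedException();

            default:
                // Deliberately non-throwing: an out-of-range enum value is reported and yields no snapshot,
                // so callers must null-check the result.
                Logger.Log(LogLevel.Error, "Unknown snapshot retrieval mode");
                return null;
            }
        }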
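        /// <summary>
        /// Creates a snapshot that approximates the heaps of the selected process.
        /// </summary>
        /// <remarks>
        /// The current implementation collects all user-mode virtual pages and drops those whose base address
        /// coincides with a loaded module's base address; pages inside a module that do not share its base address
        /// are still included. Real heap enumeration is still a TODO.
        /// </remarks>
        /// <param name="dataType">The data type used to build each <see cref="ReadGroup"/> of the new snapshot.</param>
        /// <returns>The created snapshot.</returns>
        private static Snapshot CreateSnapshotFromHeaps(DataType dataType)
        {
            // TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
            // NOTE(review): this result is never used below (the returned snapshot is rebuilt from memoryRegions).
            // The call is kept only in case CreateSnapshotFromUsermodeMemory has side effects — confirm and remove if it is pure.
            Snapshot snapshot = SnapshotManager.CreateSnapshotFromUsermodeMemory(dataType);

            // Materialize the module list once. The original enumerated the provider query inside the
            // page loop, re-running Query.Default.GetModules() for every virtual page.
            List<NormalizedModule> modules = Query.Default.GetModules().ToList();

            // No protection flags are required or excluded; private, image and untyped pages are all allowed.
            MemoryProtectionEnum requiredPageFlags = 0;
            MemoryProtectionEnum excludedPageFlags = 0;
            MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;

            UInt64 startAddress = 0;
            UInt64 endAddress = Query.Default.GetMaxUsermodeAddress();

            List<ReadGroup> memoryRegions = new List<ReadGroup>();
            IEnumerable<NormalizedRegion> virtualPages = Query.Default.GetVirtualPages(
                requiredPageFlags,
                excludedPageFlags,
                allowedTypeFlags,
                startAddress,
                endAddress);

            foreach (NormalizedRegion virtualPage in virtualPages)
            {
                // Exclusion is by exact base-address match only (see remarks); still O(pages * modules),
                // but no longer re-queries the module list per page.
                if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
                {
                    continue;
                }

                memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize, dataType, ScanSettings.Default.Alignment));
            }

            return new Snapshot(null, memoryRegions);
        }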