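/// <summary>
/// Determines whether an image-backed page was touched by the NT loader itself,
/// i.e. whether some frame of the accessing stack lives in <c>ntdll</c> and is one
/// of the listed loader functions.
/// </summary>
/// <param name="page">The accessed page together with the stack that touched it.</param>
/// <returns>
/// <see langword="true"/> when the page category is Image or CopyOnWriteImage and a
/// frame whose image name contains <c>ntdll</c> has a function name containing
/// <c>LdrpPrepareModuleForExecution</c>, <c>LdrUnloadDll</c> or <c>LdrpDrainWorkQueue</c>;
/// otherwise <see langword="false"/>.
/// </returns>
static bool IsLoaderAccessedPage(IReferenceSetAccessedPage page)
{
    var category = page.Page.Category;
    if (category != ResidentSetPageCategory.Image &&
        category != ResidentSetPageCategory.CopyOnWriteImage)
    {
        return false;
    }

    // A page with no recorded accessing stack cannot be attributed to the loader.
    if (page.AccessingStack == null)
    {
        return false;
    }

    foreach (var frame in page.AccessingStack.Frames)
    {
        var frameImage = frame?.Image?.FileName;
        var frameFunction = frame?.Symbol?.FunctionName;
        if (frameImage == null || frameFunction == null)
        {
            continue;
        }

        // Windows file names are case-insensitive, so the image name is matched
        // ignoring case (a substring match, so a bare name or a full path both
        // qualify). Symbol names are case-sensitive and stay ordinal.
        bool isNtdllFrame =
            frameImage.IndexOf("ntdll", System.StringComparison.OrdinalIgnoreCase) >= 0;
        if (!isNtdllFrame)
        {
            continue;
        }

        if (frameFunction.Contains("LdrpPrepareModuleForExecution") ||
            frameFunction.Contains("LdrUnloadDll") ||
            frameFunction.Contains("LdrpDrainWorkQueue"))
        {
            return true;
        }
    }

    return false;
}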
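/// <summary>
/// Resolves the PE section name for the file offset at which an image-backed page
/// was accessed, using the section table obtained through the image's loaded PDB.
/// </summary>
/// <param name="accessedPage">The accessed page whose <c>Page.FileOffset</c> is looked up.</param>
/// <param name="passedInImageData">
/// The image the page belongs to. Its <c>Pdb</c> must be loaded for a section lookup;
/// when it is <see langword="null"/> or the PDB is not loaded the result is "Unknown".
/// </param>
/// <param name="imageSections">Section data source handed to <c>GetImageSections</c>.</param>
/// <param name="processContext">Not used by this method; retained for signature compatibility with existing callers.</param>
/// <returns>
/// "ImageHeader" when the file offset is 0; the name of the first section whose file
/// address range covers the offset; otherwise "Unknown" (also for every page category
/// that is not Image, CopyOnWriteImage, SessionCopyOnWriteImage or Driver).
/// </returns>
/// <exception cref="System.ArgumentNullException"><paramref name="accessedPage"/> is <see langword="null"/>.</exception>
public static string GetSectionNameFromPage(IReferenceSetAccessedPage accessedPage, IImage passedInImageData, IImageSectionDataSource imageSections, IProcess processContext)
{
    const string unknownSection = "Unknown";

    if (accessedPage == null)
    {
        throw new System.ArgumentNullException(nameof(accessedPage));
    }

    // The null checks belong before the first dereference, not after it.
    var page = accessedPage.Page;
    if (page == null)
    {
        return unknownSection;
    }

    var category = page.Category;
    bool isImageBacked =
        category == ResidentSetPageCategory.Image ||
        category == ResidentSetPageCategory.CopyOnWriteImage ||
        category == ResidentSetPageCategory.SessionCopyOnWriteImage ||
        category == ResidentSetPageCategory.Driver;
    if (!isImageBacked)
    {
        return unknownSection;
    }

    // Lifted to ulong? so this compiles whether FileOffset is ulong or ulong?;
    // a missing offset is treated as 0.
    ulong? rawOffset = page.FileOffset;
    ulong offset = rawOffset ?? 0;

    // Offset 0 maps to the image header rather than to any section.
    if (offset == 0)
    {
        return "ImageHeader";
    }

    // Section ranges come from the PDB; without a loaded PDB there is nothing to match against.
    if (passedInImageData?.Pdb == null || !passedInImageData.Pdb.IsLoaded)
    {
        return unknownSection;
    }

    foreach (var section in passedInImageData.GetImageSections(imageSections))
    {
        var range = section.FileAddressRange;

        // Half-open range: [BaseAddress, LimitAddress).
        if (offset >= range.BaseAddress.Value && offset < range.LimitAddress.Value)
        {
            return section.Name;
        }
    }

    return unknownSection;
}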