/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr();
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from all usermode memory. Will not read any memory.
/// </summary>
/// <returns>A snapshot created from usermode memory.</returns>
private static Snapshot CreateSnapshotFromUsermodeMemory(Process process)
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
UInt64 startAddress = 0;
UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from modules in the selected process.
/// </summary>
/// <returns>The created snapshot.</returns>
private static Snapshot CreateSnapshotFromHeaps(Process process)
{
// TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
Snapshot snapshot = SnapshotQuery.CreateSnapshotFromUsermodeMemory(process);
IEnumerable <NormalizedModule> modules = MemoryQueryer.Instance.GetModules(process);
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
UInt64 startAddress = 0;
UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
{
continue;
}
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
public Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress;
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region (a more condensed representation of the information)
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(memoryRegions));
}
/// <summary>
/// Gets regions of memory allocated in the remote process based on provided parameters
/// </summary>
/// <param name="requiredProtection">Protection flags required to be present</param>
/// <param name="excludedProtection">Protection flags that must not be present</param>
/// <param name="allowedTypes">Memory types that can be present</param>
/// <param name="startAddress">The start address of the query range</param>
/// <param name="endAddress">The end address of the query range</param>
/// <returns>A collection of pointers to virtual pages in the target process</returns>
public IEnumerable <NormalizedRegion> GetVirtualPages(
MemoryProtectionEnum requiredProtection,
MemoryProtectionEnum excludedProtection,
MemoryTypeEnum allowedTypes,
IntPtr startAddress,
IntPtr endAddress)
{
MemoryProtectionFlags requiredFlags = 0;
MemoryProtectionFlags excludedFlags = 0;
if ((requiredProtection & MemoryProtectionEnum.Write) != 0)
{
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((requiredProtection & MemoryProtectionEnum.Execute) != 0)
{
requiredFlags |= MemoryProtectionFlags.Execute;
requiredFlags |= MemoryProtectionFlags.ExecuteRead;
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
requiredFlags |= MemoryProtectionFlags.WriteCopy;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.Write) != 0)
{
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((excludedProtection & MemoryProtectionEnum.Execute) != 0)
{
excludedFlags |= MemoryProtectionFlags.Execute;
excludedFlags |= MemoryProtectionFlags.ExecuteRead;
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
excludedFlags |= MemoryProtectionFlags.WriteCopy;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
return(Memory.VirtualPages(this.SystemProcess == null ? IntPtr.Zero : this.SystemProcess.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes)
.Select(x => new NormalizedRegion(x.BaseAddress, x.RegionSize.ToUInt64())));
}
/// <summary>
/// Gets the excluded protection settings for virtual memory queries based on the set type flags.
/// </summary>
/// <returns>The flags of the excluded protections for virtual memory queries.</returns>
public MemoryProtectionEnum GetExcludedProtectionSettings()
{
MemoryProtectionEnum result = 0;
if (Settings.Default.ExcludedWrite)
{
result |= MemoryProtectionEnum.Write;
}
if (Settings.Default.ExcludedExecute)
{
result |= MemoryProtectionEnum.Execute;
}
if (Settings.Default.ExcludedCopyOnWrite)
{
result |= MemoryProtectionEnum.CopyOnWrite;
}
return(result);
}
/// <summary>
/// Gets the excluded protection settings for virtual memory queries based on the set type flags.
/// </summary>
/// <returns>The flags of the excluded protections for virtual memory queries.</returns>
private static MemoryProtectionEnum GetExcludedProtectionSettings()
{
MemoryProtectionEnum result = 0;
if (ScanSettings.ExcludedWrite)
{
result |= MemoryProtectionEnum.Write;
}
if (ScanSettings.ExcludedExecute)
{
result |= MemoryProtectionEnum.Execute;
}
if (ScanSettings.ExcludedCopyOnWrite)
{
result |= MemoryProtectionEnum.CopyOnWrite;
}
return(result);
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private static Snapshot CreateSnapshotFromSettings(Process process)
{
MemoryProtectionEnum requiredPageFlags = SnapshotQuery.GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SnapshotQuery.GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SnapshotQuery.GetAllowedTypeSettings();
UInt64 startAddress;
UInt64 endAddress;
if (ScanSettings.IsUserMode)
{
startAddress = 0;
endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
}
else
{
startAddress = ScanSettings.StartAddress;
endAddress = ScanSettings.EndAddress;
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from all usermode memory. Will not read any memory.
/// </summary>
/// <returns>A snapshot created from usermode memory.</returns>
private Snapshot CreateSnapshotFromUsermodeMemory()
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
IntPtr startAddress = IntPtr.Zero;
IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr();
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
public Snapshot CreateSnapshotFromUsermodeMemory()
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image | MemoryTypeEnum.Mapped;
IntPtr startAddress = IntPtr.Zero;
IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress;
List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(memoryRegions));
}
/// <summary>
/// Gets regions of memory allocated in the remote process based on provided parameters.
/// </summary>
/// <param name="requiredProtection">Protection flags required to be present.</param>
/// <param name="excludedProtection">Protection flags that must not be present.</param>
/// <param name="allowedTypes">Memory types that can be present.</param>
/// <param name="startAddress">The start address of the query range.</param>
/// <param name="endAddress">The end address of the query range.</param>
/// <returns>A collection of pointers to virtual pages in the target process.</returns>
public IEnumerable <NormalizedRegion> GetVirtualPages(
Process process,
MemoryProtectionEnum requiredProtection,
MemoryProtectionEnum excludedProtection,
MemoryTypeEnum allowedTypes,
UInt64 startAddress,
UInt64 endAddress)
{
MemoryProtectionFlags requiredFlags = 0;
MemoryProtectionFlags excludedFlags = 0;
if ((requiredProtection & MemoryProtectionEnum.Write) != 0)
{
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((requiredProtection & MemoryProtectionEnum.Execute) != 0)
{
requiredFlags |= MemoryProtectionFlags.Execute;
requiredFlags |= MemoryProtectionFlags.ExecuteRead;
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
requiredFlags |= MemoryProtectionFlags.WriteCopy;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.Write) != 0)
{
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((excludedProtection & MemoryProtectionEnum.Execute) != 0)
{
excludedFlags |= MemoryProtectionFlags.Execute;
excludedFlags |= MemoryProtectionFlags.ExecuteRead;
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
excludedFlags |= MemoryProtectionFlags.WriteCopy;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
IEnumerable <MemoryBasicInformation64> memoryInfo = WindowsMemoryQuery.VirtualPages(process == null ? IntPtr.Zero : process.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes);
IList <NormalizedRegion> regions = new List <NormalizedRegion>();
foreach (MemoryBasicInformation64 next in memoryInfo)
{
if (next.RegionSize < ChunkSize)
{
regions.Add(new NormalizedRegion(next.BaseAddress.ToUInt64(), next.RegionSize.ToInt32()));
}
else
{
// This region requires chunking
Int64 remaining = next.RegionSize;
UInt64 currentBaseAddress = next.BaseAddress.ToUInt64();
while (remaining >= ChunkSize)
{
regions.Add(new NormalizedRegion(currentBaseAddress, ChunkSize));
remaining -= ChunkSize;
currentBaseAddress = currentBaseAddress.Add(ChunkSize, wrapAround: false);
}
if (remaining > 0)
{
regions.Add(new NormalizedRegion(currentBaseAddress, remaining.ToInt32()));
}
}
}
return(regions);
}
