/// <summary> /// Creates a new snapshot of memory in the target process. Will not read any memory. /// </summary> /// <returns>The snapshot of memory taken in the target process.</returns> private Snapshot CreateSnapshotFromSettings() { MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings(); MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings(); MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings(); IntPtr startAddress, endAddress; if (SettingsViewModel.GetInstance().IsUserMode) { startAddress = IntPtr.Zero; endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr(); } else { startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr(); endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr(); } List <ReadGroup> memoryRegions = new List <ReadGroup>(); IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages( requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); // Convert each virtual page to a snapshot region foreach (NormalizedRegion virtualPage in virtualPages) { memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(null, memoryRegions)); }
/// <summary> /// Creates a snapshot from all usermode memory. Will not read any memory. /// </summary> /// <returns>A snapshot created from usermode memory.</returns> private static Snapshot CreateSnapshotFromUsermodeMemory(Process process) { MemoryProtectionEnum requiredPageFlags = 0; MemoryProtectionEnum excludedPageFlags = 0; MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image; UInt64 startAddress = 0; UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process); List <ReadGroup> memoryRegions = new List <ReadGroup>(); IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages( process, requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); foreach (NormalizedRegion virtualPage in virtualPages) { virtualPage.Align(ScanSettings.Alignment); memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(null, memoryRegions)); }
/// <summary> /// Creates a snapshot from modules in the selected process. /// </summary> /// <returns>The created snapshot.</returns> private static Snapshot CreateSnapshotFromHeaps(Process process) { // TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps. Snapshot snapshot = SnapshotQuery.CreateSnapshotFromUsermodeMemory(process); IEnumerable <NormalizedModule> modules = MemoryQueryer.Instance.GetModules(process); MemoryProtectionEnum requiredPageFlags = 0; MemoryProtectionEnum excludedPageFlags = 0; MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image; UInt64 startAddress = 0; UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process); List <ReadGroup> memoryRegions = new List <ReadGroup>(); IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages( process, requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); foreach (NormalizedRegion virtualPage in virtualPages) { if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress)) { continue; } virtualPage.Align(ScanSettings.Alignment); memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(null, memoryRegions)); }
/// <summary> /// Creates a new snapshot of memory in the target process. Will not read any memory. /// </summary> /// <returns>The snapshot of memory taken in the target process.</returns> public Snapshot CreateSnapshotFromSettings() { MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings(); MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings(); MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings(); IntPtr startAddress, endAddress; if (SettingsViewModel.GetInstance().IsUserMode) { startAddress = IntPtr.Zero; endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress; } else { startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr(); endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr(); } List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>(); IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages( requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); // Convert each virtual page to a snapshot region (a more condensed representation of the information) foreach (NormalizedRegion virtualPage in virtualPages) { memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(memoryRegions)); }
/// <summary> /// Gets regions of memory allocated in the remote process based on provided parameters /// </summary> /// <param name="requiredProtection">Protection flags required to be present</param> /// <param name="excludedProtection">Protection flags that must not be present</param> /// <param name="allowedTypes">Memory types that can be present</param> /// <param name="startAddress">The start address of the query range</param> /// <param name="endAddress">The end address of the query range</param> /// <returns>A collection of pointers to virtual pages in the target process</returns> public IEnumerable <NormalizedRegion> GetVirtualPages( MemoryProtectionEnum requiredProtection, MemoryProtectionEnum excludedProtection, MemoryTypeEnum allowedTypes, IntPtr startAddress, IntPtr endAddress) { MemoryProtectionFlags requiredFlags = 0; MemoryProtectionFlags excludedFlags = 0; if ((requiredProtection & MemoryProtectionEnum.Write) != 0) { requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite; requiredFlags |= MemoryProtectionFlags.ReadWrite; } if ((requiredProtection & MemoryProtectionEnum.Execute) != 0) { requiredFlags |= MemoryProtectionFlags.Execute; requiredFlags |= MemoryProtectionFlags.ExecuteRead; requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite; requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0) { requiredFlags |= MemoryProtectionFlags.WriteCopy; requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((excludedProtection & MemoryProtectionEnum.Write) != 0) { excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite; excludedFlags |= MemoryProtectionFlags.ReadWrite; } if ((excludedProtection & MemoryProtectionEnum.Execute) != 0) { excludedFlags |= MemoryProtectionFlags.Execute; excludedFlags |= MemoryProtectionFlags.ExecuteRead; excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite; excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0) { excludedFlags |= MemoryProtectionFlags.WriteCopy; excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } return(Memory.VirtualPages(this.SystemProcess == null ? IntPtr.Zero : this.SystemProcess.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes) .Select(x => new NormalizedRegion(x.BaseAddress, x.RegionSize.ToUInt64()))); }
/// <summary> /// Gets the excluded protection settings for virtual memory queries based on the set type flags. /// </summary> /// <returns>The flags of the excluded protections for virtual memory queries.</returns> public MemoryProtectionEnum GetExcludedProtectionSettings() { MemoryProtectionEnum result = 0; if (Settings.Default.ExcludedWrite) { result |= MemoryProtectionEnum.Write; } if (Settings.Default.ExcludedExecute) { result |= MemoryProtectionEnum.Execute; } if (Settings.Default.ExcludedCopyOnWrite) { result |= MemoryProtectionEnum.CopyOnWrite; } return(result); }
/// <summary> /// Gets the excluded protection settings for virtual memory queries based on the set type flags. /// </summary> /// <returns>The flags of the excluded protections for virtual memory queries.</returns> private static MemoryProtectionEnum GetExcludedProtectionSettings() { MemoryProtectionEnum result = 0; if (ScanSettings.ExcludedWrite) { result |= MemoryProtectionEnum.Write; } if (ScanSettings.ExcludedExecute) { result |= MemoryProtectionEnum.Execute; } if (ScanSettings.ExcludedCopyOnWrite) { result |= MemoryProtectionEnum.CopyOnWrite; } return(result); }
/// <summary> /// Creates a new snapshot of memory in the target process. Will not read any memory. /// </summary> /// <returns>The snapshot of memory taken in the target process.</returns> private static Snapshot CreateSnapshotFromSettings(Process process) { MemoryProtectionEnum requiredPageFlags = SnapshotQuery.GetRequiredProtectionSettings(); MemoryProtectionEnum excludedPageFlags = SnapshotQuery.GetExcludedProtectionSettings(); MemoryTypeEnum allowedTypeFlags = SnapshotQuery.GetAllowedTypeSettings(); UInt64 startAddress; UInt64 endAddress; if (ScanSettings.IsUserMode) { startAddress = 0; endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process); } else { startAddress = ScanSettings.StartAddress; endAddress = ScanSettings.EndAddress; } List <ReadGroup> memoryRegions = new List <ReadGroup>(); IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages( process, requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); // Convert each virtual page to a snapshot region foreach (NormalizedRegion virtualPage in virtualPages) { virtualPage.Align(ScanSettings.Alignment); memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(null, memoryRegions)); }
/// <summary> /// Creates a snapshot from all usermode memory. Will not read any memory. /// </summary> /// <returns>A snapshot created from usermode memory.</returns> private Snapshot CreateSnapshotFromUsermodeMemory() { MemoryProtectionEnum requiredPageFlags = 0; MemoryProtectionEnum excludedPageFlags = 0; MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image; IntPtr startAddress = IntPtr.Zero; IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr(); List <ReadGroup> memoryRegions = new List <ReadGroup>(); IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages( requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); foreach (NormalizedRegion virtualPage in virtualPages) { memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(null, memoryRegions)); }
public Snapshot CreateSnapshotFromUsermodeMemory() { MemoryProtectionEnum requiredPageFlags = 0; MemoryProtectionEnum excludedPageFlags = 0; MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image | MemoryTypeEnum.Mapped; IntPtr startAddress = IntPtr.Zero; IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress; List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>(); IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages( requiredPageFlags, excludedPageFlags, allowedTypeFlags, startAddress, endAddress); foreach (NormalizedRegion virtualPage in virtualPages) { memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize)); } return(new Snapshot(memoryRegions)); }
/// <summary> /// Gets regions of memory allocated in the remote process based on provided parameters. /// </summary> /// <param name="requiredProtection">Protection flags required to be present.</param> /// <param name="excludedProtection">Protection flags that must not be present.</param> /// <param name="allowedTypes">Memory types that can be present.</param> /// <param name="startAddress">The start address of the query range.</param> /// <param name="endAddress">The end address of the query range.</param> /// <returns>A collection of pointers to virtual pages in the target process.</returns> public IEnumerable <NormalizedRegion> GetVirtualPages( Process process, MemoryProtectionEnum requiredProtection, MemoryProtectionEnum excludedProtection, MemoryTypeEnum allowedTypes, UInt64 startAddress, UInt64 endAddress) { MemoryProtectionFlags requiredFlags = 0; MemoryProtectionFlags excludedFlags = 0; if ((requiredProtection & MemoryProtectionEnum.Write) != 0) { requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite; requiredFlags |= MemoryProtectionFlags.ReadWrite; } if ((requiredProtection & MemoryProtectionEnum.Execute) != 0) { requiredFlags |= MemoryProtectionFlags.Execute; requiredFlags |= MemoryProtectionFlags.ExecuteRead; requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite; requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0) { requiredFlags |= MemoryProtectionFlags.WriteCopy; requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((excludedProtection & MemoryProtectionEnum.Write) != 0) { excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite; excludedFlags |= MemoryProtectionFlags.ReadWrite; } if ((excludedProtection & MemoryProtectionEnum.Execute) != 0) { excludedFlags |= MemoryProtectionFlags.Execute; excludedFlags |= MemoryProtectionFlags.ExecuteRead; excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite; excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0) { excludedFlags |= MemoryProtectionFlags.WriteCopy; excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy; } IEnumerable <MemoryBasicInformation64> memoryInfo = WindowsMemoryQuery.VirtualPages(process == null ? IntPtr.Zero : process.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes); IList <NormalizedRegion> regions = new List <NormalizedRegion>(); foreach (MemoryBasicInformation64 next in memoryInfo) { if (next.RegionSize < ChunkSize) { regions.Add(new NormalizedRegion(next.BaseAddress.ToUInt64(), next.RegionSize.ToInt32())); } else { // This region requires chunking Int64 remaining = next.RegionSize; UInt64 currentBaseAddress = next.BaseAddress.ToUInt64(); while (remaining >= ChunkSize) { regions.Add(new NormalizedRegion(currentBaseAddress, ChunkSize)); remaining -= ChunkSize; currentBaseAddress = currentBaseAddress.Add(ChunkSize, wrapAround: false); } if (remaining > 0) { regions.Add(new NormalizedRegion(currentBaseAddress, remaining.ToInt32())); } } } return(regions); }