public UIntPtr VirtualQueryEx(IntPtr hProcess, UIntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer)
{
UIntPtr retVal;
// TODO: Need to change this to only check once.
if (mProc.Is64Bit || IntPtr.Size == 8)
{
// 64 bit
MEMORY_BASIC_INFORMATION64 tmp64 = new MEMORY_BASIC_INFORMATION64();
retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp64, new UIntPtr((uint)Marshal.SizeOf(tmp64)));
lpBuffer.BaseAddress = tmp64.BaseAddress;
lpBuffer.AllocationBase = tmp64.AllocationBase;
lpBuffer.AllocationProtect = tmp64.AllocationProtect;
lpBuffer.RegionSize = (long)tmp64.RegionSize;
lpBuffer.State = tmp64.State;
lpBuffer.Protect = tmp64.Protect;
lpBuffer.Type = tmp64.Type;
return(retVal);
}
MEMORY_BASIC_INFORMATION32 tmp32 = new MEMORY_BASIC_INFORMATION32();
retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp32, new UIntPtr((uint)Marshal.SizeOf(tmp32)));
lpBuffer.BaseAddress = tmp32.BaseAddress;
lpBuffer.AllocationBase = tmp32.AllocationBase;
lpBuffer.AllocationProtect = tmp32.AllocationProtect;
lpBuffer.RegionSize = tmp32.RegionSize;
lpBuffer.State = tmp32.State;
lpBuffer.Protect = tmp32.Protect;
lpBuffer.Type = tmp32.Type;
return(retVal);
}
public static MEMORY_BASIC_INFORMATION64 GetMemInfo32(IntPtr ProcessHandle, IntPtr MinAddress)
{
var MemInfo = new MEMORY_BASIC_INFORMATION32();
int QueryResult = VirtualQueryEx(ProcessHandle, MinAddress, out MemInfo, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION32)));
if (QueryResult == 0)
{
Debug.WriteLine("Error on VirtualQueryEx, returned 0!");
}
return(MapMemInfo(MemInfo));
}
private static MEMORY_BASIC_INFORMATION64 MapMemInfo(MEMORY_BASIC_INFORMATION32 memInfo)
{
MEMORY_BASIC_INFORMATION64 result = new MEMORY_BASIC_INFORMATION64();
result.AllocationBase = (ulong)memInfo.AllocationBase;
result.AllocationProtect = (uint)memInfo.AllocationProtect;
result.BaseAddress = (ulong)memInfo.BaseAddress;
result.Protect = (uint)memInfo.Protect;
result.RegionSize = (ulong)memInfo.RegionSize;
result.State = (uint)memInfo.State;
result.Type = (uint)memInfo.Type;
return(result);
}
private string GetMemoryProtectFlags(IntPtr offset)
{
try
{
System.Text.StringBuilder sb = new System.Text.StringBuilder();
#if x64
MEMORY_BASIC_INFORMATION64 memBasicInfo = new MEMORY_BASIC_INFORMATION64();
VirtualQueryEx(ProcessHandle, offset, out memBasicInfo, memoryBasicInfoSize);
sb.AppendLine("[MEMORY_BASIC_INFORMATION64]");
sb.AppendFormat("BaseAddress: {0}\r\n", memBasicInfo.BaseAddress);
sb.AppendFormat("AllocationBase: {0}\r\n", memBasicInfo.AllocationBase);
sb.AppendFormat("AllocationProtect: {0}\r\n", memBasicInfo.AllocationProtect);
sb.AppendFormat("__alignment1: {0}\r\n", memBasicInfo.__alignment1);
sb.AppendFormat("RegionSize: {0}\r\n", memBasicInfo.RegionSize);
sb.AppendFormat("State: {0}\r\n", memBasicInfo.State);
sb.AppendFormat("Protect: {0}\r\n", memBasicInfo.Protect);
sb.AppendFormat("Type: {0}\r\n", memBasicInfo.Type);
sb.AppendFormat("__alignment2: {0}\r\n", memBasicInfo.__alignment2);
#else
MEMORY_BASIC_INFORMATION32 memBasicInfo = new MEMORY_BASIC_INFORMATION32();
VirtualQueryEx(ProcessHandle, offset, out memBasicInfo, memoryBasicInfoSize);
sb.AppendLine("[MEMORY_BASIC_INFORMATION32]");
sb.AppendFormat("BaseAddress: {0}\r\n", memBasicInfo.BaseAddress);
sb.AppendFormat("AllocationBase: {0}\r\n", memBasicInfo.AllocationBase);
sb.AppendFormat("AllocationProtect: {0}\r\n", memBasicInfo.AllocationProtect);
sb.AppendFormat("RegionSize: {0}\r\n", memBasicInfo.RegionSize);
sb.AppendFormat("State: {0}\r\n", memBasicInfo.State);
sb.AppendFormat("Protect: {0}\r\n", memBasicInfo.Protect);
sb.AppendFormat("Type: {0}\r\n", memBasicInfo.Type);
#endif
return(sb.ToString());
}
catch (Exception ex)
{
return(string.Format("[GetMemoryProtectFlags EXCEPTION: {0}]", ex.ToString()));
}
}
public static UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
out MEMORY_BASIC_INFORMATION lpBuffer, bool x64)
{
UIntPtr retVal;
if (x64)
{
// 64 bit
var tmp64 = new MEMORY_BASIC_INFORMATION64();
retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp64,
new UIntPtr((uint)Marshal.SizeOf(tmp64)));
lpBuffer.BaseAddress = tmp64.BaseAddress;
lpBuffer.AllocationBase = tmp64.AllocationBase;
lpBuffer.AllocationProtect = tmp64.AllocationProtect;
lpBuffer.RegionSize = (long)tmp64.RegionSize;
lpBuffer.State = tmp64.State;
lpBuffer.Protect = tmp64.Protect;
lpBuffer.Type = tmp64.Type;
return(retVal);
}
var tmp32 = new MEMORY_BASIC_INFORMATION32();
retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp32, new UIntPtr((uint)Marshal.SizeOf(tmp32)));
lpBuffer.BaseAddress = tmp32.BaseAddress;
lpBuffer.AllocationBase = tmp32.AllocationBase;
lpBuffer.AllocationProtect = tmp32.AllocationProtect;
lpBuffer.RegionSize = tmp32.RegionSize;
lpBuffer.State = tmp32.State;
lpBuffer.Protect = tmp32.Protect;
lpBuffer.Type = tmp32.Type;
return(retVal);
}
public static extern UIntPtr Native_VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
out MEMORY_BASIC_INFORMATION32 lpBuffer, UIntPtr dwLength);
public static extern Int32 VirtualQueryEx32(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, UInt32 dwLength);
public static extern int VirtualQueryEx(Int32 hProcess, Int32 lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, uint dwLength);
public static extern int VirtualQueryEx(Int32 hProcess, Int32 lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, uint dwLength);
private static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, int dwLength);
private void searchValue(ulong value, bool newSearch)
{
byte[] pattern = new byte[4];
pattern[0] = (byte)(value & 0x000000FF);
pattern[1] = (byte)((value & 0x0000FF00) >> 8);
pattern[2] = (byte)((value & 0x00FF0000) >> 16);
pattern[3] = (byte)((value & 0xFF000000) >> 24);
MEMORY_BASIC_INFORMATION32 mbi = new MEMORY_BASIC_INFORMATION32();
int mbiSize = Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION32));
SYSTEM_INFO si = new SYSTEM_INFO();
GetSystemInfo(out si);
if (newSearch)
{
IntPtr currentAddress = si.MinimumApplicationAddress;
while ((long)currentAddress < (long)si.MaximumApplicationAddress)
{
if (VirtualQueryEx(hProc, currentAddress, out mbi, mbiSize) == mbiSize)
{
if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_READONLY && mbi.Protect != PAGE_EXECUTE_READ && mbi.Protect != PAGE_GUARD && mbi.Protect != PAGE_NOACCESS && (long)mbi.RegionSize > 0)
{
if (byteBuffer.Length < (long)mbi.RegionSize)
{
byteBuffer = new byte[(long)mbi.RegionSize];
}
int bytesRead;
ReadProcessMemory(hProc, mbi.BaseAddress, byteBuffer, (uint)mbi.RegionSize, out bytesRead);
int offset = 0;
while (offset < (long)mbi.RegionSize)
{
int p = pos(byteBuffer, pattern, offset, (int)mbi.RegionSize);
if (p < 0)
{
break;
}
else
{
addrList.Add((long)mbi.BaseAddress + p);
offset = p + 1;
}
}
}
}
currentAddress = (IntPtr)((long)mbi.BaseAddress + (long)mbi.RegionSize);
backgroundWorker.ReportProgress((int)(((long)currentAddress * 100) / (long)(si.MaximumApplicationAddress)));
}
}
else
{
int k = addrList.Count;
for (int i = addrList.Count - 1; i >= 0; i--)
{
int bytesRead;
ReadProcessMemory(hProc, (IntPtr)addrList[i], byteBuffer, 4, out bytesRead);
if (pos(byteBuffer, pattern, 0, 4) < 0)
{
addrList.RemoveAt(i);
}
backgroundWorker.ReportProgress((100 * (k - i)) / k);
}
}
}
