/// <summary> /// Searches through the target process's memory and identifies regions that are of interest, when scanning. /// Creates a Region and saves it to the list of Regions for future scans. /// </summary> /// <param name="minAddress">The minimum address that should be used, during this search.</param> /// <param name="maxAddress">The maximum address that should be used, during this search.</param> /// <returns>Returns true on successfully identifying regions in the target's memory.</returns> public bool IdentifyRegions(ulong minAddress = 0, ulong maxAddress = 0) { if (!this.IsOpen) { this.Status.Log( "Unable to identify regions, because the target process has not been opened.", Logger.Level.HIGH); return(false); } if (maxAddress == 0) { maxAddress = (ulong)SysInteractor.MaxAddress; } WinApi.MEMORY_BASIC_INFORMATION mbi = new WinApi.MEMORY_BASIC_INFORMATION(); ulong address = minAddress; bool result = true; this.Regions.Clear(); while (address < maxAddress) { result = WinApi.VirtualQueryEx(Proc.Handle, (IntPtr)address, out mbi, (uint)Marshal.SizeOf(mbi)); if (result && IsReadable(mbi)) { Region r = new Region((IntPtr)address, (uint)mbi.RegionSize, mbi.Protect, mbi.Type); this.Regions.Add(r); } address += (ulong)mbi.RegionSize; } return(this.Regions.Count > 0); }
/// <summary> /// Determines if the provided address is readable for the specified number of bytes. /// </summary> /// <param name="mbi">The memory basic information variable containing data about the target region.</param> /// <returns>Returns true if the provided address is readable for the specified number of bytes.</returns> public bool IsReadable(WinApi.MEMORY_BASIC_INFORMATION mbi) { if (!this.IsOpen) { this.Status.Log( "Unable to determine memory range readability, because the target process has not been opened.", Logger.Level.HIGH); return(false); } return ((mbi.Protect == WinApi.MemoryProtect.PAGE_READWRITE || mbi.Protect == WinApi.MemoryProtect.PAGE_EXECUTE_READWRITE || mbi.Protect == WinApi.MemoryProtect.PAGE_WRITECOPY || mbi.Protect == WinApi.MemoryProtect.PAGE_READONLY || mbi.Protect == WinApi.MemoryProtect.PAGE_EXECUTE_READ) && (mbi.Type != WinApi.MemoryType.MEM_MAPPED)); }
/// <summary> /// Determines if the page in which address appears is readable. /// </summary> /// <param name="address">The address to test for readability.</param> /// <returns>Returns true if the provided address is readable for the specified number of bytes.</returns> public bool IsReadable(IntPtr address) { if (!this.IsOpen) { this.Status.Log( "Unable to determine memory range readability, because the target process has not been opened.", Logger.Level.HIGH); return(false); } WinApi.MEMORY_BASIC_INFORMATION mbi = new WinApi.MEMORY_BASIC_INFORMATION(); if (WinApi.VirtualQueryEx(this.ProcHandle, address, out mbi, (uint)Marshal.SizeOf(mbi))) { this.Status.Log( "Unable to determine memory range readability, because the target memory range could not be " + "analyzed with VirtualQueryEx.", Logger.Level.HIGH); return(false); } return(this.IsReadable(mbi)); }