/// <summary>
/// Gets a snapshot based on the provided mode. Will not read any memory.
/// </summary>
/// <param name="snapshotCreationMode">The method of snapshot retrieval.</param>
/// <param name="dataType">The data type handed to the snapshot builders; not used for <see cref="Snapshot.SnapshotRetrievalMode.FromActiveSnapshot"/>.</param>
/// <returns>The collected snapshot, or null when the retrieval mode is not recognized (an error is logged in that case).</returns>
/// <exception cref="NotImplementedException">Thrown for <see cref="Snapshot.SnapshotRetrievalMode.FromStack"/>, which is not yet supported.</exception>
public static Snapshot GetSnapshot(Snapshot.SnapshotRetrievalMode snapshotCreationMode, DataType dataType)
{
    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromActiveSnapshot)
    {
        return SnapshotManager.GetActiveSnapshot();
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromActiveSnapshotOrPrefilter)
    {
        return SnapshotManager.GetActiveSnapshotCreateIfNone(dataType);
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromSettings)
    {
        return SnapshotManager.CreateSnapshotFromSettings(dataType);
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromUserModeMemory)
    {
        return SnapshotManager.CreateSnapshotFromUsermodeMemory(dataType);
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromModules)
    {
        return SnapshotManager.CreateSnapshotFromModules(dataType);
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromHeaps)
    {
        return SnapshotManager.CreateSnapshotFromHeaps(dataType);
    }

    if (snapshotCreationMode == Snapshot.SnapshotRetrievalMode.FromStack)
    {
        // Stack snapshots have no builder yet; fail loudly rather than returning a partial snapshot.
        throw new NotImplementedException();
    }

    // Any value outside the known enum members is reported and yields no snapshot.
    Logger.Log(LogLevel.Error, "Unknown snapshot retrieval mode");
    return null;
}
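/// <summary>
/// Creates a snapshot approximating the heaps of the selected process.
/// </summary>
/// <remarks>
/// TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
/// </remarks>
/// <param name="dataType">The data type assigned to every read group in the created snapshot.</param>
/// <returns>The created snapshot.</returns>
private static Snapshot CreateSnapshotFromHeaps(DataType dataType)
{
    // No required or excluded protection flags: every usermode page of type Private or Image is a candidate.
    MemoryProtectionEnum requiredPageFlags = 0;
    MemoryProtectionEnum excludedPageFlags = 0;
    MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
    UInt64 startAddress = 0;
    UInt64 endAddress = Query.Default.GetMaxUsermodeAddress();

    IEnumerable<NormalizedRegion> virtualPages = Query.Default.GetVirtualPages(
        requiredPageFlags,
        excludedPageFlags,
        allowedTypeFlags,
        startAddress,
        endAddress);

    // Materialize the module base addresses once: the module query is enumerated a single time
    // and the per-page exclusion check below becomes O(1) instead of a linear scan per page.
    HashSet<UInt64> moduleBaseAddresses = new HashSet<UInt64>(Query.Default.GetModules().Select(module => module.BaseAddress));

    List<ReadGroup> memoryRegions = new List<ReadGroup>();

    foreach (NormalizedRegion virtualPage in virtualPages)
    {
        // NOTE(review): only a region whose base equals a module base is excluded. If a module spans
        // several regions, its non-leading regions are still included — confirm against GetVirtualPages.
        if (moduleBaseAddresses.Contains(virtualPage.BaseAddress))
        {
            continue;
        }

        memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize, dataType, ScanSettings.Default.Alignment));
    }

    return new Snapshot(null, memoryRegions);
}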