private static string InspectProc(Process process, ref List <MatchInfo> lstMatch)
{
string res;
IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);
if (processHandle.ToInt64() == 0)
{
int err = Marshal.GetLastWin32Error();
}
res = SearchProc(processHandle, ref lstMatch, process.ProcessName);
MInterop.CloseHandle(processHandle);
return(res);
}
private static string SearchProc(IntPtr processHandle, ref List <MatchInfo> lstMatch, string processName)
{
string res = "";
MInterop.SYSTEM_INFO si = new MInterop.SYSTEM_INFO();
MInterop.GetSystemInfo(out si);
long createdSize = 1;
byte[] lpBuffer = new byte[createdSize];
Int64 total = 0;
long regionStart = si.minimumApplicationAddress.ToInt64();
bool skipRegion = false;
bool stop = false;
while (regionStart < si.maximumApplicationAddress.ToInt64() && !stop)
{
MInterop.MEMORY_BASIC_INFORMATION memInfo;
long regionRead = 0;
long regionSize;
int resulq = MInterop.VirtualQueryEx(processHandle, (IntPtr)regionStart, out memInfo, (uint)Marshal.SizeOf(typeof(MInterop.MEMORY_BASIC_INFORMATION)));
if (resulq == 0)
{
int err = Marshal.GetLastWin32Error();
Marshal.ThrowExceptionForHR(err);
break;
}
regionSize = (memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64() - regionStart);
if (MInterop.IsDataRegion(memInfo) == false)
{
}
if (skipRegion)
{
skipRegion = false;
}
else
if (MInterop.IsDataRegion(memInfo))
{
if (createdSize < regionSize)
{
createdSize = regionSize;
lpBuffer = new byte[createdSize];
}
bool resRead = false;
try
{
resRead = MInterop.ReadProcessMemory(processHandle, new IntPtr(regionStart), lpBuffer, regionSize, out regionRead);
}
catch
{
resRead = false;
}
regionSize = (int)regionRead;
if (!resRead)
{
skipRegion = true;
}
if (resRead)
{
List <string> strsTolook = new List <string>();
string str1 = UnicodeEncoding.Unicode.GetString(lpBuffer, 0, (int)regionRead);
string str11 = UnicodeEncoding.Unicode.GetString(lpBuffer, 0 + 1, (int)regionRead - 1);
string str4 = UnicodeEncoding.ASCII.GetString(lpBuffer, 0, (int)regionRead);
strsTolook.Add(str1);
strsTolook.Add(str4);
strsTolook.Add(str11);
foreach (RegexRecord regexRec in regexes)
{
foreach (string str in strsTolook)
{
MatchCollection matches3 = regexRec.Regex.Matches(str);
if (matches3.Count > 0)
{
for (int i = 0; i < matches3.Count; i++)
{
if (matches3[i].Success && IsMatchesContain(lstMatch, matches3[i].Value) == false && IsRegexRecordsContain(matches3[i].Value) == false)
{
MatchInfo m = new MatchInfo();
m.PatternName = regexRec.Name;
m.PatternMatch = matches3[i].Value;
m.ProcessName = processName;
lstMatch.Add(m);
}
}
res = matches3[0].Value;
}
}
}
}
total += regionSize;
}
regionStart += regionSize;
}
return(res);
}
