public UIntPtr VirtualQueryEx(IntPtr hProcess, UIntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer) { UIntPtr retVal; // TODO: Need to change this to only check once. if (mProc.Is64Bit || IntPtr.Size == 8) { // 64 bit MEMORY_BASIC_INFORMATION64 tmp64 = new MEMORY_BASIC_INFORMATION64(); retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp64, new UIntPtr((uint)Marshal.SizeOf(tmp64))); lpBuffer.BaseAddress = tmp64.BaseAddress; lpBuffer.AllocationBase = tmp64.AllocationBase; lpBuffer.AllocationProtect = tmp64.AllocationProtect; lpBuffer.RegionSize = (long)tmp64.RegionSize; lpBuffer.State = tmp64.State; lpBuffer.Protect = tmp64.Protect; lpBuffer.Type = tmp64.Type; return(retVal); } MEMORY_BASIC_INFORMATION32 tmp32 = new MEMORY_BASIC_INFORMATION32(); retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp32, new UIntPtr((uint)Marshal.SizeOf(tmp32))); lpBuffer.BaseAddress = tmp32.BaseAddress; lpBuffer.AllocationBase = tmp32.AllocationBase; lpBuffer.AllocationProtect = tmp32.AllocationProtect; lpBuffer.RegionSize = tmp32.RegionSize; lpBuffer.State = tmp32.State; lpBuffer.Protect = tmp32.Protect; lpBuffer.Type = tmp32.Type; return(retVal); }
public static MEMORY_BASIC_INFORMATION64 GetMemInfo32(IntPtr ProcessHandle, IntPtr MinAddress) { var MemInfo = new MEMORY_BASIC_INFORMATION32(); int QueryResult = VirtualQueryEx(ProcessHandle, MinAddress, out MemInfo, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION32))); if (QueryResult == 0) { Debug.WriteLine("Error on VirtualQueryEx, returned 0!"); } return(MapMemInfo(MemInfo)); }
private static MEMORY_BASIC_INFORMATION64 MapMemInfo(MEMORY_BASIC_INFORMATION32 memInfo) { MEMORY_BASIC_INFORMATION64 result = new MEMORY_BASIC_INFORMATION64(); result.AllocationBase = (ulong)memInfo.AllocationBase; result.AllocationProtect = (uint)memInfo.AllocationProtect; result.BaseAddress = (ulong)memInfo.BaseAddress; result.Protect = (uint)memInfo.Protect; result.RegionSize = (ulong)memInfo.RegionSize; result.State = (uint)memInfo.State; result.Type = (uint)memInfo.Type; return(result); }
private string GetMemoryProtectFlags(IntPtr offset) { try { System.Text.StringBuilder sb = new System.Text.StringBuilder(); #if x64 MEMORY_BASIC_INFORMATION64 memBasicInfo = new MEMORY_BASIC_INFORMATION64(); VirtualQueryEx(ProcessHandle, offset, out memBasicInfo, memoryBasicInfoSize); sb.AppendLine("[MEMORY_BASIC_INFORMATION64]"); sb.AppendFormat("BaseAddress: {0}\r\n", memBasicInfo.BaseAddress); sb.AppendFormat("AllocationBase: {0}\r\n", memBasicInfo.AllocationBase); sb.AppendFormat("AllocationProtect: {0}\r\n", memBasicInfo.AllocationProtect); sb.AppendFormat("__alignment1: {0}\r\n", memBasicInfo.__alignment1); sb.AppendFormat("RegionSize: {0}\r\n", memBasicInfo.RegionSize); sb.AppendFormat("State: {0}\r\n", memBasicInfo.State); sb.AppendFormat("Protect: {0}\r\n", memBasicInfo.Protect); sb.AppendFormat("Type: {0}\r\n", memBasicInfo.Type); sb.AppendFormat("__alignment2: {0}\r\n", memBasicInfo.__alignment2); #else MEMORY_BASIC_INFORMATION32 memBasicInfo = new MEMORY_BASIC_INFORMATION32(); VirtualQueryEx(ProcessHandle, offset, out memBasicInfo, memoryBasicInfoSize); sb.AppendLine("[MEMORY_BASIC_INFORMATION32]"); sb.AppendFormat("BaseAddress: {0}\r\n", memBasicInfo.BaseAddress); sb.AppendFormat("AllocationBase: {0}\r\n", memBasicInfo.AllocationBase); sb.AppendFormat("AllocationProtect: {0}\r\n", memBasicInfo.AllocationProtect); sb.AppendFormat("RegionSize: {0}\r\n", memBasicInfo.RegionSize); sb.AppendFormat("State: {0}\r\n", memBasicInfo.State); sb.AppendFormat("Protect: {0}\r\n", memBasicInfo.Protect); sb.AppendFormat("Type: {0}\r\n", memBasicInfo.Type); #endif return(sb.ToString()); } catch (Exception ex) { return(string.Format("[GetMemoryProtectFlags EXCEPTION: {0}]", ex.ToString())); } }
public static UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, bool x64) { UIntPtr retVal; if (x64) { // 64 bit var tmp64 = new MEMORY_BASIC_INFORMATION64(); retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp64, new UIntPtr((uint)Marshal.SizeOf(tmp64))); lpBuffer.BaseAddress = tmp64.BaseAddress; lpBuffer.AllocationBase = tmp64.AllocationBase; lpBuffer.AllocationProtect = tmp64.AllocationProtect; lpBuffer.RegionSize = (long)tmp64.RegionSize; lpBuffer.State = tmp64.State; lpBuffer.Protect = tmp64.Protect; lpBuffer.Type = tmp64.Type; return(retVal); } var tmp32 = new MEMORY_BASIC_INFORMATION32(); retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp32, new UIntPtr((uint)Marshal.SizeOf(tmp32))); lpBuffer.BaseAddress = tmp32.BaseAddress; lpBuffer.AllocationBase = tmp32.AllocationBase; lpBuffer.AllocationProtect = tmp32.AllocationProtect; lpBuffer.RegionSize = tmp32.RegionSize; lpBuffer.State = tmp32.State; lpBuffer.Protect = tmp32.Protect; lpBuffer.Type = tmp32.Type; return(retVal); }
public static extern UIntPtr Native_VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, UIntPtr dwLength);
public static extern Int32 VirtualQueryEx32(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, UInt32 dwLength);
public static extern int VirtualQueryEx(Int32 hProcess, Int32 lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, uint dwLength);
private static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, int dwLength);
private void searchValue(ulong value, bool newSearch) { byte[] pattern = new byte[4]; pattern[0] = (byte)(value & 0x000000FF); pattern[1] = (byte)((value & 0x0000FF00) >> 8); pattern[2] = (byte)((value & 0x00FF0000) >> 16); pattern[3] = (byte)((value & 0xFF000000) >> 24); MEMORY_BASIC_INFORMATION32 mbi = new MEMORY_BASIC_INFORMATION32(); int mbiSize = Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION32)); SYSTEM_INFO si = new SYSTEM_INFO(); GetSystemInfo(out si); if (newSearch) { IntPtr currentAddress = si.MinimumApplicationAddress; while ((long)currentAddress < (long)si.MaximumApplicationAddress) { if (VirtualQueryEx(hProc, currentAddress, out mbi, mbiSize) == mbiSize) { if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_READONLY && mbi.Protect != PAGE_EXECUTE_READ && mbi.Protect != PAGE_GUARD && mbi.Protect != PAGE_NOACCESS && (long)mbi.RegionSize > 0) { if (byteBuffer.Length < (long)mbi.RegionSize) { byteBuffer = new byte[(long)mbi.RegionSize]; } int bytesRead; ReadProcessMemory(hProc, mbi.BaseAddress, byteBuffer, (uint)mbi.RegionSize, out bytesRead); int offset = 0; while (offset < (long)mbi.RegionSize) { int p = pos(byteBuffer, pattern, offset, (int)mbi.RegionSize); if (p < 0) { break; } else { addrList.Add((long)mbi.BaseAddress + p); offset = p + 1; } } } } currentAddress = (IntPtr)((long)mbi.BaseAddress + (long)mbi.RegionSize); backgroundWorker.ReportProgress((int)(((long)currentAddress * 100) / (long)(si.MaximumApplicationAddress))); } } else { int k = addrList.Count; for (int i = addrList.Count - 1; i >= 0; i--) { int bytesRead; ReadProcessMemory(hProc, (IntPtr)addrList[i], byteBuffer, 4, out bytesRead); if (pos(byteBuffer, pattern, 0, 4) < 0) { addrList.RemoveAt(i); } backgroundWorker.ReportProgress((100 * (k - i)) / k); } } }