/// <summary>
/// Gets the allowed type settings for virtual memory queries based on the set type flags.
/// </summary>
/// <returns>The flags of the allowed types for virtual memory queries.</returns>
public MemoryTypeEnum GetAllowedTypeSettings()
{
MemoryTypeEnum result = 0;
if (Settings.Default.MemoryTypeNone)
{
result |= MemoryTypeEnum.None;
}
if (Settings.Default.MemoryTypePrivate)
{
result |= MemoryTypeEnum.Private;
}
if (Settings.Default.MemoryTypeImage)
{
result |= MemoryTypeEnum.Image;
}
if (Settings.Default.MemoryTypeMapped)
{
result |= MemoryTypeEnum.Mapped;
}
return(result);
}
/// <summary>
/// Creates a snapshot from all usermode memory. Will not read any memory.
/// </summary>
/// <returns>A snapshot created from usermode memory.</returns>
private static Snapshot CreateSnapshotFromUsermodeMemory(Process process)
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
UInt64 startAddress = 0;
UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr();
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from modules in the selected process.
/// </summary>
/// <returns>The created snapshot.</returns>
private static Snapshot CreateSnapshotFromHeaps(Process process)
{
// TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
Snapshot snapshot = SnapshotQuery.CreateSnapshotFromUsermodeMemory(process);
IEnumerable <NormalizedModule> modules = MemoryQueryer.Instance.GetModules(process);
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
UInt64 startAddress = 0;
UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
{
continue;
}
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
public Snapshot CreateSnapshotFromSettings()
{
MemoryProtectionEnum requiredPageFlags = SettingsViewModel.GetInstance().GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SettingsViewModel.GetInstance().GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SettingsViewModel.GetInstance().GetAllowedTypeSettings();
IntPtr startAddress, endAddress;
if (SettingsViewModel.GetInstance().IsUserMode)
{
startAddress = IntPtr.Zero;
endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress;
}
else
{
startAddress = SettingsViewModel.GetInstance().StartAddress.ToIntPtr();
endAddress = SettingsViewModel.GetInstance().EndAddress.ToIntPtr();
}
List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region (a more condensed representation of the information)
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(memoryRegions));
}
/// <summary>
/// Gets regions of memory allocated in the remote process based on provided parameters
/// </summary>
/// <param name="requiredProtection">Protection flags required to be present</param>
/// <param name="excludedProtection">Protection flags that must not be present</param>
/// <param name="allowedTypes">Memory types that can be present</param>
/// <param name="startAddress">The start address of the query range</param>
/// <param name="endAddress">The end address of the query range</param>
/// <returns>A collection of pointers to virtual pages in the target process</returns>
public IEnumerable <NormalizedRegion> GetVirtualPages(
MemoryProtectionEnum requiredProtection,
MemoryProtectionEnum excludedProtection,
MemoryTypeEnum allowedTypes,
IntPtr startAddress,
IntPtr endAddress)
{
MemoryProtectionFlags requiredFlags = 0;
MemoryProtectionFlags excludedFlags = 0;
if ((requiredProtection & MemoryProtectionEnum.Write) != 0)
{
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((requiredProtection & MemoryProtectionEnum.Execute) != 0)
{
requiredFlags |= MemoryProtectionFlags.Execute;
requiredFlags |= MemoryProtectionFlags.ExecuteRead;
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
requiredFlags |= MemoryProtectionFlags.WriteCopy;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.Write) != 0)
{
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((excludedProtection & MemoryProtectionEnum.Execute) != 0)
{
excludedFlags |= MemoryProtectionFlags.Execute;
excludedFlags |= MemoryProtectionFlags.ExecuteRead;
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
excludedFlags |= MemoryProtectionFlags.WriteCopy;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
return(Memory.VirtualPages(this.SystemProcess == null ? IntPtr.Zero : this.SystemProcess.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes)
.Select(x => new NormalizedRegion(x.BaseAddress, x.RegionSize.ToUInt64())));
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private static Snapshot CreateSnapshotFromSettings(Process process)
{
MemoryProtectionEnum requiredPageFlags = SnapshotQuery.GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SnapshotQuery.GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SnapshotQuery.GetAllowedTypeSettings();
UInt64 startAddress;
UInt64 endAddress;
if (ScanSettings.IsUserMode)
{
startAddress = 0;
endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
}
else
{
startAddress = ScanSettings.StartAddress;
endAddress = ScanSettings.EndAddress;
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Creates a snapshot from all usermode memory. Will not read any memory.
/// </summary>
/// <returns>A snapshot created from usermode memory.</returns>
private Snapshot CreateSnapshotFromUsermodeMemory()
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
IntPtr startAddress = IntPtr.Zero;
IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetMaxUsermodeAddress().ToIntPtr();
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
public Snapshot CreateSnapshotFromUsermodeMemory()
{
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image | MemoryTypeEnum.Mapped;
IntPtr startAddress = IntPtr.Zero;
IntPtr endAddress = EngineCore.GetInstance().VirtualMemory.GetUserModeRegion().EndAddress;
List <SnapshotRegion> memoryRegions = new List <SnapshotRegion>();
IEnumerable <NormalizedRegion> virtualPages = EngineCore.GetInstance().VirtualMemory.GetVirtualPages(
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
memoryRegions.Add(new SnapshotRegion(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(memoryRegions));
}
/// <summary>
/// Retrieves information about a range of pages within the virtual address space of a specified process.
/// </summary>
/// <param name="processHandle">A handle to the process whose memory information is queried.</param>
/// <param name="startAddress">A pointer to the starting address of the region of pages to be queried.</param>
/// <param name="endAddress">A pointer to the ending address of the region of pages to be queried.</param>
/// <param name="requiredProtection">Protection flags required to be present.</param>
/// <param name="excludedProtection">Protection flags that must not be present.</param>
/// <param name="allowedTypes">Memory types that can be present.</param>
/// <returns>
/// A collection of <see cref="MemoryBasicInformation64"/> structures containing info about all virtual pages in the target process.
/// </returns>
public static IEnumerable <MemoryBasicInformation64> VirtualPages(
IntPtr processHandle,
IntPtr startAddress,
IntPtr endAddress,
MemoryProtectionFlags requiredProtection,
MemoryProtectionFlags excludedProtection,
MemoryTypeEnum allowedTypes)
{
if (startAddress.ToUInt64() >= endAddress.ToUInt64())
{
yield return(new MemoryBasicInformation64());
}
Boolean wrappedAround = false;
Int32 queryResult;
// Enumerate the memory pages
do
{
// Allocate the structure to store information of memory
MemoryBasicInformation64 memoryInfo = new MemoryBasicInformation64();
if (!Environment.Is64BitProcess)
{
// 32 Bit struct is not the same
MemoryBasicInformation32 memoryInfo32 = new MemoryBasicInformation32();
// Query the memory region (32 bit native method)
queryResult = NativeMethods.VirtualQueryEx(processHandle, startAddress, out memoryInfo32, Marshal.SizeOf(memoryInfo32));
// Copy from the 32 bit struct to the 64 bit struct
memoryInfo.AllocationBase = memoryInfo32.AllocationBase;
memoryInfo.AllocationProtect = memoryInfo32.AllocationProtect;
memoryInfo.BaseAddress = memoryInfo32.BaseAddress;
memoryInfo.Protect = memoryInfo32.Protect;
memoryInfo.RegionSize = memoryInfo32.RegionSize;
memoryInfo.State = memoryInfo32.State;
memoryInfo.Type = memoryInfo32.Type;
}
else
{
// Query the memory region (64 bit native method)
queryResult = NativeMethods.VirtualQueryEx(processHandle, startAddress, out memoryInfo, Marshal.SizeOf(memoryInfo));
}
// Increment the starting address with the size of the page
IntPtr previousFrom = startAddress;
startAddress = startAddress.Add(memoryInfo.RegionSize);
if (previousFrom.ToUInt64() > startAddress.ToUInt64())
{
wrappedAround = true;
}
// Ignore free memory. These are unallocated memory regions.
if ((memoryInfo.State & MemoryStateFlags.Free) != 0)
{
continue;
}
// At least one readable memory flag is required
if ((memoryInfo.Protect & MemoryProtectionFlags.ReadOnly) == 0 && (memoryInfo.Protect & MemoryProtectionFlags.ExecuteRead) == 0 &&
(memoryInfo.Protect & MemoryProtectionFlags.ExecuteReadWrite) == 0 && (memoryInfo.Protect & MemoryProtectionFlags.ReadWrite) == 0)
{
continue;
}
// Do not bother with this shit, this memory is not worth scanning
if ((memoryInfo.Protect & MemoryProtectionFlags.ZeroAccess) != 0 || (memoryInfo.Protect & MemoryProtectionFlags.NoAccess) != 0 || (memoryInfo.Protect & MemoryProtectionFlags.Guard) != 0)
{
continue;
}
// Enforce allowed types
switch (memoryInfo.Type)
{
case MemoryTypeFlags.None:
if ((allowedTypes & MemoryTypeEnum.None) == 0)
{
continue;
}
break;
case MemoryTypeFlags.Private:
if ((allowedTypes & MemoryTypeEnum.Private) == 0)
{
continue;
}
break;
case MemoryTypeFlags.Image:
if ((allowedTypes & MemoryTypeEnum.Image) == 0)
{
continue;
}
break;
case MemoryTypeFlags.Mapped:
if ((allowedTypes & MemoryTypeEnum.Mapped) == 0)
{
continue;
}
break;
}
// Ensure at least one required protection flag is set
if (requiredProtection != 0 && (memoryInfo.Protect & requiredProtection) == 0)
{
continue;
}
// Ensure no ignored protection flags are set
if (excludedProtection != 0 && (memoryInfo.Protect & excludedProtection) != 0)
{
continue;
}
// Return the memory page
yield return(memoryInfo);
}while (startAddress.ToUInt64() < endAddress.ToUInt64() && queryResult != 0 && !wrappedAround);
}
/// <summary>
/// Gets regions of memory allocated in the remote process based on provided parameters.
/// </summary>
/// <param name="requiredProtection">Protection flags required to be present.</param>
/// <param name="excludedProtection">Protection flags that must not be present.</param>
/// <param name="allowedTypes">Memory types that can be present.</param>
/// <param name="startAddress">The start address of the query range.</param>
/// <param name="endAddress">The end address of the query range.</param>
/// <returns>A collection of pointers to virtual pages in the target process.</returns>
public IEnumerable <NormalizedRegion> GetVirtualPages(
Process process,
MemoryProtectionEnum requiredProtection,
MemoryProtectionEnum excludedProtection,
MemoryTypeEnum allowedTypes,
UInt64 startAddress,
UInt64 endAddress)
{
MemoryProtectionFlags requiredFlags = 0;
MemoryProtectionFlags excludedFlags = 0;
if ((requiredProtection & MemoryProtectionEnum.Write) != 0)
{
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((requiredProtection & MemoryProtectionEnum.Execute) != 0)
{
requiredFlags |= MemoryProtectionFlags.Execute;
requiredFlags |= MemoryProtectionFlags.ExecuteRead;
requiredFlags |= MemoryProtectionFlags.ExecuteReadWrite;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((requiredProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
requiredFlags |= MemoryProtectionFlags.WriteCopy;
requiredFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.Write) != 0)
{
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ReadWrite;
}
if ((excludedProtection & MemoryProtectionEnum.Execute) != 0)
{
excludedFlags |= MemoryProtectionFlags.Execute;
excludedFlags |= MemoryProtectionFlags.ExecuteRead;
excludedFlags |= MemoryProtectionFlags.ExecuteReadWrite;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
if ((excludedProtection & MemoryProtectionEnum.CopyOnWrite) != 0)
{
excludedFlags |= MemoryProtectionFlags.WriteCopy;
excludedFlags |= MemoryProtectionFlags.ExecuteWriteCopy;
}
IEnumerable <MemoryBasicInformation64> memoryInfo = WindowsMemoryQuery.VirtualPages(process == null ? IntPtr.Zero : process.Handle, startAddress, endAddress, requiredFlags, excludedFlags, allowedTypes);
IList <NormalizedRegion> regions = new List <NormalizedRegion>();
foreach (MemoryBasicInformation64 next in memoryInfo)
{
if (next.RegionSize < ChunkSize)
{
regions.Add(new NormalizedRegion(next.BaseAddress.ToUInt64(), next.RegionSize.ToInt32()));
}
else
{
// This region requires chunking
Int64 remaining = next.RegionSize;
UInt64 currentBaseAddress = next.BaseAddress.ToUInt64();
while (remaining >= ChunkSize)
{
regions.Add(new NormalizedRegion(currentBaseAddress, ChunkSize));
remaining -= ChunkSize;
currentBaseAddress = currentBaseAddress.Add(ChunkSize, wrapAround: false);
}
if (remaining > 0)
{
regions.Add(new NormalizedRegion(currentBaseAddress, remaining.ToInt32()));
}
}
}
return(regions);
}
/// <summary>
/// Gets all virtual pages in the opened process.
/// </summary>
/// <returns>A collection of regions in the process.</returns>
public IEnumerable <NormalizedRegion> GetAllVirtualPages(Process process)
{
MemoryTypeEnum flags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image | MemoryTypeEnum.Mapped;
return(this.GetVirtualPages(process, 0, 0, flags, 0, this.GetMaximumAddress(process)));
}
public HRESULT readMemory([NativeTypeName("enum MemoryTypeEnum")] MemoryTypeEnum type, [NativeTypeName("ULONGLONG")] ulong va, [NativeTypeName("DWORD")] uint cbData, [NativeTypeName("DWORD *")] uint *pcbData, byte *pbData)
{
return(((delegate * unmanaged <IDiaStackWalkFrame *, MemoryTypeEnum, ulong, uint, uint *, byte *, int>)(lpVtbl[5]))((IDiaStackWalkFrame *)Unsafe.AsPointer(ref this), type, va, cbData, pcbData, pbData));
}
int IDiaStackWalkHelper.readMemory(MemoryTypeEnum type, ulong va, uint cbData, out uint pcbData, byte[] pbData)
{
MemoryAccessor.ReadBytes((IntPtr)va, cbData, pbData);
pcbData = cbData;
return(S_OK);
}
