private static long GetMaxMemFileSize(IntPtr pmemAreaBaseAddr)
{
var mbi = new NativeMethods.MEMORY_BASIC_INFORMATION();
NativeMethods.VirtualQuery(ref pmemAreaBaseAddr, ref mbi, new IntPtr(Marshal.SizeOf(mbi)));
return(mbi.RegionSize.ToInt64());
}
private bool FindNeedleInMemory(List <NativeMethods.MEMORY_BASIC_INFORMATION> areas, int alignmentHint, Needle memoryNeedle, out long relativeByteOffset, out NativeMethods.MEMORY_BASIC_INFORMATION memoryPage, StatusUpdate.ProcessType updateType)
{
byte[] needle = new byte[] { (byte)memoryNeedle, 0x00, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0x3D, 0x00 };
currentStatus.Report(new StatusUpdate {
CurrentProcess = updateType, ProcessPercentage = 0.0f
});
for (int i = 0; i < areas.Count; i++)
{
currentStatus.Report(new StatusUpdate {
CurrentProcess = updateType, ProcessPercentage = i / (float)areas.Count
});
var area = areas[i];
byte[] buffer = new byte[area.RegionSize.ToInt64()];
int bytesRead = 0;
if (NativeMethods.ReadProcessMemory(processHandle, area.BaseAddress, buffer, area.RegionSize, ref bytesRead) == false)
{
int errorCode = Marshal.GetLastWin32Error();
if (errorCode == 299)
{
Trace.WriteLine("Couldn't read entire memory...");
}
else
{
Marshal.ThrowExceptionForHR(errorCode);
}
}
long startOffset = 0;
while (startOffset != -1)
{
startOffset = SearchBytes(buffer, needle, startOffset, alignmentHint);
if (startOffset != -1)
{
if (buffer[startOffset - 24] == 0x02)
{
relativeByteOffset = startOffset;
memoryPage = area;
currentStatus.Report(new StatusUpdate {
CurrentProcess = StatusUpdate.ProcessType.Done, ProcessPercentage = 1.0f, ReadyToWatch = true
});
return(true);
}
++startOffset;
}
}
}
relativeByteOffset = -1;
memoryPage = new NativeMethods.MEMORY_BASIC_INFORMATION();
currentStatus.Report(new StatusUpdate {
CurrentProcess = StatusUpdate.ProcessType.Done, ProcessPercentage = 1.0f
});
return(false);
}
private static bool HasReadAccess(IntPtr hProcess, IntPtr address, out int size)
{
size = 0;
var memInfo = new NativeMethods.MEMORY_BASIC_INFORMATION();
IntPtr result = NativeMethods.VirtualQueryEx(
hProcess,
address,
ref memInfo,
(IntPtr)Marshal.SizeOf(memInfo));
if (result == IntPtr.Zero)
{
return(false);
}
if (memInfo.Protect == NativeMethods.PAGE_NOACCESS || memInfo.Protect == NativeMethods.PAGE_EXECUTE)
{
return(false);
}
try
{
size = Convert.ToInt32(memInfo.RegionSize.ToInt64() - (address.ToInt64() - memInfo.BaseAddress.ToInt64()));
}
catch (OverflowException)
{
return(false);
}
if (size <= 0)
{
return(false);
}
return(true);
}
private long GetMaxMemFileSize(IntPtr pMemAreaBaseAddr)
{
NativeMethods.MEMORY_BASIC_INFORMATION mbi = new NativeMethods.MEMORY_BASIC_INFORMATION();
NativeMethods.VirtualQuery(ref pMemAreaBaseAddr, ref mbi, new IntPtr(Marshal.SizeOf(mbi)));
return mbi.RegionSize.ToInt64();
}
private List <NativeMethods.MEMORY_BASIC_INFORMATION> FetchMemoryPages()
{
currentStatus.Report(new StatusUpdate {
CurrentProcess = StatusUpdate.ProcessType.ReadingMemory, ProcessPercentage = 0f
});
List <NativeMethods.MEMORY_BASIC_INFORMATION> areas = new List <NativeMethods.MEMORY_BASIC_INFORMATION>();
NativeMethods.SYSTEM_INFO sys_info = new NativeMethods.SYSTEM_INFO();
NativeMethods.GetSystemInfo(out sys_info);
IntPtr proc_min_address = sys_info.minimumApplicationAddress;
IntPtr proc_max_address = sys_info.maximumApplicationAddress;
long proc_min_address_l = proc_min_address.ToInt64();
long proc_max_address_l = proc_max_address.ToInt64();
// this will store any information we get from VirtualQueryEx()
NativeMethods.MEMORY_BASIC_INFORMATION mem_basic_info = new NativeMethods.MEMORY_BASIC_INFORMATION();
long startAt = proc_min_address_l;
while (proc_min_address_l < proc_max_address_l)
{
currentStatus.Report(new StatusUpdate {
CurrentProcess = StatusUpdate.ProcessType.ReadingMemory, ProcessPercentage = 1 - (proc_max_address_l - proc_min_address_l) / (float)(proc_max_address_l - startAt)
});
// 28 = sizeof(NativeMethods.MEMORY_BASIC_INFORMATION)
NativeMethods.VirtualQueryEx(processHandle, proc_min_address, out mem_basic_info, new UIntPtr(48));
int errorCode = Marshal.GetLastWin32Error();
switch (errorCode)
{
case 0:
// intentionally void
break;
case 299:
Trace.WriteLine("Couldn't read entire memory...");
break;
default:
Marshal.ThrowExceptionForHR(errorCode);
break;
}
// if this memory chunk is accessible
long regionSize = mem_basic_info.RegionSize.ToInt64();
if (mem_basic_info.Protect == NativeMethods.AllocationProtectEnum.PAGE_READWRITE && mem_basic_info.State == NativeMethods.StateEnum.MEM_COMMIT)
{
// memory area containing our byte usually are more than 100kb big
if (mem_basic_info.RegionSize.ToInt64() >= 0x10000)
{
areas.Add(mem_basic_info);
}
}
// move to the next memory chunk
proc_min_address_l += regionSize;
proc_min_address = new IntPtr(proc_min_address_l);
}
currentStatus.Report(new StatusUpdate {
CurrentProcess = StatusUpdate.ProcessType.ReadingMemory, ProcessPercentage = 1.0f
});
return(areas);
}
private static bool HasReadAccess(IntPtr hProcess, IntPtr address, out int size)
{
size = 0;
var memInfo = new NativeMethods.MEMORY_BASIC_INFORMATION();
IntPtr result = NativeMethods.VirtualQueryEx(
hProcess,
address,
ref memInfo,
(IntPtr)Marshal.SizeOf(memInfo));
if (result == IntPtr.Zero)
{
return false;
}
if (memInfo.Protect == NativeMethods.PAGE_NOACCESS || memInfo.Protect == NativeMethods.PAGE_EXECUTE)
{
return false;
}
try
{
size = Convert.ToInt32(memInfo.RegionSize.ToInt64() - (address.ToInt64() - memInfo.BaseAddress.ToInt64()));
}
catch (OverflowException)
{
return false;
}
if (size <= 0)
{
return false;
}
return true;
}
