예제 #1
0
 void AddToList(MWFound p)
 {
     this.Invoke((MethodInvoker)delegate()
     {
         if (!ContailsAlredy(p))
         {
             ListViewItem i = new ListViewItem(p.Proc.ProcessName);
             i.SubItems.Add(p.DisplayMember);
             i.SubItems.Add(p.Proc.Id.ToString());
             try
             {
                 i.SubItems.Add(p.Proc.Modules[0].FileName);
             }
             catch
             {
                 i.SubItems.Add("Access denied.");
             }
             i.Tag = p;
             listView1.Items.Add(i);
         }
     });
 }
예제 #2
0
        void seekMemThread()
        {
            int blocksize = 1000;
            Process[] currentProcesses = Process.GetProcesses();
            MEMORY_BASIC_INFORMATION mi;
            uint memoryScanned = 0;
            byte[] buffer = new byte[blocksize];
            int t_int;
            bool is64;

            int longestSig = 0;
            foreach (var swSig in sigDatabase)
            {
                if (swSig.Value.Length > longestSig)
                    longestSig = swSig.Value.Length;
            }
            if (longestSig <= blocksize)
                blocksize = longestSig + 1;

            foreach (Process p in currentProcesses)
            {
                memoryScanned = 0;
                try
                {
                    IsWow64Process(p.Handle, out is64);
                    if (p.Handle == IntPtr.Zero)
                    {
                        // Console.WriteLine("Ignred process {0}", p.ProcessName);
                        continue;
                    }
                }
                catch
                {
                    continue;
                }
                //Console.WriteLine("[{0}] Scanning...", p.Id);
                mi = new MEMORY_BASIC_INFORMATION();
                try
                {
                    bool breakProc = false;
                    while (VirtualQueryEx(p.Handle, (IntPtr)memoryScanned, out mi, (uint)blocksize) != 0)
                    {
                        breakProc = false;
                        if ((mi.Type == (int)AccessType.MEM_PRIVATE || mi.Type == (int)AccessType.MEM_MAPPED) && mi.State == (int)AccessType.COMMIT && mi.Protect != (int)AccessType.PAGE_NOACCESS)
                        {
                            for (int i = (int)mi.BaseAddress; i < (int)mi.BaseAddress + mi.RegionSize; i += blocksize - longestSig)
                            {
                                if (ReadProcessMemory(p.Handle, (IntPtr)i, buffer, blocksize, out t_int))
                                {
                                    foreach (var swSig in sigDatabase)
                                    {
                                        if (System.Text.Encoding.UTF8.GetString(buffer).ToLower().Contains(swSig.Value.ToLower()))
                                        {
                                            MWFound m = new MWFound();
                                            m.Proc = p;
                                            m.DisplayMember = swSig.Key;
                                            AddToList(m);
                                            breakProc = true;
                                            break;
                                        }
                                    }
                                }
                            }
                            if (breakProc)
                                break;
                        }
                        memoryScanned += mi.RegionSize;
                    }
                }
                catch
                {
                    continue;
                }
            }
            SetButtonness(true);
        }
예제 #3
0
 bool ContailsAlredy(MWFound p)
 {
     foreach (ListViewItem i in listView1.Items)
     {
         MWFound mw = (MWFound)i.Tag;
         if (mw.Proc.Id == p.Proc.Id)
             return true;
     }
     return false;
 }