예제 #1
0
        /// <summary>
        /// Creates a snapshot from modules in the selected process.
        /// </summary>
        /// <returns>The created snapshot.</returns>
        private static Snapshot CreateSnapshotFromHeaps(Process process)
        {
            // TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
            Snapshot snapshot = SnapshotQuery.CreateSnapshotFromUsermodeMemory(process);
            IEnumerable <NormalizedModule> modules = MemoryQueryer.Instance.GetModules(process);

            MemoryProtectionEnum requiredPageFlags = 0;
            MemoryProtectionEnum excludedPageFlags = 0;
            MemoryTypeEnum       allowedTypeFlags  = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;

            UInt64 startAddress = 0;
            UInt64 endAddress   = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);

            List <ReadGroup> memoryRegions = new List <ReadGroup>();
            IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
                process,
                requiredPageFlags,
                excludedPageFlags,
                allowedTypeFlags,
                startAddress,
                endAddress);

            foreach (NormalizedRegion virtualPage in virtualPages)
            {
                if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
                {
                    continue;
                }

                virtualPage.Align(ScanSettings.Alignment);
                memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
            }

            return(new Snapshot(null, memoryRegions));
        }
예제 #2
0
        /// <summary>
        /// Gets a snapshot based on the provided mode. Will not read any memory.
        /// </summary>
        /// <param name="snapshotCreationMode">The method of snapshot retrieval.</param>
        /// <returns>The collected snapshot.</returns>
        public static Snapshot GetSnapshot(Process process, SnapshotRetrievalMode snapshotCreationMode)
        {
            switch (snapshotCreationMode)
            {
            case SnapshotRetrievalMode.FromSettings:
                return(SnapshotQuery.CreateSnapshotFromSettings(process));

            case SnapshotRetrievalMode.FromUserModeMemory:
                return(SnapshotQuery.CreateSnapshotFromUsermodeMemory(process));

            case SnapshotRetrievalMode.FromModules:
                return(SnapshotQuery.CreateSnapshotFromModules(process));

            case SnapshotRetrievalMode.FromHeaps:
                return(SnapshotQuery.CreateSnapshotFromHeaps(process));

            case SnapshotRetrievalMode.FromStack:
                throw new NotImplementedException();

            default:
                Logger.Log(LogLevel.Error, "Unknown snapshot retrieval mode");
                return(null);
            }
        }