Пример #1
        /// <summary>
        /// Read a number of bytes from a process's memory into a byte array
        /// </summary>
        /// <param name="pInfo"></param>
        /// <param name="address"></param>
        /// <param name="bytes"></param>
        /// <returns>bytes read</returns>
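        public static byte[] ReadBytesFromMemory(ProcessInfo pInfo, IntPtr address, int bytes)
        {
            // Reads `bytes` bytes at `address` in the target process and returns them in a
            // newly allocated array. The array is always `bytes` long: if the read fails or
            // comes back short, the unread tail stays zero and the caller is not told.
            // NOTE(review): callers that must tell a failed read from genuine zero bytes
            // should use the overload that takes a buffer and returns the byte count.
            int bytesRead = 0;

            byte[] buf = new byte[bytes];

            switch (Environment.OSVersion.Platform)
            {
            case PlatformID.MacOSX:
            case PlatformID.Unix:
                IntPtr ptr;
                int    ret = MacOSAPI.vm_read_wrapper(pInfo.Task, (ulong)address, (ulong)bytes, out ptr, out bytesRead);
                try
                {
                    if (ret == 0)
                    {
                        // bytesRead is reported by native code, so bound it by the managed
                        // buffer before copying instead of trusting it blindly.
                        int count = bytesRead;
                        if (count > buf.Length)
                        {
                            count = buf.Length;
                        }
                        if (count > 0)
                        {
                            Marshal.Copy(ptr, buf, 0, count);
                        }
                    }
                }
                finally
                {
                    // Release the native memory even if the copy throws, so a bad read
                    // cannot leak it.
                    if (ret == 0)
                    {
                        MacOSAPI.vm_deallocate_wrapper(pInfo.Task, (ulong)ptr, (ulong)bytesRead);
                    }
                    // NOTE(review): free_wrapper receives the pointer that was just handed to
                    // vm_deallocate_wrapper, and it also runs when the read failed. The
                    // buffer-taking overload never calls it. Confirm against the native
                    // wrapper which release is the right one.
                    MacOSAPI.free_wrapper(ptr);
                }
                break;

            default:
                // NOTE(review): the (int) casts cannot carry a handle or address that needs
                // more than 32 bits, so on a 64-bit process this path misbehaves for high
                // addresses. The call's result is also ignored, so a denied or partial read
                // looks the same as a successful one.
                Win32API.ReadProcessMemory((int)pInfo.rsProcessHandle, (int)address, buf, bytes, ref bytesRead);
                break;
            }
            return buf;
        }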
Пример #2
        /// <summary>
        /// get all memory regions of a process
        /// </summary>
        /// <param name="pInfo"></param>
        /// <param name="begin"></param>
        /// <param name="end"></param>
        /// <returns></returns>
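        public static List <MacOSAPI.Region> GetAllRegionsMacOS(ProcessInfo pInfo, ulong begin, ulong end)
        {
            // Walks the target task's regions upward from address 0 and collects those that
            // overlap [begin, end) and have the write bit (0x02) set in their protection.
            // The walk ends when the wrapper returns a non-zero status, or when the cursor
            // can no longer advance.
            List <MacOSAPI.Region> Regions = new List <MacOSAPI.Region>();
            ulong address = 0;

            while (true)
            {
                ulong size       = 0;
                int   protection = 0;
                // NOTE(review): address is declared `out` here, yet the loop depends on the
                // wrapper seeing the cursor value written below. Confirm the P/Invoke
                // signature really passes it in and out (`ref`).
                int   ret        = MacOSAPI.mach_vm_region_wrapper(pInfo.Task, out address, out size, out protection);
                if (ret != 0)
                {
                    break;
                }

                MacOSAPI.Region reg = new MacOSAPI.Region()
                {
                    Address    = address,
                    Size       = size,
                    Protection = protection
                };

                // address + size can wrap for a region at the very top of the address space.
                // A wrapped end still lies above every possible `begin`, so treat it that way.
                ulong regionEnd = unchecked(address + size);
                bool  wrapped   = regionEnd < address;

                if (reg.Address < end && (wrapped || regionEnd > begin) && ((reg.Protection & 0x02) == 2)) /* writable protection */
                {
                    Regions.Add(reg);
                }

                // A zero-sized or wrapping region would leave the cursor stuck or send it back
                // to low addresses, so the loop would never end and the list would grow
                // without bound. Stop instead.
                if (size == 0 || wrapped)
                {
                    break;
                }
                address = regionEnd;
            }
            return Regions;
        }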
Пример #3
        public static ulong ScanMemChar(ProcessInfo pInfo, IntPtr ptr, int bytesRead, ulong dataIndex, byte[] b1, byte[] b2, int region)
        {
            // Forwards to the native scan_mem_char with the two byte patterns and their
            // lengths, and returns whatever the native call returns.
            // NOTE(review): nothing is validated before crossing into native code. A null
            // b1/b2 fails on .Length, and a negative bytesRead turns into a very large
            // unsigned length after the cast (in an unchecked context). How the native
            // side bounds its scan is not visible here.
            var   task   = pInfo.Task;
            ulong start  = (ulong)ptr;
            ulong length = (ulong)bytesRead;

            return MacOSAPI.scan_mem_char(task, start, length,
                                          dataIndex, b1, b1.Length, b2, b2.Length, region);
        }
Пример #4
        /// <summary>
        /// get user_tag associated with a memory region
        /// </summary>
        /// <param name="pInfo"></param>
        /// <param name="Address"></param>
        /// <param name="size"></param>
        /// <returns></returns>
        public static UInt32 GetUserTag(ProcessInfo pInfo, ulong Address, ulong size)
        {
            // Asks the native wrapper for the user_tag of a region and returns it.
            // Address and size are by-value parameters used as `out` targets, so whatever
            // the wrapper writes into them is discarded when the method returns.
            // NOTE(review): the wrapper's status code is dropped, so a failed lookup returns
            // whatever is left in the tag (0 unless the wrapper wrote to it). Callers cannot
            // tell "tag is 0" from "lookup failed".
            UInt32 tag = 0;

            MacOSAPI.mach_vm_region_recurse_wrapper(pInfo.Task, out Address, out size, out tag);
            return tag;
        }
Пример #5
        /// <summary>
        /// Read a number of bytes from a process's memory into the given byte array buffer
        /// </summary>
        /// <param name="pInfo"></param>
        /// <param name="address"></param>
        /// <param name="bytes"></param>
        /// <returns>bytes read</returns>
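        public static int ReadBytesFromMemory(ProcessInfo pInfo, IntPtr address, int bytes, ref byte[] buffer)
        {
            // Reads up to `bytes` bytes at `address` in the target process into the caller's
            // buffer and returns the byte count reported by the platform call (0 if nothing
            // was reported).
            //
            // The buffer is handed to native code together with `bytes` as its size, so the
            // request must fit in the buffer. Otherwise the Windows path would let the native
            // read write past the end of the managed array.
            if (buffer == null)
            {
                throw new ArgumentNullException("buffer");
            }
            if (bytes < 0 || bytes > buffer.Length)
            {
                throw new ArgumentOutOfRangeException("bytes");
            }

            int bytesRead = 0;

            switch (Environment.OSVersion.Platform)
            {
            case PlatformID.MacOSX:
            case PlatformID.Unix:
                IntPtr ptr;
                int    ret = MacOSAPI.vm_read_wrapper(pInfo.Task, (ulong)address, (ulong)bytes, out ptr, out bytesRead);
                if (ret == 0)
                {
                    try
                    {
                        // bytesRead is reported by native code, so bound it by the managed
                        // buffer before copying.
                        int count = bytesRead;
                        if (count > buffer.Length)
                        {
                            count = buffer.Length;
                        }
                        if (count > 0)
                        {
                            Marshal.Copy(ptr, buffer, 0, count);
                        }
                    }
                    finally
                    {
                        // Release the native memory even if the copy throws.
                        MacOSAPI.vm_deallocate_wrapper(pInfo.Task, (ulong)ptr, (ulong)bytesRead);
                    }
                }
                // NOTE(review): the array-returning overload also calls
                // MacOSAPI.free_wrapper(ptr) at this point. Confirm against the native
                // wrapper which of the two is correct.
                break;

            default:
                // NOTE(review): the (int) casts cannot carry a handle or address that needs
                // more than 32 bits, and the call's result is ignored. Only bytesRead tells
                // the caller how much arrived.
                Win32API.ReadProcessMemory((int)pInfo.rsProcessHandle, (int)address, buffer, bytes, ref bytesRead);
                break;
            }
            return bytesRead;
        }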
Пример #6
 /* Scan the memory pointed to by ptr for the magic int */
 public static ulong ScanMem(ProcessInfo pInfo, IntPtr ptr, int bytesRead, ulong dataIndex, int magic)
 {
     // Forwards to the native scan_mem and returns its result unchanged.
     // NOTE(review): bytesRead is cast to an unsigned length without a sign check, so a
     // negative value becomes a very large length in an unchecked context. How the native
     // side bounds its scan is not visible here.
     var   task   = pInfo.Task;
     ulong start  = (ulong)ptr;
     ulong length = (ulong)bytesRead;

     return MacOSAPI.scan_mem(task, start, length, dataIndex, magic);
 }