/// <summary>
/// Creates a snapshot from modules in the selected process.
/// </summary>
/// <returns>The created snapshot.</returns>
private static Snapshot CreateSnapshotFromHeaps(Process process)
{
// TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.
Snapshot snapshot = SnapshotQuery.CreateSnapshotFromUsermodeMemory(process);
IEnumerable <NormalizedModule> modules = MemoryQueryer.Instance.GetModules(process);
MemoryProtectionEnum requiredPageFlags = 0;
MemoryProtectionEnum excludedPageFlags = 0;
MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;
UInt64 startAddress = 0;
UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
foreach (NormalizedRegion virtualPage in virtualPages)
{
if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
{
continue;
}
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Returns the memory regions associated with the current snapshot. If none exist, a query will be done. Will not read any memory.
/// </summary>
/// <returns>The current active snapshot of memory in the target process.</returns>
public Snapshot GetActiveSnapshotCreateIfNone(Process process)
{
lock (this.AccessLock)
{
if (this.Snapshots.Count == 0 || this.Snapshots.Peek() == null || this.Snapshots.Peek().ElementCount == 0)
{
Snapshot snapshot = SnapshotQuery.GetSnapshot(process, SnapshotQuery.SnapshotRetrievalMode.FromSettings);
snapshot.Align(ScanSettings.Alignment);
return(snapshot);
}
// Return the snapshot
return(this.Snapshots.Peek());
}
}
/// <summary>
/// Creates a new snapshot of memory in the target process. Will not read any memory.
/// </summary>
/// <returns>The snapshot of memory taken in the target process.</returns>
private static Snapshot CreateSnapshotFromSettings(Process process)
{
MemoryProtectionEnum requiredPageFlags = SnapshotQuery.GetRequiredProtectionSettings();
MemoryProtectionEnum excludedPageFlags = SnapshotQuery.GetExcludedProtectionSettings();
MemoryTypeEnum allowedTypeFlags = SnapshotQuery.GetAllowedTypeSettings();
UInt64 startAddress;
UInt64 endAddress;
if (ScanSettings.IsUserMode)
{
startAddress = 0;
endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);
}
else
{
startAddress = ScanSettings.StartAddress;
endAddress = ScanSettings.EndAddress;
}
List <ReadGroup> memoryRegions = new List <ReadGroup>();
IEnumerable <NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
process,
requiredPageFlags,
excludedPageFlags,
allowedTypeFlags,
startAddress,
endAddress);
// Convert each virtual page to a snapshot region
foreach (NormalizedRegion virtualPage in virtualPages)
{
virtualPage.Align(ScanSettings.Alignment);
memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
}
return(new Snapshot(null, memoryRegions));
}
/// <summary>
/// Gets a snapshot based on the provided mode. Will not read any memory.
/// </summary>
/// <param name="snapshotCreationMode">The method of snapshot retrieval.</param>
/// <returns>The collected snapshot.</returns>
public static Snapshot GetSnapshot(Process process, SnapshotRetrievalMode snapshotCreationMode)
{
switch (snapshotCreationMode)
{
case SnapshotRetrievalMode.FromSettings:
return(SnapshotQuery.CreateSnapshotFromSettings(process));
case SnapshotRetrievalMode.FromUserModeMemory:
return(SnapshotQuery.CreateSnapshotFromUsermodeMemory(process));
case SnapshotRetrievalMode.FromModules:
return(SnapshotQuery.CreateSnapshotFromModules(process));
case SnapshotRetrievalMode.FromHeaps:
return(SnapshotQuery.CreateSnapshotFromHeaps(process));
case SnapshotRetrievalMode.FromStack:
throw new NotImplementedException();
default:
Logger.Log(LogLevel.Error, "Unknown snapshot retrieval mode");
return(null);
}
}