/// <summary>
/// Reads <paramref name="bytes"/> bytes from another process's address space into a newly allocated array.
/// </summary>
/// <param name="pInfo">Target process. <c>Task</c> is used on the macOS/Unix path, <c>rsProcessHandle</c> on every other platform.</param>
/// <param name="address">Start address inside the target process.</param>
/// <param name="bytes">Number of bytes requested; also the length of the returned array.</param>
/// <returns>
/// The buffer itself, not a byte count. It is always <paramref name="bytes"/> long and stays zero-filled
/// wherever nothing was copied, so a failed or short read cannot be told apart from memory that really contains zeros.
/// </returns>
public static byte[] ReadBytesFromMemory(ProcessInfo pInfo, IntPtr address, int bytes)
{
    byte[] result = new byte[bytes];
    int copied = 0;
    PlatformID platform = Environment.OSVersion.Platform;

    if (platform == PlatformID.MacOSX || platform == PlatformID.Unix)
    {
        IntPtr mapped;
        int status = MacOSAPI.vm_read_wrapper(pInfo.Task, (ulong)address, (ulong)bytes, out mapped, out copied);
        if (status == 0)
        {
            // Copy out of the natively returned region, then hand that region back.
            // If Marshal.Copy throws (count reported by the wrapper does not fit `result`),
            // neither release call below runs.
            Marshal.Copy(mapped, result, 0, copied);
            MacOSAPI.vm_deallocate_wrapper(pInfo.Task, (ulong)mapped, (ulong)copied);
        }

        // NOTE(review): free_wrapper runs on the pointer whether or not the read succeeded, and after
        // vm_deallocate_wrapper on success. The ref-buffer overload of this method does not call it at
        // all. Confirm what free_wrapper releases and that this is not a double release.
        MacOSAPI.free_wrapper(mapped);
    }
    else
    {
        // NOTE(review): handle and address are narrowed to int and the call's result is ignored.
        // Confirm against the Win32API declaration that this is safe for 64-bit targets.
        Win32API.ReadProcessMemory((int)pInfo.rsProcessHandle, (int)address, result, bytes, ref copied);
    }

    return result;
}
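/// <summary>
/// Enumerates the memory regions of a process and returns the writable ones that overlap
/// the half-open address window [<paramref name="begin"/>, <paramref name="end"/>).
/// </summary>
/// <param name="pInfo">Target process; its <c>Task</c> is passed to the native region query.</param>
/// <param name="begin">Lower bound of the window; a region qualifies only if it ends above this address.</param>
/// <param name="end">Upper bound of the window; a region qualifies only if it starts below this address.</param>
/// <returns>Matching regions in the order the native query reports them; empty if none qualify.</returns>
public static List <MacOSAPI.Region> GetAllRegionsMacOS(ProcessInfo pInfo, ulong begin, ulong end)
{
    // Write bit of the protection mask (the original code tested the literal 0x02, "writable protection").
    const int WritableProtection = 0x02;

    List <MacOSAPI.Region> regions = new List <MacOSAPI.Region>();
    ulong address = 0;

    while (true)
    {
        ulong size = 0;
        int protection = 0;

        // NOTE(review): `address` is passed as `out`, yet the loop relies on the native side seeing the
        // value advanced below. Confirm the wrapper declaration; `ref` would state that intent.
        int ret = MacOSAPI.mach_vm_region_wrapper(pInfo.Task, out address, out size, out protection);
        if (ret != 0)
        {
            break;
        }

        // A zero-length region would never advance the cursor: the same query would repeat forever
        // and the list could grow without bound.
        if (size == 0)
        {
            break;
        }

        // Saturate instead of wrapping so a region that reaches the top of the address space
        // is neither mis-filtered nor allowed to restart the walk at a low address.
        bool wraps = size > ulong.MaxValue - address;
        ulong regionEnd = wraps ? ulong.MaxValue : address + size;

        if (address < end && regionEnd > begin && (protection & WritableProtection) == WritableProtection)
        {
            regions.Add(new MacOSAPI.Region()
            {
                Address    = address,
                Size       = size,
                Protection = protection
            });
        }

        if (wraps)
        {
            break;
        }

        address = regionEnd;
    }

    return regions;
}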
/// <summary>
/// Forwards a byte-pattern scan to the native <c>scan_mem_char</c> routine.
/// </summary>
/// <param name="pInfo">Target process; its <c>Task</c> is passed through.</param>
/// <param name="ptr">Start of the memory to scan, passed to the native side as an unsigned 64-bit address.</param>
/// <param name="bytesRead">Length of the memory to scan. It is not validated here; presumably the caller guarantees the range is readable (verify at call sites).</param>
/// <param name="dataIndex">Passed through unchanged; meaning is defined by the native routine.</param>
/// <param name="b1">First byte pattern. Must be non-null, because its length is read before the call.</param>
/// <param name="b2">Second byte pattern. Must be non-null, because its length is read before the call.</param>
/// <param name="region">Passed through unchanged; meaning is defined by the native routine.</param>
/// <returns>Whatever <c>scan_mem_char</c> returns.</returns>
public static ulong ScanMemChar(ProcessInfo pInfo, IntPtr ptr, int bytesRead, ulong dataIndex, byte[] b1, byte[] b2, int region)
{
    return MacOSAPI.scan_mem_char(
        pInfo.Task,
        (ulong)ptr,
        (ulong)bytesRead,
        dataIndex,
        b1, b1.Length,
        b2, b2.Length,
        region);
}
/// <summary>
/// Queries the user_tag that the native region lookup reports for a memory region.
/// </summary>
/// <param name="pInfo">Target process; its <c>Task</c> is passed to the native call.</param>
/// <param name="Address">Region address. Passed by value here and as <c>out</c> to the wrapper, so the caller's variable is never updated.</param>
/// <param name="size">Region size. Passed by value here and as <c>out</c> to the wrapper, so the caller's variable is never updated.</param>
/// <returns>
/// The tag written by the native call. The call's status code is ignored, so a failed lookup
/// cannot be told apart from a region whose tag is whatever value the wrapper leaves behind.
/// </returns>
public static UInt32 GetUserTag(ProcessInfo pInfo, ulong Address, ulong size)
{
    uint tag;

    // NOTE(review): the status code is discarded, and Address/size go in as `out`, so whether the
    // native side sees the incoming values depends on the wrapper declaration. Confirm.
    MacOSAPI.mach_vm_region_recurse_wrapper(pInfo.Task, out Address, out size, out tag);

    return tag;
}
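/// <summary>
/// Reads <paramref name="bytes"/> bytes from another process's address space into a caller-supplied buffer.
/// </summary>
/// <param name="pInfo">Target process. <c>Task</c> is used on the macOS/Unix path, <c>rsProcessHandle</c> on every other platform.</param>
/// <param name="address">Start address inside the target process.</param>
/// <param name="bytes">Number of bytes requested. Must be non-negative and no larger than <paramref name="buffer"/>.</param>
/// <param name="buffer">Destination array, filled from index 0. It is never reassigned, although it is passed by <c>ref</c>.</param>
/// <returns>The byte count reported by the platform read call.</returns>
/// <exception cref="ArgumentNullException"><paramref name="buffer"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="bytes"/> is negative.</exception>
/// <exception cref="ArgumentException"><paramref name="buffer"/> is shorter than <paramref name="bytes"/>.</exception>
public static int ReadBytesFromMemory(ProcessInfo pInfo, IntPtr address, int bytes, ref byte[] buffer)
{
    // Reject sizes that do not fit the destination before any native call is made. Without this check
    // the non-Unix path hands native code a length larger than the managed array, and the Unix path
    // fails inside Marshal.Copy after the native region has been obtained, skipping its release.
    if (buffer == null)
    {
        throw new ArgumentNullException("buffer");
    }
    if (bytes < 0)
    {
        throw new ArgumentOutOfRangeException("bytes", "Requested byte count must not be negative.");
    }
    if (buffer.Length < bytes)
    {
        throw new ArgumentException("Destination buffer is smaller than the requested byte count.", "buffer");
    }

    int bytesRead = 0;

    switch (Environment.OSVersion.Platform)
    {
        case PlatformID.MacOSX:
        case PlatformID.Unix:
            IntPtr ptr;
            int ret = MacOSAPI.vm_read_wrapper(pInfo.Task, (ulong)address, (ulong)bytes, out ptr, out bytesRead);
            if (ret == 0)
            {
                Marshal.Copy(ptr, buffer, 0, bytesRead);
                MacOSAPI.vm_deallocate_wrapper(pInfo.Task, (ulong)ptr, (ulong)bytesRead);
            }
            // NOTE(review): the byte[]-returning overload also calls MacOSAPI.free_wrapper(ptr) at this
            // point; this one does not. Confirm which of the two is correct before aligning them.
            break;

        default:
            // NOTE(review): handle and address are narrowed to int and the call's result is ignored.
            // Confirm against the Win32API declaration that this is safe for 64-bit targets.
            Win32API.ReadProcessMemory((int)pInfo.rsProcessHandle, (int)address, buffer, bytes, ref bytesRead);
            break;
    }

    return bytesRead;
}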
/// <summary>
/// Scans the memory pointed to by <paramref name="ptr"/> for the magic int by forwarding to the native <c>scan_mem</c> routine.
/// </summary>
/// <param name="pInfo">Target process; its <c>Task</c> is passed through.</param>
/// <param name="ptr">Start of the memory to scan, passed to the native side as an unsigned 64-bit address.</param>
/// <param name="bytesRead">Length of the memory to scan. It is not validated here; presumably the caller guarantees the range is readable (verify at call sites).</param>
/// <param name="dataIndex">Passed through unchanged; meaning is defined by the native routine.</param>
/// <param name="magic">The integer value to look for.</param>
/// <returns>Whatever <c>scan_mem</c> returns.</returns>
public static ulong ScanMem(ProcessInfo pInfo, IntPtr ptr, int bytesRead, ulong dataIndex, int magic)
{
    ulong start  = (ulong)ptr;
    ulong length = (ulong)bytesRead;
    ulong found  = MacOSAPI.scan_mem(pInfo.Task, start, length, dataIndex, magic);
    return found;
}