/// <summary>
/// Performs a pointer scan for a given address.
/// </summary>
/// <param name="address">The address for which to perform a pointer scan.</param>
/// <param name="maxOffset">The maximum pointer offset.</param>
/// <param name="depth">The maximum pointer search depth.</param>
/// <param name="alignment">The pointer scan alignment.</param>
/// <param name="taskIdentifier">The unique identifier to prevent duplicate tasks.</param>
/// <returns>Atrackable task that returns the scan results.</returns>
public static TrackableTask <PointerBag> Scan(UInt64 newAddress, Int32 alignment, PointerBag oldPointerBag, String taskIdentifier = null)
{
try
{
return(TrackableTask <PointerBag>
.Create(PointerRetargetScan.Name, taskIdentifier, out UpdateProgress updateProgress, out CancellationToken cancellationToken)
.With(Task <PointerBag> .Run(() =>
{
try
{
cancellationToken.ThrowIfCancellationRequested();
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
// Step 1) Create a snapshot of the new target address
Snapshot targetAddress = new Snapshot(new SnapshotRegion[] { new SnapshotRegion(new ReadGroup(newAddress, oldPointerBag.PointerSize.ToSize(), oldPointerBag.PointerSize.ToDataType(), alignment), 0, oldPointerBag.PointerSize.ToSize()) });
// Step 2) Collect heap pointers
Snapshot heapPointers = SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromHeaps, oldPointerBag.PointerSize.ToDataType());
TrackableTask <Snapshot> heapValueCollector = ValueCollector.CollectValues(heapPointers);
heapPointers = heapValueCollector.Result;
// Step 3) Rebuild levels
IList <Level> levels = new List <Level>();
if (oldPointerBag.Depth > 0)
{
// Create 1st level with target address and previous static pointers
levels.Add(new Level(targetAddress, oldPointerBag.Levels.First().StaticPointers));
// Copy over all old static pointers, and replace the heaps with a full heap
foreach (Level level in oldPointerBag.Levels.Skip(1))
{
levels.Add(new Level(heapPointers, level.StaticPointers));
}
}
// Exit if canceled
cancellationToken.ThrowIfCancellationRequested();
// Step 4) Perform a rebase from the old static addresses onto the new heaps
PointerBag newPointerBag = new PointerBag(levels, oldPointerBag.MaxOffset, oldPointerBag.PointerSize);
TrackableTask <PointerBag> pointerRebaseTask = PointerRebase.Scan(newPointerBag, readMemory: true, performUnchangedScan: true);
PointerBag rebasedPointerBag = pointerRebaseTask.Result;
stopwatch.Stop();
Logger.Log(LogLevel.Info, "Pointer retarget complete in: " + stopwatch.Elapsed);
return rebasedPointerBag;
}
catch (OperationCanceledException ex)
{
Logger.Log(LogLevel.Warn, "Pointer retarget canceled", ex);
}
catch (Exception ex)
{
Logger.Log(LogLevel.Error, "Error performing pointer retarget", ex);
}
return null;
}, cancellationToken)));
}
catch (TaskConflictException ex)
{
Logger.Log(LogLevel.Warn, "A pointer scan is already scheduled.");
throw ex;
}
}
/// <summary>
/// Performs a pointer scan for a given address.
/// </summary>
/// <param name="address">The address for which to perform a pointer scan.</param>
/// <param name="maxOffset">The maximum pointer offset.</param>
/// <param name="depth">The maximum pointer search depth.</param>
/// <param name="alignment">The pointer scan alignment.</param>
/// <returns>Atrackable task that returns the scan results.</returns>
public static TrackableTask <PointerBag> Scan(UInt64 address, UInt32 maxOffset, Int32 depth, Int32 alignment)
{
TrackableTask <PointerBag> pointerScanTask = TrackableTask <PointerBag> .Create(PointerScan.Name, out UpdateProgress updateProgress, out CancellationToken cancellationToken);
return(pointerScanTask.With(Task.Factory.StartNew <PointerBag>(() =>
{
try
{
cancellationToken.ThrowIfCancellationRequested();
PointerSize pointerSize = Processes.Default.IsOpenedProcess32Bit() ? PointerSize.Byte4 : PointerSize.Byte8;
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
// Step 1) Create a snapshot of the target address
Snapshot targetAddress = new Snapshot(new SnapshotRegion[] { new SnapshotRegion(new ReadGroup(address, pointerSize.ToSize(), pointerSize.ToDataType(), alignment), 0, pointerSize.ToSize()) });
// Step 2) Collect static pointers
Snapshot staticPointers = SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromModules, pointerSize.ToDataType());
TrackableTask <Snapshot> valueCollector = ValueCollector.CollectValues(staticPointers);
staticPointers = valueCollector.Result;
// Step 3) Collect heap pointers
Snapshot heapPointers = SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromHeaps, pointerSize.ToDataType());
TrackableTask <Snapshot> heapValueCollector = ValueCollector.CollectValues(heapPointers);
heapPointers = heapValueCollector.Result;
// Step 3) Build levels
IList <Level> levels = new List <Level>();
if (depth > 0)
{
// Create 1st level with target address and static pointers
levels.Add(new Level(targetAddress, staticPointers));
// Initialize each level with all static addresses and all heap addresses
for (Int32 index = 0; index < depth - 1; index++)
{
levels.Add(new Level(heapPointers, staticPointers));
}
}
// Exit if canceled
cancellationToken.ThrowIfCancellationRequested();
// Step 4) Rebase to filter out unwanted pointers
PointerBag newPointerBag = new PointerBag(levels, maxOffset, pointerSize);
TrackableTask <PointerBag> pointerRebaseTask = PointerRebase.Scan(newPointerBag, readMemory: false, performUnchangedScan: false);
PointerBag rebasedPointerBag = pointerRebaseTask.Result;
// Exit if canceled
cancellationToken.ThrowIfCancellationRequested();
stopwatch.Stop();
Logger.Log(LogLevel.Info, "Pointer scan complete in: " + stopwatch.Elapsed);
return rebasedPointerBag;
}
catch (OperationCanceledException ex)
{
Logger.Log(LogLevel.Warn, "Pointer scan canceled", ex);
}
catch (Exception ex)
{
Logger.Log(LogLevel.Error, "Error performing pointer scan", ex);
}
return null;
}, cancellationToken)));
}
/// <summary>
/// Performs a pointer scan for a given address.
/// </summary>
/// <param name="address">The address for which to perform a pointer scan.</param>
/// <param name="maxOffset">The maximum pointer offset.</param>
/// <param name="depth">The maximum pointer search depth.</param>
/// <param name="alignment">The pointer scan alignment.</param>
/// <param name="taskIdentifier">The unique identifier to prevent duplicate tasks.</param>
/// <returns>Atrackable task that returns the scan results.</returns>
public static TrackableTask <PointerBag> Scan(Process process, UInt64 address, UInt32 maxOffset, Int32 depth, Int32 alignment, PointerSize pointerSize, String taskIdentifier = null)
{
try
{
return(TrackableTask <PointerBag>
.Create(PointerScan.Name, taskIdentifier, out UpdateProgress updateProgress, out CancellationToken cancellationToken)
.With(Task <PointerBag> .Run(() =>
{
try
{
cancellationToken.ThrowIfCancellationRequested();
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
// Step 1) Create a snapshot of the target address
Snapshot targetAddress = new Snapshot(new SnapshotRegion[] { new SnapshotRegion(new ReadGroup(address, pointerSize.ToSize()), 0, pointerSize.ToSize()) });
// Step 2) Collect static pointers
Snapshot staticPointers = SnapshotQuery.GetSnapshot(process, SnapshotQuery.SnapshotRetrievalMode.FromModules);
TrackableTask <Snapshot> valueCollector = ValueCollector.CollectValues(process, staticPointers);
staticPointers = valueCollector.Result;
// Step 3) Collect heap pointers
Snapshot heapPointers = SnapshotQuery.GetSnapshot(process, SnapshotQuery.SnapshotRetrievalMode.FromHeaps);
TrackableTask <Snapshot> heapValueCollector = ValueCollector.CollectValues(process, heapPointers);
heapPointers = heapValueCollector.Result;
// Step 4) Build levels
IList <Level> levels = new List <Level>();
if (depth > 0)
{
// Create 1st level with target address and static pointers
levels.Add(new Level(targetAddress, staticPointers));
// Initialize each level with all static addresses and all heap addresses
for (Int32 index = 0; index < depth - 1; index++)
{
levels.Add(new Level(heapPointers, staticPointers));
}
}
// Exit if canceled
cancellationToken.ThrowIfCancellationRequested();
// Step 4) Rebase to filter out unwanted pointers
PointerBag newPointerBag = new PointerBag(levels, maxOffset, pointerSize);
TrackableTask <PointerBag> pointerRebaseTask = PointerRebase.Scan(process, newPointerBag, readMemory: false, performUnchangedScan: false);
PointerBag rebasedPointerBag = pointerRebaseTask.Result;
// Exit if canceled
cancellationToken.ThrowIfCancellationRequested();
stopwatch.Stop();
Logger.Log(LogLevel.Info, "Pointer scan complete in: " + stopwatch.Elapsed);
return rebasedPointerBag;
}
catch (OperationCanceledException ex)
{
Logger.Log(LogLevel.Warn, "Pointer scan canceled", ex);
}
catch (Exception ex)
{
Logger.Log(LogLevel.Error, "Error performing pointer scan", ex);
}
return null;
}, cancellationToken)));
}
catch (TaskConflictException ex)
{
Logger.Log(LogLevel.Warn, "A pointer scan is already scheduled.");
throw ex;
}
}