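/// <summary>
/// Creates a snapshot that approximates the heaps of the selected process: every usermode
/// page of type private or image, minus any page that starts at a loaded module's base address.
/// Only region addresses and sizes are recorded here.
/// </summary>
/// <param name="process">The process whose virtual pages and modules are queried.</param>
/// <returns>The created snapshot.</returns>
private static Snapshot CreateSnapshotFromHeaps(Process process)
{
    // TODO: This currently grabs all usermode memory and excludes modules. A better implementation would involve actually grabbing heaps.

    // Materialize the module list once: the lookup below runs for every virtual page, and
    // re-enumerating the query result each time would repeat whatever work GetModules does.
    List<NormalizedModule> modules =
        (MemoryQueryer.Instance.GetModules(process) ?? Enumerable.Empty<NormalizedModule>()).ToList();

    // No protection flags are required or excluded; only the memory type is filtered.
    MemoryProtectionEnum requiredPageFlags = 0;
    MemoryProtectionEnum excludedPageFlags = 0;
    MemoryTypeEnum allowedTypeFlags = MemoryTypeEnum.None | MemoryTypeEnum.Private | MemoryTypeEnum.Image;

    // Cover the whole usermode range reported for this process.
    UInt64 startAddress = 0;
    UInt64 endAddress = MemoryQueryer.Instance.GetMaxUsermodeAddress(process);

    IEnumerable<NormalizedRegion> virtualPages = MemoryQueryer.Instance.GetVirtualPages(
        process,
        requiredPageFlags,
        excludedPageFlags,
        allowedTypeFlags,
        startAddress,
        endAddress);

    List<ReadGroup> memoryRegions = new List<ReadGroup>();

    foreach (NormalizedRegion virtualPage in virtualPages)
    {
        // NOTE(review): only a page whose base equals a module base is skipped. Pages that lie
        // inside a module but start at a different address are still included -- confirm intended.
        if (modules.Any(x => x.BaseAddress == virtualPage.BaseAddress))
        {
            continue;
        }

        // Alignment is applied after the module check, so the check sees the unaligned base.
        virtualPage.Align(ScanSettings.Alignment);
        memoryRegions.Add(new ReadGroup(virtualPage.BaseAddress, virtualPage.RegionSize));
    }

    return new Snapshot(null, memoryRegions);
}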
/// <summary>
/// Builds a snapshot for the given process using the requested retrieval mode.
/// Will not read any memory.
/// </summary>
/// <param name="process">The process the snapshot is created for.</param>
/// <param name="snapshotCreationMode">The method of snapshot retrieval.</param>
/// <returns>
/// The collected snapshot, or <c>null</c> when the mode is not recognized (an error is logged
/// in that case, so callers must handle a null result).
/// </returns>
/// <exception cref="NotImplementedException">
/// Thrown for <see cref="SnapshotRetrievalMode.FromStack"/>, which has no implementation.
/// </exception>
public static Snapshot GetSnapshot(Process process, SnapshotRetrievalMode snapshotCreationMode)
{
    if (snapshotCreationMode == SnapshotRetrievalMode.FromSettings)
    {
        return SnapshotQuery.CreateSnapshotFromSettings(process);
    }

    if (snapshotCreationMode == SnapshotRetrievalMode.FromUserModeMemory)
    {
        return SnapshotQuery.CreateSnapshotFromUsermodeMemory(process);
    }

    if (snapshotCreationMode == SnapshotRetrievalMode.FromModules)
    {
        return SnapshotQuery.CreateSnapshotFromModules(process);
    }

    if (snapshotCreationMode == SnapshotRetrievalMode.FromHeaps)
    {
        return SnapshotQuery.CreateSnapshotFromHeaps(process);
    }

    if (snapshotCreationMode == SnapshotRetrievalMode.FromStack)
    {
        // Stack-based retrieval is declared in the enum but not implemented.
        throw new NotImplementedException();
    }

    // Any other value is reported and signalled to the caller with a null snapshot.
    Logger.Log(LogLevel.Error, "Unknown snapshot retrieval mode");
    return null;
}