|
|
|
@ -291,29 +291,44 @@ bool NormalProcess::getThreadIDs(vector<uint32_t> & threads )
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//FIXME: use VirtualQuery to probe for memory ranges, cross-reference with base-corrected PE segment entries
|
|
|
|
typedef struct _MEMORY_BASIC_INFORMATION
|
|
|
|
void NormalProcess::getMemRanges( vector<t_memrange> & ranges )
|
|
|
|
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// code here is taken from hexsearch by Silas Dunmore.
|
|
|
|
void * BaseAddress;
|
|
|
|
// As this IMHO isn't a 'sunstantial portion' of anything, I'm not including the MIT license here
|
|
|
|
void * AllocationBase;
|
|
|
|
|
|
|
|
uint32_t AllocationProtect;
|
|
|
|
|
|
|
|
size_t RegionSize;
|
|
|
|
|
|
|
|
uint32_t State;
|
|
|
|
|
|
|
|
uint32_t Protect;
|
|
|
|
|
|
|
|
uint32_t Type;
|
|
|
|
|
|
|
|
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
|
|
|
|
|
|
|
|
|
|
|
|
//FIXME: USE THIS!
|
|
|
|
|
|
|
|
/*
|
|
|
|
// FIXME: NEEDS TESTING!
|
|
|
|
while VirtualQuery(process, info, sizeOf(info)) == sizeOf(info)
|
|
|
|
void NormalProcess::getMemRanges( vector<t_memrange> & ranges )
|
|
|
|
{
|
|
|
|
{
|
|
|
|
}
|
|
|
|
MEMORY_BASIC_INFORMATION MBI;
|
|
|
|
*/
|
|
|
|
const uint64_t PageSize = 4096;
|
|
|
|
|
|
|
|
uint64_t page = 0;
|
|
|
|
|
|
|
|
while (VirtualQuery(this->d->my_handle, page * PageSize, sizeof(MBI)) == sizeof(MBI))
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
page = MBI.RegionSize / PageSize;
|
|
|
|
|
|
|
|
if(MBI.RegionSize - MBI.RegionSize / PageSize != 0)
|
|
|
|
|
|
|
|
page ++; // skip over non-whole page
|
|
|
|
|
|
|
|
if( !(MBI.Protect & MEM_COMMIT) ) // skip empty regions
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
t_memrange temp;
|
|
|
|
t_memrange temp;
|
|
|
|
uint32_t base = d->my_descriptor->getBase();
|
|
|
|
temp.start = MBI.BaseAddress;
|
|
|
|
temp.start = base + 0x1000; // more fakery.
|
|
|
|
temp.end = MBI.BaseAddress + MBI.RegionSize;
|
|
|
|
temp.end = base + readDWord(base+readDWord(base+0x3C)+0x50)-1; // yay for magic.
|
|
|
|
temp.read = MBI.Protect & PAGE_EXECUTE_READ | MBI.Protect & PAGE_EXECUTE_READWRITE | MBI.Protect & PAGE_READONLY | MBI.Protect & PAGE_READWRITE;
|
|
|
|
temp.read = 1;
|
|
|
|
temp.write = MBI.Protect & PAGE_EXECUTE_READWRITE | MBI.Protect & PAGE_READWRITE;
|
|
|
|
temp.write = 1;
|
|
|
|
temp.execute = MBI.Protect & PAGE_EXECUTE_READ | MBI.Protect & PAGE_EXECUTE_READWRITE | MBI.Protect & PAGE_EXECUTE;
|
|
|
|
temp.execute = 0; // fake
|
|
|
|
temp.name = "N/A"; // FIXME: pull some relevant names from somewhere...
|
|
|
|
strcpy(temp.name,"pants");// that's right. I'm calling it pants. Windows can go to HELL
|
|
|
|
|
|
|
|
ranges.push_back(temp);
|
|
|
|
ranges.push_back(temp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
uint8_t NormalProcess::readByte (const uint32_t offset)
|
|
|
|
uint8_t NormalProcess::readByte (const uint32_t offset)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
uint8_t result;
|
|
|
|
uint8_t result;
|
|
|
|
|
Petr Mrázek