ProcessReader.cs
using System.Collections.Generic;
namespace BeaconEye {
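/// <summary>
/// Bitness-aware view of a target process: implementations supply raw memory
/// reads and region queries, and this base class derives pointer reads and a
/// list of heap/segment base addresses from the target's PEB.
/// </summary>
/// <remarks>
/// Everything read here comes from the scanned process's memory, which is
/// untrusted: counts and link pointers may be malformed, so the heap walk is
/// bounded and does not assume the segment list is well-formed.
/// </remarks>
public abstract class ProcessReader {
    /// <summary>
    /// 32-bit value compared against heap base + 0x10 in <see cref="IsSegmentHeap"/>.
    /// NOTE(review): this value looks like the classic NT heap segment signature rather
    /// than the Windows 10 Segment Heap one, which would make the method name inverted
    /// (the guarded branch walks a segment list; the other branch carries the TODO) —
    /// confirm against the targeted ntdll layouts before renaming.
    /// </summary>
    private const uint SegmentHeapSignature = 0xffeeffee;

    /// <summary>
    /// Sanity bound on the number of segments followed for a single heap. The walk
    /// normally ends when the circular list returns a base address already seen;
    /// this cap stops it if the list in target memory never cycles.
    /// (Constructed bound, not derived from any Windows limit.)
    /// </summary>
    private const int MaxSegmentsPerHeap = 4096;

    /// <summary>
    /// One memory region of the target as reported by <see cref="QueryMemoryInfo"/>.
    /// </summary>
    public readonly struct MemoryInfo {
        /// <summary>Start of the region.</summary>
        public ulong BaseAddress { get; }
        /// <summary>Start of the allocation the region belongs to.</summary>
        public ulong AllocationBase { get; }
        /// <summary>Size of the region in bytes.</summary>
        public ulong RegionSize { get; }
        /// <summary>True when the region is executable.</summary>
        public bool IsExecutable { get; }
        /// <summary>True when the region cannot be accessed.</summary>
        public bool NoAccess { get; }

        public MemoryInfo(ulong baseAddress, ulong allocationBase, ulong regionSize, bool isExecutable, bool noAccess) {
            BaseAddress = baseAddress;
            AllocationBase = allocationBase;
            RegionSize = regionSize;
            IsExecutable = isExecutable;
            NoAccess = noAccess;
        }
    }

    /// <summary>Process id of the target.</summary>
    public abstract int ProcessId { get; }
    /// <summary>Address of the target's PEB in its own address space.</summary>
    public abstract ulong PebAddress { get; }
    /// <summary>Display name of the target.</summary>
    public abstract string Name { get; }
    /// <summary>True when the target is a 64-bit process (selects pointer size and PEB offsets).</summary>
    public abstract bool Is64Bit { get; }

    /// <summary>Reads a single value of type <typeparamref name="T"/> at <paramref name="address"/>.</summary>
    public abstract T ReadMemory<T>(ulong address) where T : new();
    /// <summary>Reads <paramref name="len"/> raw bytes starting at <paramref name="address"/>.</summary>
    public abstract byte[] ReadMemory(ulong address, int len);
    /// <summary>Describes the region containing <paramref name="address"/>.</summary>
    public abstract MemoryInfo QueryMemoryInfo(ulong address);
    /// <summary>Enumerates every region of the target.</summary>
    public abstract IEnumerable<MemoryInfo> QueryAllMemoryInfo();

    /// <summary>
    /// Reads a target-sized pointer at <paramref name="address"/>.
    /// </summary>
    /// <returns>The pointer value, always non-negative for 32-bit targets.</returns>
    public long ReadPointer(ulong address) {
        if (Is64Bit) {
            return ReadMemory<long>(address);
        }
        // Zero-extend the 32-bit value: a pointer at or above 0x80000000 must not
        // become a negative long, otherwise the (ulong) casts in the heap walk turn
        // it into a sign-extended address that is not mapped in the target.
        return unchecked((uint)ReadMemory<int>(address));
    }

    /// <summary>
    /// True when the 32-bit value at <paramref name="heapBase"/> + 0x10 equals
    /// <see cref="SegmentHeapSignature"/>.
    /// NOTE(review): the 0x10 offset (and the 0x18/0x30 offsets in the heap walk) are
    /// used for both bitnesses even though the PEB offsets are bitness-specific — verify
    /// the 32-bit layout.
    /// </summary>
    bool IsSegmentHeap(long heapBase) {
        return ReadMemory<uint>((ulong)heapBase + 0x10) == SegmentHeapSignature;
    }

    /// <summary>Size of a pointer in the target: 8 for 64-bit, 4 otherwise.</summary>
    int PointerSize() {
        return Is64Bit ? 8 : 4;
    }

    /// <summary>
    /// Base addresses of the target's heaps. For a heap matching
    /// <see cref="SegmentHeapSignature"/> the segment list is followed and each
    /// segment's base is returned instead of the heap itself; otherwise the heap
    /// base is returned as-is.
    /// </summary>
    /// <remarks>
    /// Reads the heap count and heap array pointer from fixed PEB offsets
    /// (0xE8/0xF0 on 64-bit, 0x88/0x90 on 32-bit). Addresses already collected
    /// are never added twice; a segment walk that fails to cycle back stops after
    /// <see cref="MaxSegmentsPerHeap"/> entries. Any read failure propagates from
    /// <see cref="ReadMemory{T}"/>.
    /// </remarks>
    public List<long> Heaps {
        get {
            ulong countOffset = Is64Bit ? 0xE8UL : 0x88UL;
            ulong arrayOffset = Is64Bit ? 0xF0UL : 0x90UL;
            int numHeaps = ReadMemory<int>(PebAddress + countOffset);
            long heapArray = ReadPointer(PebAddress + arrayOffset);

            var heaps = new List<long>();
            // Mirrors `heaps` so the segment-list termination check is O(1)
            // instead of a linear scan on every iteration.
            var seen = new HashSet<long>();
            int pointerSize = PointerSize();

            // A negative or zero count (possible from malformed target memory)
            // simply yields an empty list.
            for (int idx = 0; idx < numHeaps; ++idx) {
                long heap = ReadPointer((ulong)(heapArray + (idx * pointerSize)));

                if (!IsSegmentHeap(heap)) {
                    //TODO: Handle Windows 10 Segment Heap
                    heaps.Add(heap);
                    seen.Add(heap);
                    continue;
                }

                long listEntryForward = ReadPointer((ulong)heap + 0x18);
                long segmentBase = ReadPointer((ulong)heap + 0x30);
                int walked = 0;
                while (!seen.Contains(segmentBase)) {
                    if (walked++ >= MaxSegmentsPerHeap) {
                        // The list never returned to a known base: treat it as
                        // corrupt and move on to the next heap rather than
                        // following target-controlled links indefinitely.
                        break;
                    }
                    heaps.Add(segmentBase);
                    seen.Add(segmentBase);
                    listEntryForward = ReadPointer((ulong)listEntryForward + (ulong)pointerSize);
                    segmentBase = ReadPointer((ulong)listEntryForward + 0x30);
                }
            }
            return heaps;
        }
    }
}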
}