--- trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs 2012/05/28 08:49:42 169
+++ trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs 2012/05/31 07:13:43 198
@@ -38,7 +38,7 @@
 private Process m_ReadProcess = null;
- private IntPtr m_hProcess = IntPtr.Zero;
+ private static IntPtr m_hProcess = IntPtr.Zero;
 public void OpenProcess()
 {
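Review bot: Making `m_hProcess` static turns the opened handle into process-wide state shared by every MemoryScanner instance, so a second OpenProcess() on another instance silently redirects all existing instances' reads and writes to the new target, and the handle can no longer be released per instance. The field looks static only so the nested RamDumper introduced in the second hunk can reach it without an outer-instance reference; passing the handle into RamDumper's constructor or into its Dump* methods as an IntPtr parameter achieves the same without widening the lifetime. With that, `private IntPtr m_hProcess = IntPtr.Zero;` can stay an instance field. OpenProcess's body lies outside the hunk.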
@@ -68,128 +68,199 @@
 }
 }
+ #region WriteProcessMemoryToFile
+ public bool WriteProcessMemoryToFile(string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ {
+ RamDumper dumper = new RamDumper();
+ return dumper.DumpMemoryToFile(ReadProcess, filename, MemoryAddress, bytesToRead, out bytesRead);
+ }
+ #endregion
- public bool DumpMemory(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ #region ReadProcessMemory
+ public byte[] ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead)
 {
- logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
- bytesRead = 0;
- uint byte_alignment = 102400; // write to file in 100mb chunks
- uint address = MemoryAddress;
- uint _bytesToRead = bytesToRead;
- byte[] buffer = new byte[] { };
- try
+ RamDumper dumper = new RamDumper();
+ return dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead);
+ }
+ #endregion
+
+ #region WriteProcessMemory
+ public void WriteProcessMemory(UIntPtr MemoryAddress, byte byteToWrite, out int bytesWritten)
+ {
+ WriteProcessMemory(MemoryAddress, new byte[] { byteToWrite }, out bytesWritten);
+ }
+ public void WriteProcessMemory(UIntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
+ {
+ IntPtr ptrBytesWritten;
+ ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);
+ bytesWritten = ptrBytesWritten.ToInt32();
+ }
+ #endregion
+
+ #region RamDumper
+ private interface IRamDumper
+ {
+ bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead);
+ byte[] DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead);
+ }
+ private class RamDumper : IRamDumper
+ {
+ public RamDumper() { }
+ private void InitMemoryDump(out uint byte_alignment)
 {
- FileInfo fi = new FileInfo(filename);
- if (fi.Exists)
- fi.Delete();
- using (FileStream fs = new FileStream(filename, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.ReadWrite))
+ byte_alignment = 102400; // get memory in 100mb chunks
+ }
+ #region IRamDumper members
+ #region DumpMemoryToFile
+ public bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ {
+ logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ bytesRead = 0;
+ uint byte_alignment = 0;
+ // get common init parameters
+ InitMemoryDump(out byte_alignment);
+ uint address = MemoryAddress;
+ uint _bytesToRead = bytesToRead;
+ byte[] buffer = new byte[] { };
+ try
 {
- BinaryWriter bw = new BinaryWriter(fs);
- //foreach (byte b in data) { bw.Write(b); }
-
- for (uint i = 0; i <= bytesToRead;)
+ FileInfo fi = new FileInfo(filename);
+ if (fi.Exists)
+ fi.Delete();
+ using (FileStream fs = new FileStream(filename, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.ReadWrite))
 {
- if (_bytesToRead < byte_alignment)
- {
- _bytesToRead = bytesToRead;
- buffer = new byte[_bytesToRead];
- }
- else
- {
- _bytesToRead = byte_alignment;
- buffer = new byte[byte_alignment];
- }
- IntPtr ptrBytesRead;
- ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, _bytesToRead, out ptrBytesRead);
- bytesRead = ptrBytesRead.ToInt32();
- bw.Write(buffer);
- bw.Flush();
-
- if (_bytesToRead < byte_alignment)
- {
- i += _bytesToRead;
- address += _bytesToRead;
- }
- else
+ BinaryWriter bw = new BinaryWriter(fs);
+ //foreach (byte b in data) { bw.Write(b); }
+
+ for (uint i = 0; i <= bytesToRead; )
 {
- i += byte_alignment;
- address += byte_alignment;
- }
+ if (_bytesToRead < byte_alignment)
+ {
+ _bytesToRead = bytesToRead;
+ buffer = new byte[_bytesToRead];
+ }
+ else
+ {
+ _bytesToRead = byte_alignment;
+ buffer = new byte[byte_alignment];
+ }
+ IntPtr ptrBytesRead;
+
+ ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, _bytesToRead, out ptrBytesRead);
+ bytesRead = ptrBytesRead.ToInt32();
+ bw.Write(buffer);
+ bw.Flush();
+
+ if (_bytesToRead < byte_alignment)
+ {
+ i += _bytesToRead;
+ address += _bytesToRead;
+ }
+ else
+ {
+ i += byte_alignment;
+ address += byte_alignment;
+ }
+
-
+ }
+ bw.Close();
 }
- bw.Close();
+ logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ return true;
 }
- logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
- return true;
- }
- catch (OutOfMemoryException ex)
- {
- logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
- logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
- logger.Error.WriteLine(ex.ToString());
- }
- catch (Exception ex)
- {
- logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
- logger.Error.WriteLine("DumpMemory(): Exception");
- logger.Error.WriteLine(ex.ToString());
+ catch (OutOfMemoryException ex)
+ {
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
+ logger.Error.WriteLine(ex.ToString());
+ }
+ catch (Exception ex)
+ {
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): Exception");
+ logger.Error.WriteLine(ex.ToString());
+ }
+ return false;
 }
- return false;
- }
+ #endregion
+ #region DumpMemoryToByteArray
+ public byte[] DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ {
+ logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ bytesRead = 0;
+ uint byte_alignment = 0;
+ // get common init parameters
+ InitMemoryDump(out byte_alignment);
+ uint address = MemoryAddress;
+ uint _bytesToRead = bytesToRead;
+ byte[] buffer = new byte[] { };
+ try
+ {
+ using (MemoryStream ms = new MemoryStream())
+ {
+ BinaryWriter bw = new BinaryWriter(ms);
+ //foreach (byte b in data) { bw.Write(b); }
- public byte[] ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead)
- {
- bytesRead = 0;
- uint address = MemoryAddress;
- List<byte[]> aligned_array_list = new List<byte[]>();
- try
- {
- uint byte_alignment = 512; // 4mb alignment
-
+ for (uint i = 0; i <= bytesToRead; )
+ {
+ if (_bytesToRead < byte_alignment)
+ {
+ _bytesToRead = bytesToRead;
+ buffer = new byte[_bytesToRead];
+ }
+ else
+ {
+ _bytesToRead = byte_alignment;
+ buffer = new byte[byte_alignment];
+ }
+ IntPtr ptrBytesRead;
+
+ ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, _bytesToRead, out ptrBytesRead);
+ bytesRead = ptrBytesRead.ToInt32();
+ bw.Write(buffer);
+ bw.Flush();
+
+ if (_bytesToRead < byte_alignment)
+ {
+ i += _bytesToRead;
+ address += _bytesToRead;
+ }
+ else
+ {
+ i += byte_alignment;
+ address += byte_alignment;
+ }
- for (uint i = 0; i <= bytesToRead; i += byte_alignment)
+
+ }
+ bw.Close();
+ return ms.ToArray();
+ }
+ logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ }
+ catch (OutOfMemoryException ex)
 {
- byte[] buffer = new byte[byte_alignment];
- uint bytes_to_read = byte_alignment;
- IntPtr ptrBytesRead;
- ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, bytes_to_read, out ptrBytesRead);
- bytesRead = ptrBytesRead.ToInt32();
- aligned_array_list.Add(buffer);
- address += byte_alignment;
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
+ logger.Error.WriteLine(ex.ToString());
 }
-
- //List<byte> big_array = new List<byte>();
- //foreach (byte[] aligned_array in aligned_array_list) { foreach (byte b in aligned_array) { big_array.Add(b); } }
-
- return new byte[] { };
- }
- catch (OutOfMemoryException ex)
- {
- logger.Error.WriteLine("ReadProcessMemory(): OutOfMemoryException");
- logger.Error.WriteLine(ex.ToString());
- }
- catch (Exception ex)
- {
- logger.Error.WriteLine("ReadProcessMemory(): Exception");
- logger.Error.WriteLine(ex.ToString());
+ catch (Exception ex)
+ {
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): Exception");
+ logger.Error.WriteLine(ex.ToString());
+ }
+ return new byte[]{};
 }
- return new byte[] { };
+ #endregion
+ #endregion
 }
-
- public void WriteProcessMemory(UIntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
- {
- IntPtr ptrBytesWritten;
- ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);
-
- bytesWritten = ptrBytesWritten.ToInt32();
- }
-
-
+ #endregion
 /// <summary>
 /// ProcessMemoryReader is a class that enables direct reading a process memory
 /// </summary>
- class ProcessMemoryReaderApi
+ public class ProcessMemoryReaderApi
 {
 // constants information can be found in <winnt.h>
 [Flags]
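Review bot: The chunk loop in DumpMemoryToFile, and its copy in DumpMemoryToByteArray, miscomputes the final chunk: when the remaining size is below byte_alignment it resets `_bytesToRead = bytesToRead` to the full request instead of the remainder, and the `i <= bytesToRead` bound runs one extra iteration, so a 50000-byte request writes 100000 bytes and a 200000-byte request writes 204800, reading past the range the caller asked for. The result of ReadProcessMemory is never examined either, so an unreadable region is written out as a zero-filled buffer that is indistinguishable from real memory in the dump, and `bytesRead` reports only the last chunk's count rather than a running total. The comment `// get memory in 100mb chunks` describes 102400 bytes, which is 100 KB. In DumpMemoryToByteArray the `return ms.ToArray();` inside the using block makes the following "Succefully dumped" log line unreachable. A corrected loop for both methods follows; whether the wrapper exposes the Win32 BOOL result is not visible here, so the sketch stops on a zero-length read instead.
```csharp
// … unchanged: logging, InitMemoryDump, FileInfo / FileStream setup …
BinaryWriter bw = new BinaryWriter(fs);
for (uint i = 0; i < bytesToRead; )
{
    // last chunk is the remainder, never the full request: stay inside the requested range
    uint chunk = Math.Min(byte_alignment, bytesToRead - i);
    buffer = new byte[chunk];
    IntPtr ptrBytesRead;
    ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, chunk, out ptrBytesRead);
    int got = ptrBytesRead.ToInt32();
    if (got <= 0)
    {
        // unreadable region: stop rather than emit a zero-filled buffer as if it were process memory
        break;
    }
    bw.Write(buffer, 0, got); // only the bytes actually read
    bytesRead += got;         // running total, not just the last chunk
    i += (uint)got;
    address += (uint)got;
}
bw.Flush();
bw.Close();
// … unchanged: success log, return true, catch blocks …
```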