SIZE_T ProcessAccessHelp::getSizeOfImageProcess(HANDLE processHandle, DWORD_PTR moduleBase)
{
SIZE_T sizeOfImage = 0, sizeOfImageNative = 0;
MEMORY_BASIC_INFORMATION lpBuffer = {0};
sizeOfImageNative = getSizeOfImageProcessNative(processHandle, moduleBase);
if (sizeOfImageNative)
{
return sizeOfImageNative;
}
WCHAR filenameOriginal[MAX_PATH*2] = {0};
WCHAR filenameTest[MAX_PATH*2] = {0};
GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameOriginal, _countof(filenameOriginal));
do
{
moduleBase = (DWORD_PTR)((SIZE_T)moduleBase + lpBuffer.RegionSize);
sizeOfImage += lpBuffer.RegionSize;
if (!VirtualQueryEx(processHandle, (LPCVOID)moduleBase, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION)))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getSizeOfImageProcess :: VirtualQuery failed %X", GetLastError());
#endif
lpBuffer.Type = 0;
sizeOfImage = 0;
}
GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameTest, _countof(filenameTest));
if (_wcsicmp(filenameOriginal,filenameTest) != 0)//problem: 2 modules without free space
{
break;
}
} while (lpBuffer.Type == MEM_IMAGE);
//if (sizeOfImage != sizeOfImageNative)
//{
// WCHAR temp[1000] = {0};
// wsprintfW(temp, L"0x%X sizeofimage\n0x%X sizeOfImageNative", sizeOfImage, sizeOfImageNative);
// MessageBoxW(0, temp, L"Test", 0);
//}
return sizeOfImage;
}
bool
HandleToFilename(HANDLE aHandle, const LARGE_INTEGER& aOffset,
nsAString& aFilename)
{
aFilename.Truncate();
// This implementation is nice because it uses fully documented APIs that
// are available on all Windows versions that we support.
nsAutoHandle fileMapping(CreateFileMapping(aHandle, nullptr, PAGE_READONLY,
0, 1, nullptr));
if (!fileMapping) {
return false;
}
ScopedMappedView view(MapViewOfFile(fileMapping, FILE_MAP_READ,
aOffset.HighPart, aOffset.LowPart, 1));
if (!view) {
return false;
}
nsAutoString mappedFilename;
DWORD len = 0;
SetLastError(ERROR_SUCCESS);
do {
mappedFilename.SetLength(mappedFilename.Length() + MAX_PATH);
len = GetMappedFileNameW(GetCurrentProcess(), view,
wwc(mappedFilename.BeginWriting()),
mappedFilename.Length());
} while (!len && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
if (!len) {
return false;
}
mappedFilename.Truncate(len);
return NtPathToDosPath(mappedFilename, aFilename);
}
bool ProcessAccessHelp::getProcessModules(HANDLE hProcess, std::vector<ModuleInfo> &moduleList)
{
ModuleInfo module;
WCHAR filename[MAX_PATH*2] = {0};
DWORD cbNeeded = 0;
bool retVal = false;
DeviceNameResolver deviceNameResolver;
moduleList.reserve(20);
EnumProcessModules(hProcess, 0, 0, &cbNeeded);
HMODULE* hMods=(HMODULE*)malloc(cbNeeded*sizeof(HMODULE));
if (hMods)
{
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 1; i < (cbNeeded/sizeof(HMODULE)); i++) //skip first module!
{
module.modBaseAddr = (DWORD_PTR)hMods[i];
module.modBaseSize = (DWORD)getSizeOfImageProcess(hProcess, module.modBaseAddr);
module.isAlreadyParsed = false;
module.parsing = false;
filename[0] = 0;
module.fullPath[0] = 0;
if (GetMappedFileNameW(hProcess, (LPVOID)module.modBaseAddr, filename, _countof(filename)) > 0)
{
if (!deviceNameResolver.resolveDeviceLongNameToShort(filename, module.fullPath))
{
if (!GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath)))
{
wcscpy_s(module.fullPath, filename);
}
}
}
else
{
GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath));
}
moduleList.push_back(module);
}
retVal = true;
}
free(hMods);
}
return retVal;
}
bool DumpMemoryGui::getMappedFilename( Memory* memory )
{
WCHAR filename[MAX_PATH] = {0};
//TODO replace with Nt direct syscall
if (GetMappedFileNameW(ProcessAccessHelp::hProcess, (LPVOID)memory->address, filename, _countof(filename)) > 0)
{
return deviceNameResolver->resolveDeviceLongNameToShort(filename, memory->mappedFilename);
}
return false;
}
LONG WINAPI HandleUnknownException(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
WCHAR registerInfo[220];
WCHAR filepath[MAX_PATH] = {0};
WCHAR file[MAX_PATH] = {0};
WCHAR message[MAX_PATH + 200 + _countof(registerInfo)];
WCHAR osInfo[100];
DWORD_PTR baseAddress = 0;
DWORD_PTR address = (DWORD_PTR)ExceptionInfo->ExceptionRecord->ExceptionAddress;
wcscpy_s(filepath, L"unknown");
wcscpy_s(file, L"unknown");
if (GetMappedFileNameW(GetCurrentProcess(), (LPVOID)address, filepath, _countof(filepath)) > 0)
{
WCHAR *temp = wcsrchr(filepath, '\\');
if (temp)
{
temp++;
wcscpy_s(file, temp);
}
}
swprintf_s(osInfo, _countof(osInfo), TEXT("Exception! Please report it! OS: %X"), GetVersion());
DWORD_PTR moduleBase = (DWORD_PTR)GetModuleHandleW(file);
swprintf_s(message, _countof(message), TEXT("ExceptionCode %08X\r\nExceptionFlags %08X\r\nNumberParameters %08X\r\nExceptionAddress VA ")TEXT(PRINTF_DWORD_PTR_FULL_S)TEXT(" - Base ")TEXT(PRINTF_DWORD_PTR_FULL_S)TEXT("\r\nExceptionAddress module %s\r\n\r\n"),
ExceptionInfo->ExceptionRecord->ExceptionCode,
ExceptionInfo->ExceptionRecord->ExceptionFlags,
ExceptionInfo->ExceptionRecord->NumberParameters,
address,
moduleBase,
file);
#ifdef _WIN64
swprintf_s(registerInfo, _countof(registerInfo),TEXT("rax=0x%p, rbx=0x%p, rdx=0x%p, rcx=0x%p, rsi=0x%p, rdi=0x%p, rbp=0x%p, rsp=0x%p, rip=0x%p"),
ExceptionInfo->ContextRecord->Rax,
ExceptionInfo->ContextRecord->Rbx,
ExceptionInfo->ContextRecord->Rdx,
ExceptionInfo->ContextRecord->Rcx,
ExceptionInfo->ContextRecord->Rsi,
ExceptionInfo->ContextRecord->Rdi,
ExceptionInfo->ContextRecord->Rbp,
ExceptionInfo->ContextRecord->Rsp,
ExceptionInfo->ContextRecord->Rip
);
#else
swprintf_s(registerInfo, _countof(registerInfo),TEXT("eax=0x%p, ebx=0x%p, edx=0x%p, ecx=0x%p, esi=0x%p, edi=0x%p, ebp=0x%p, esp=0x%p, eip=0x%p"),
ExceptionInfo->ContextRecord->Eax,
ExceptionInfo->ContextRecord->Ebx,
ExceptionInfo->ContextRecord->Edx,
ExceptionInfo->ContextRecord->Ecx,
ExceptionInfo->ContextRecord->Esi,
ExceptionInfo->ContextRecord->Edi,
ExceptionInfo->ContextRecord->Ebp,
ExceptionInfo->ContextRecord->Esp,
ExceptionInfo->ContextRecord->Eip
);
#endif
wcscat_s(message, _countof(message), registerInfo);
MessageBox(0, message, osInfo, MB_ICONERROR);
return EXCEPTION_CONTINUE_SEARCH;
}
/**
* @brief wrapper function for GetMappedFileName()
* @param
* @see http://msdn.microsoft.com/en-us/library/windows/desktop/ms683195(v=vs.85).aspx
* @remarks
* @code
* @endcode
* @return true if succeeded.
* @return file_name is nt device name (e.g. Device\HarddiskVolume2\Windows\System32\drivers\etc\hosts)
* @return if you want use dos device name, use nt_name_to_dos_name() function.
**/
bool
get_mapped_file_name(
_In_ HANDLE process_handle,
_In_ const void* mapped_addr,
_Out_ std::wstring& file_name
)
{
bool ret = false;
DWORD ret_cch_buf = 0;
DWORD cch_buf = MAX_PATH;
wchar_t* buf = NULL;
for(;;)
{
if (NULL != buf) free(buf);
buf = (wchar_t*) malloc((cch_buf + 1) * sizeof(wchar_t)); // add NULL
if (NULL == buf)
{
//log_err
// "insufficient memory, malloc( %u )",
// (cch_buf + 1) * sizeof(wchar_t)
//log_end
return false;
}
ret_cch_buf = GetMappedFileNameW(
process_handle,
const_cast<void*>(mapped_addr),
buf,
cch_buf
);
if (0 == ret_cch_buf)
{
//log_err
// "GetMappedFileNameW( process handle = 0x%08x, addr = 0x%p ), gle = %u",
// process_handle,
// mapped_addr,
// GetLastError()
//log_end
break;
}
if (ret_cch_buf < cch_buf)
{
// OK!
ret = true;
buf[ret_cch_buf] = L'\0';
break;
}
else if (ret_cch_buf == cch_buf)
{
// we need more buffer
cch_buf *= 2;
continue;
}
else
{
//log_err
// "unexpected ret_cch_buf(%u) : cch_buf(%u), GetMappedFileNameW()",
// ret_cch_buf,
// cch_buf
//log_end
break;
}
}
if(true == ret) file_name = buf;
free(buf); buf = NULL;
return ret;
}
int
main (int argc, char** argv)
{
MEMORY_BASIC_INFORMATION mbi;
char* region = 0;
const char* type;
wchar_t namebuf[4096];
DWORD winpid = (argv[1] ? atoi (argv[1]) : GetCurrentProcessId ());
HANDLE proc = OpenProcess (PROCESS_ALL_ACCESS, FALSE, winpid);
if (!proc)
{
fprintf (stderr, "OpenProcess(%lu): 0x%lx\n",
winpid, GetLastError ());
return 1;
}
var_in_data = 43;
for (;; region += mbi.RegionSize)
{
if (!VirtualQueryEx (proc, region, &mbi, sizeof (mbi)))
{
if (GetLastError () != ERROR_INVALID_PARAMETER)
fprintf (stderr, "VirtualQuery: 0x%lx\n", GetLastError ());
break;
}
if (mbi.State == MEM_FREE)
continue;
#if 0
if (mbi.Type == MEM_IMAGE)
continue;
#endif
if (mbi.State == MEM_FREE)
type = "free";
else if (mbi.Type == MEM_IMAGE)
type = "image";
else if (mbi.Type == MEM_MAPPED)
type = "mapped";
else if (mbi.Type == MEM_PRIVATE)
type = "private";
else
type = "unknown";
printf ("0x%08lx %-9s %010lu %-8s %s\n",
(unsigned long) region,
mbi.State == MEM_COMMIT ? "commit" : "reserved",
mbi.RegionSize,
type,
describe_protection (mbi.Protect)
);
if (winpid == GetCurrentProcessId ())
{
if (region <= (char*) &var_in_bss &&
(char*) &var_in_bss < (region + mbi.RegionSize))
{
printf (" ^^^^ BSS\n");
}
if (region <= (char*) &var_in_data &&
(char*) &var_in_data < (region + mbi.RegionSize))
{
printf (" ^^^^ DATA\n");
}
if (mbi.Type == MEM_MAPPED)
{
namebuf[0] = L'\0';
wcscpy (namebuf, L"[unknown]");
GetMappedFileNameW (GetCurrentProcess (),
region,
&namebuf[0],
countof (namebuf));
printf (" ^^^^ - %S\n", namebuf);
}
}
}
}
