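// Estimates a module's SizeOfImage inside another process.  The native
// (loader-data) lookup is tried first; when it yields nothing, the image
// is measured by walking the contiguous MEM_IMAGE regions that start at
// moduleBase with VirtualQueryEx.
//
// processHandle: handle to the target process (query + VM read rights).
// moduleBase:    image base of the module inside that process.
// Returns the size in bytes, or 0 when the walk fails (VirtualQueryEx error).
//
// Known limitation, kept from the original: two images mapped back to back
// with no free page between them are told apart only by their mapped file
// name, so a region whose name cannot be queried is treated as "unknown".
SIZE_T ProcessAccessHelp::getSizeOfImageProcess(HANDLE processHandle, DWORD_PTR moduleBase)
{
    const SIZE_T sizeOfImageNative = getSizeOfImageProcessNative(processHandle, moduleBase);
    if (sizeOfImageNative)
    {
        return sizeOfImageNative;
    }

    WCHAR filenameOriginal[MAX_PATH * 2] = {0};
    WCHAR filenameTest[MAX_PATH * 2] = {0};

    // An empty name is the sentinel for "no mapped file"; a failed call must
    // not leave unspecified buffer contents behind.
    if (!GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameOriginal, _countof(filenameOriginal)))
    {
        filenameOriginal[0] = 0;
    }

    SIZE_T sizeOfImage = 0;
    MEMORY_BASIC_INFORMATION lpBuffer = {0};
    do
    {
        // RegionSize is 0 on the first pass, so the first query is moduleBase itself.
        moduleBase = (DWORD_PTR)((SIZE_T)moduleBase + lpBuffer.RegionSize);
        sizeOfImage += lpBuffer.RegionSize;

        if (!VirtualQueryEx(processHandle, (LPCVOID)moduleBase, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION)))
        {
#ifdef DEBUG_COMMENTS
            Scylla::debugLog.log(L"getSizeOfImageProcess :: VirtualQuery failed %X", GetLastError());
#endif
            // Type = 0 ends the loop; size 0 tells the caller the walk failed.
            lpBuffer.Type = 0;
            sizeOfImage = 0;
        }

        // The original compared whatever was left in filenameTest when the
        // lookup failed, i.e. the previous region's name, so the check passed
        // silently.  Reset on failure so a stale name is never compared.
        if (!GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameTest, _countof(filenameTest)))
        {
            filenameTest[0] = 0;
        }

        if (_wcsicmp(filenameOriginal, filenameTest) != 0) // problem: 2 modules without free space
        {
            break;
        }
    } while (lpBuffer.Type == MEM_IMAGE);

    return sizeOfImage;
}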
// Resolves the file behind an open handle by mapping one byte of it at
// aOffset and asking the kernel for the mapped file name, then translating
// the NT device path to a DOS path.  Only documented APIs are used, so this
// works on every supported Windows version.  On failure aFilename is left
// empty and false is returned.
bool HandleToFilename(HANDLE aHandle, const LARGE_INTEGER& aOffset, nsAString& aFilename)
{
  aFilename.Truncate();

  nsAutoHandle mapping(CreateFileMapping(aHandle, nullptr, PAGE_READONLY, 0, 1, nullptr));
  if (!mapping) {
    return false;
  }

  ScopedMappedView view(MapViewOfFile(mapping, FILE_MAP_READ, aOffset.HighPart, aOffset.LowPart, 1));
  if (!view) {
    return false;
  }

  // Grow the buffer by MAX_PATH characters per attempt until the name fits.
  nsAutoString ntPath;
  DWORD copied = 0;
  SetLastError(ERROR_SUCCESS);
  for (;;) {
    ntPath.SetLength(ntPath.Length() + MAX_PATH);
    copied = GetMappedFileNameW(GetCurrentProcess(), view, wwc(ntPath.BeginWriting()), ntPath.Length());
    if (copied || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
      break;
    }
  }

  if (!copied) {
    return false;
  }

  ntPath.Truncate(copied);
  return NtPathToDosPath(ntPath, aFilename);
}
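// Enumerates the modules loaded in hProcess and appends one ModuleInfo per
// module.  The first handle returned by EnumProcessModules is skipped, as in
// the original (comment there: "skip first module!").
//
// hProcess:   handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
// moduleList: receives the modules; existing entries are kept.
// Returns true when EnumProcessModules succeeded, false otherwise.
bool ProcessAccessHelp::getProcessModules(HANDLE hProcess, std::vector<ModuleInfo> &moduleList)
{
    DWORD cbNeeded = 0;

    // Sizing call: with a null array EnumProcessModules only reports cbNeeded (bytes).
    EnumProcessModules(hProcess, 0, 0, &cbNeeded);
    if (cbNeeded == 0)
    {
        return false;
    }

    // cbNeeded is already a byte count; the original multiplied it by
    // sizeof(HMODULE) a second time and managed the array with malloc/free.
    std::vector<HMODULE> hMods(cbNeeded / sizeof(HMODULE));
    const DWORD cbAllocated = (DWORD)(hMods.size() * sizeof(HMODULE));
    if (!EnumProcessModules(hProcess, hMods.data(), cbAllocated, &cbNeeded))
    {
        return false;
    }

    // A module may be loaded between the two calls, in which case cbNeeded
    // exceeds the buffer.  Walk only the handles that were actually written.
    const DWORD cbValid = (cbNeeded < cbAllocated) ? cbNeeded : cbAllocated;
    const size_t moduleCount = cbValid / sizeof(HMODULE);

    DeviceNameResolver deviceNameResolver;
    WCHAR filename[MAX_PATH * 2] = {0};
    moduleList.reserve(moduleList.size() + moduleCount);

    for (size_t i = 1; i < moduleCount; i++) // skip first module!
    {
        // Fresh object per iteration so no field carries over from the
        // previous module (the original reused a single ModuleInfo).
        ModuleInfo module;
        module.modBaseAddr = (DWORD_PTR)hMods[i];
        module.modBaseSize = (DWORD)getSizeOfImageProcess(hProcess, module.modBaseAddr);
        module.isAlreadyParsed = false;
        module.parsing = false;
        filename[0] = 0;
        module.fullPath[0] = 0;

        // Prefer the mapped file name (NT device path) translated to a DOS
        // path; fall back to GetModuleFileNameEx, then to the raw NT path.
        if (GetMappedFileNameW(hProcess, (LPVOID)module.modBaseAddr, filename, _countof(filename)) > 0)
        {
            if (!deviceNameResolver.resolveDeviceLongNameToShort(filename, module.fullPath))
            {
                if (!GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath)))
                {
                    wcscpy_s(module.fullPath, filename);
                }
            }
        }
        else
        {
            GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath));
        }

        moduleList.push_back(module);
    }

    return true;
}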
// Looks up the file backing the region at memory->address in the target
// process (ProcessAccessHelp::hProcess) and stores its DOS path in
// memory->mappedFilename.  Returns false when the region has no mapped file
// or the device-name translation fails.
bool DumpMemoryGui::getMappedFilename( Memory* memory )
{
    WCHAR ntPath[MAX_PATH] = {0}; //TODO replace with Nt direct syscall

    const DWORD copied = GetMappedFileNameW(ProcessAccessHelp::hProcess, (LPVOID)memory->address, ntPath, _countof(ntPath));
    if (copied == 0)
    {
        return false;
    }

    return deviceNameResolver->resolveDeviceLongNameToShort(ntPath, memory->mappedFilename);
}
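// Last-chance SEH filter: shows a message box with the exception code and
// flags, the faulting address, the module (base and file name) containing
// it, the register state and the OS version, then returns
// EXCEPTION_CONTINUE_SEARCH so the default handling proceeds.
//
// ExceptionInfo: exception record + thread context supplied by the OS.
// Returns EXCEPTION_CONTINUE_SEARCH always.
LONG WINAPI HandleUnknownException(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
    WCHAR registerInfo[220];
    WCHAR filepath[MAX_PATH] = {0};
    WCHAR file[MAX_PATH] = {0};
    WCHAR message[MAX_PATH + 200 + _countof(registerInfo)];
    WCHAR osInfo[100];

    const EXCEPTION_RECORD *record = ExceptionInfo->ExceptionRecord;
    const CONTEXT *ctx = ExceptionInfo->ContextRecord;
    DWORD_PTR address = (DWORD_PTR)record->ExceptionAddress;

    wcscpy_s(filepath, L"unknown");
    wcscpy_s(file, L"unknown");

    // GetMappedFileNameW yields an NT device path; keep only the file part.
    // The original searched with the narrow literal '\\'; use the wide one.
    if (GetMappedFileNameW(GetCurrentProcess(), (LPVOID)address, filepath, _countof(filepath)) > 0)
    {
        WCHAR *temp = wcsrchr(filepath, L'\\');
        if (temp)
        {
            temp++;
            wcscpy_s(file, temp);
        }
    }

    swprintf_s(osInfo, _countof(osInfo), TEXT("Exception! Please report it! OS: %X"), GetVersion());

    // NULL when the file name is unknown or not loaded as a module here.
    DWORD_PTR moduleBase = (DWORD_PTR)GetModuleHandleW(file);

    swprintf_s(message, _countof(message),
        TEXT("ExceptionCode %08X\r\nExceptionFlags %08X\r\nNumberParameters %08X\r\nExceptionAddress VA ")TEXT(PRINTF_DWORD_PTR_FULL_S)TEXT(" - Base ")TEXT(PRINTF_DWORD_PTR_FULL_S)TEXT("\r\nExceptionAddress module %s\r\n\r\n"),
        record->ExceptionCode,
        record->ExceptionFlags,
        record->NumberParameters,
        address,
        moduleBase,
        file);

    // %p expects a pointer argument; the original passed the raw register
    // integers, which is a format/argument type mismatch.  Cast explicitly so
    // the vararg type matches the conversion.
#ifdef _WIN64
    swprintf_s(registerInfo, _countof(registerInfo),
        TEXT("rax=0x%p, rbx=0x%p, rdx=0x%p, rcx=0x%p, rsi=0x%p, rdi=0x%p, rbp=0x%p, rsp=0x%p, rip=0x%p"),
        reinterpret_cast<void*>(ctx->Rax), reinterpret_cast<void*>(ctx->Rbx),
        reinterpret_cast<void*>(ctx->Rdx), reinterpret_cast<void*>(ctx->Rcx),
        reinterpret_cast<void*>(ctx->Rsi), reinterpret_cast<void*>(ctx->Rdi),
        reinterpret_cast<void*>(ctx->Rbp), reinterpret_cast<void*>(ctx->Rsp),
        reinterpret_cast<void*>(ctx->Rip));
#else
    swprintf_s(registerInfo, _countof(registerInfo),
        TEXT("eax=0x%p, ebx=0x%p, edx=0x%p, ecx=0x%p, esi=0x%p, edi=0x%p, ebp=0x%p, esp=0x%p, eip=0x%p"),
        reinterpret_cast<void*>(ctx->Eax), reinterpret_cast<void*>(ctx->Ebx),
        reinterpret_cast<void*>(ctx->Edx), reinterpret_cast<void*>(ctx->Ecx),
        reinterpret_cast<void*>(ctx->Esi), reinterpret_cast<void*>(ctx->Edi),
        reinterpret_cast<void*>(ctx->Ebp), reinterpret_cast<void*>(ctx->Esp),
        reinterpret_cast<void*>(ctx->Eip));
#endif

    wcscat_s(message, _countof(message), registerInfo);
    MessageBox(0, message, osInfo, MB_ICONERROR);

    return EXCEPTION_CONTINUE_SEARCH;
}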
/**
 * @brief   Wrapper around GetMappedFileNameW() that grows its buffer until
 *          the whole name fits.
 * @param   process_handle  handle to the process that owns the mapping.
 * @param   mapped_addr     an address inside a mapped view in that process.
 * @param   file_name       receives the name on success; left untouched on failure.
 * @see     http://msdn.microsoft.com/en-us/library/windows/desktop/ms683195(v=vs.85).aspx
 * @remarks The buffer is managed with malloc/free on purpose: an allocation
 *          failure is reported as `false` rather than by throwing.
 * @return  true if succeeded.
 * @return  file_name is nt device name (e.g. Device\HarddiskVolume2\Windows\System32\drivers\etc\hosts)
 * @return  if you want use dos device name, use nt_name_to_dos_name() function.
 **/
bool get_mapped_file_name(
    _In_ HANDLE process_handle,
    _In_ const void* mapped_addr,
    _Out_ std::wstring& file_name
    )
{
    DWORD capacity = MAX_PATH;      // characters, not counting the terminator
    wchar_t* name_buf = NULL;
    bool ok = false;

    while (true)
    {
        free(name_buf);             // no-op on the first pass (NULL)
        name_buf = (wchar_t*) malloc((capacity + 1) * sizeof(wchar_t)); // +1 for the NUL
        if (NULL == name_buf)
        {
            //log_err
            //  "insufficient memory, malloc( %u )",
            //  (capacity + 1) * sizeof(wchar_t)
            //log_end
            return false;
        }

        const DWORD copied = GetMappedFileNameW(process_handle, const_cast<void*>(mapped_addr), name_buf, capacity);
        if (0 == copied)
        {
            //log_err
            //  "GetMappedFileNameW( process handle = 0x%08x, addr = 0x%p ), gle = %u",
            //  process_handle, mapped_addr, GetLastError()
            //log_end
            break;
        }

        if (copied == capacity)
        {
            // The name may have been truncated: retry with twice the room.
            capacity *= 2;
            continue;
        }

        if (copied > capacity)
        {
            //log_err
            //  "unexpected copied(%u) : capacity(%u), GetMappedFileNameW()",
            //  copied, capacity
            //log_end
            break;
        }

        // copied < capacity: the full name is in the buffer.
        name_buf[copied] = L'\0';
        ok = true;
        break;
    }

    if (ok)
        file_name = name_buf;

    free(name_buf);
    return ok;
}
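/* Walks the address space of a process (PID from argv[1]; default: this
 * process) with VirtualQueryEx and prints one line per non-free region:
 * base, state, size, type and protection (describe_protection is defined
 * elsewhere).  For the current process it additionally marks the regions
 * holding var_in_bss / var_in_data (globals defined elsewhere) and names
 * the file behind MEM_MAPPED regions.
 * Returns 0 on success, 1 when the target process cannot be opened. */
int main (int argc, char** argv)
{
  MEMORY_BASIC_INFORMATION mbi;
  char* region = 0;
  const char* type;
  wchar_t namebuf[4096];

  /* Check argc explicitly instead of relying on argv[1] being NULL. */
  DWORD winpid = (argc > 1 ? (DWORD) strtoul (argv[1], NULL, 10) : GetCurrentProcessId ());

  /* Least privilege: VirtualQueryEx and GetMappedFileNameW need only query
   * + read rights.  The original asked for PROCESS_ALL_ACCESS, which is
   * refused for targets where these two rights would still be granted. */
  HANDLE proc = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, winpid);
  if (!proc)
    {
      fprintf (stderr, "OpenProcess(%lu): 0x%lx\n", winpid, GetLastError ());
      return 1;
    }

  var_in_data = 43;   /* kept from the original; presumably keeps the global referenced */

  for (;; region += mbi.RegionSize)
    {
      if (!VirtualQueryEx (proc, region, &mbi, sizeof (mbi)))
        {
          /* ERROR_INVALID_PARAMETER is treated as the normal end of the
           * address space; anything else is reported. */
          if (GetLastError () != ERROR_INVALID_PARAMETER)
            fprintf (stderr, "VirtualQuery: 0x%lx\n", GetLastError ());
          break;
        }
      if (mbi.State == MEM_FREE)
        continue;

      /* MEM_FREE was skipped above, so only these types remain (the
       * original's "free" branch was unreachable). */
      switch (mbi.Type)
        {
        case MEM_IMAGE:   type = "image";   break;
        case MEM_MAPPED:  type = "mapped";  break;
        case MEM_PRIVATE: type = "private"; break;
        default:          type = "unknown"; break;
        }

      printf ("0x%08lx %-9s %010lu %-8s %s\n",
              (unsigned long) region,
              mbi.State == MEM_COMMIT ? "commit" : "reserved",
              mbi.RegionSize,
              type,
              describe_protection (mbi.Protect));

      if (winpid == GetCurrentProcessId ())
        {
          if (region <= (char*) &var_in_bss && (char*) &var_in_bss < (region + mbi.RegionSize))
            printf (" ^^^^ BSS\n");
          if (region <= (char*) &var_in_data && (char*) &var_in_data < (region + mbi.RegionSize))
            printf (" ^^^^ DATA\n");

          if (mbi.Type == MEM_MAPPED)
            {
              /* The original never checked the return value; on failure the
               * buffer contents are unspecified, so reset the placeholder. */
              wcscpy (namebuf, L"[unknown]");
              if (!GetMappedFileNameW (GetCurrentProcess (), region, namebuf, countof (namebuf)))
                wcscpy (namebuf, L"[unknown]");
              printf (" ^^^^ - %S\n", namebuf);
            }
        }
    }

  CloseHandle (proc);   /* the original leaked the handle until exit */
  return 0;
}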