/**
Copyright (c) 2018 Torajiro Aida
This software is released under the MIT License.
http://opensource.org/licenses/mit-license.php
*/
const ffi = require('ffi')
const ref = require('ref')
const Struct = require('ref-struct')
// 32 bit
// let RegionInfo = Struct({
// 'BaseAddress': 'ulong',
// 'AllocationBase': 'ulong',
// 'AllocationProtect': 'ulong',
// 'RegionSize': 'ulong',
// 'State': 'ulong',
// 'Protect': 'ulong',
// 'Type': 'ulong'
// })
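// 64 bit: MEMORY_BASIC_INFORMATION64, the record VirtualQueryEx fills in for an
// x64 target. Widths follow the Win32 definition (ULONGLONG for addresses and
// sizes, DWORD for flags). Both __alignment pads are part of the real layout;
// with them the struct is exactly 48 bytes, so `info.ref().length` is the
// number VirtualQueryEx returns on success and the size does not depend on
// ref-struct's tail padding.
const RegionInfo = Struct({
  BaseAddress: 'ulonglong',      // page-aligned start of the region containing the queried address
  AllocationBase: 'ulonglong',
  AllocationProtect: 'ulong',
  __alignment1: 'ulong',
  RegionSize: 'ulonglong',       // bytes from BaseAddress sharing the same State/Protect/Type
  State: 'ulong',                // MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000, MEM_FREE = 0x10000
  Protect: 'ulong',
  Type: 'ulong',
  __alignment2: 'ulong'          // trailing pad: makes the 48-byte size explicit
})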
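// SYSTEM_INFO as filled in by GetSystemInfo on x64 (48 bytes). ref-struct reads
// each member by offset, so every width must match the Win32 definition: the
// first member is a 4-byte union (dwOemId, or wProcessorArchitecture+wReserved
// as two WORDs), the three address-sized members are 8 bytes, all other
// members are DWORD (4) or WORD (2). Declaring DWORDs as 'ulonglong' shifts
// every following member, so lpMinimumApplicationAddress would silently read
// a different field (the processor mask) and getRegions() would start its
// walk at a bogus, unaligned address.
const SystemInfo = Struct({
  wProcessorArchitecture: 'ushort',   // union with dwOemId (DWORD): same 4 bytes
  wReserved: 'ushort',
  dwPageSize: 'ulong',
  lpMinimumApplicationAddress: 'ulonglong',
  lpMaximumApplicationAddress: 'ulonglong',
  dwActiveProcessorMask: 'ulonglong', // DWORD_PTR: an integer mask, not a pointer to one
  dwNumberOfProcessors: 'ulong',
  dwProcessorType: 'ulong',
  dwAllocationGranularity: 'ulong',
  wProcessorLevel: 'ushort',
  wProcessorRevision: 'ushort'
})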
// 32 bit
// let Kernel32 = ffi.Library('Kernel32', {
// 'ReadProcessMemory': ['bool', ['ulong', 'ulong', 'void *', 'ulong']],
// 'OpenProcess': ['ulong', ['ulong', 'bool', 'ulong']],
// 'VirtualQueryEx': ['ulong', ['ulong', 'ulong', 'void *', 'ulong']]
// })
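// 64 bit: x64 prototypes. Handles are passed as 'ulong' (32-bit) throughout
// this file; Win32 guarantees kernel handle values fit in 32 bits, so this is
// safe, though a full 64-bit HANDLE would be the exact type. Addresses and
// SIZE_T values are declared 'ulonglong' so the full 64-bit value reaches the
// callee.
const Kernel32 = ffi.Library('Kernel32', {
  // BOOL ReadProcessMemory(HANDLE, LPCVOID base, LPVOID buf, SIZE_T n, SIZE_T *read)
  // The last argument is passed as an integer so callers can pass 0 for NULL.
  ReadProcessMemory: ['bool', ['ulong', 'ulonglong', 'void *', 'ulonglong', 'ulonglong']],
  // HANDLE OpenProcess(DWORD access, BOOL inherit, DWORD pid); returns 0 on failure.
  OpenProcess: ['ulong', ['ulong', 'bool', 'ulong']],
  // SIZE_T VirtualQueryEx(HANDLE, LPCVOID addr, PMEMORY_BASIC_INFORMATION, SIZE_T len)
  // dwLength and the return value are SIZE_T: 8 bytes on x64, not DWORD.
  VirtualQueryEx: ['ulonglong', ['ulong', 'ulonglong', 'void *', 'ulonglong']],
  // BOOL IsWow64Process(HANDLE, PBOOL); the out-param is a 4-byte BOOL, so the
  // buffer passed for it must be int32-sized (ref's 'bool' is a single byte).
  IsWow64Process: ['bool', ['ulong', 'int32 *']],
  // void GetSystemInfo(LPSYSTEM_INFO)
  GetSystemInfo: ['void', ['void *']],
  // BOOL CloseHandle(HANDLE): releases the handle OpenProcess returned.
  CloseHandle: ['bool', ['ulong']]
})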
/**
 * Lowest user-mode address reported by GetSystemInfo(); getRegions() starts
 * its VirtualQueryEx walk here. The value is only meaningful if SystemInfo's
 * field layout matches the real SYSTEM_INFO, because ref-struct reads the
 * member purely by byte offset.
 */
const MIN_ADDR = (() => {
  const sysInfo = new SystemInfo()
  Kernel32.GetSystemInfo(sysInfo.ref())
  return sysInfo.lpMinimumApplicationAddress
})()
// lpMaximumApplicationAddress is available from the same struct should an
// upper bound (MAX_ADDR) ever be needed.
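// Access rights requested from OpenProcess: the minimum VirtualQueryEx and
// ReadProcessMemory need. No write, thread or duplicate rights are requested.
const PROCESS_VM_READ = 0x0010
const PROCESS_QUERY_INFORMATION = 0x0400
// MEMORY_BASIC_INFORMATION.State value for committed pages.
const MEM_COMMIT = 0x1000
// Size VirtualQueryEx reports when it filled a MEMORY_BASIC_INFORMATION64.
const MBI64_SIZE = 48
// End of the 47-bit x64 user-mode half. Real processes stop a little below
// this (GetSystemInfo's lpMaximumApplicationAddress is the authoritative
// value); the walk also ends as soon as VirtualQueryEx fails past the true
// limit. A lower bound here would miss modules loaded with high-entropy ASLR,
// which sit around 0x7FF6xxxxxxxx.
const USER_SPACE_LIMIT = 0x7FFFFFFFFFFF
// CloseHandle is bound here so close() works regardless of what the shared
// Kernel32 table declares; the shared binding is preferred when present.
const closeHandle = typeof Kernel32.CloseHandle === 'function'
  ? Kernel32.CloseHandle
  : ffi.Library('Kernel32', { CloseHandle: ['bool', ['ulong']] }).CloseHandle

/**
 * Read-only view of another process's virtual memory on 64-bit Windows.
 *
 * Opens the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and keeps
 * the handle until close() is called. Reading another process requires the
 * caller to have sufficient rights on it (same user, or SeDebugPrivilege for
 * protected/other-user processes); OpenProcess fails otherwise.
 */
class Memory {
  /**
   * @param {number} pid - process id to open
   * @throws {Error} if OpenProcess or IsWow64Process fails
   */
  constructor (pid) {
    this.handle = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid)
    if (this.handle === 0) {
      throw new Error('OpenProcess errored')
    }
    // IsWow64Process writes a 4-byte BOOL through its out-pointer. ref's
    // 'bool' is one byte, so a 'bool'-sized buffer would be overrun by three
    // bytes of our own heap; allocate an int32 instead.
    const wow64Flag = ref.alloc('int32')
    if (!Kernel32.IsWow64Process(this.handle, wow64Flag)) {
      // Don't leak the handle when construction fails half-way.
      closeHandle(this.handle)
      this.handle = 0
      throw new Error('IsWow64Process errored')
    }
    this.iswow64 = wow64Flag.deref() !== 0
  }

  /**
   * Enumerate committed regions of the target's address space.
   * @returns {Array<[number, number]>} [baseAddress, sizeInBytes] pairs, ascending
   * @throws {Error} if the handle has already been closed
   */
  getRegions () {
    if (this.handle === 0) throw new Error('process handle is closed')
    const info = new RegionInfo()
    const regions = []
    let current = MIN_ADDR
    while (current < USER_SPACE_LIMIT) {
      const written = Kernel32.VirtualQueryEx(this.handle, current, info.ref(), info.ref().length)
      // VirtualQueryEx returns 0 once `current` is beyond the highest user
      // address (or if the handle lacks query rights). The struct is stale in
      // that case, so check before reading any field from it.
      if (written !== MBI64_SIZE) break
      // Key regions on BaseAddress, not `current`: the first query may land
      // inside a region, and RegionSize counts from BaseAddress. Advancing by
      // `current + RegionSize` would carry any misalignment into every later
      // entry and make read() overrun the region by that offset.
      const base = info.BaseAddress
      const size = info.RegionSize
      if (info.State === MEM_COMMIT) {
        regions.push([base, size])
      }
      current = base + size
    }
    return regions
  }

  /**
   * Copy `length` bytes starting at `address` out of the target.
   * @param {number} address - virtual address in the target process
   * @param {number} length - bytes to read
   * @returns {Buffer} a fresh buffer holding the bytes
   * @throws {Error} if the handle is closed or the read fails; because
   *   lpNumberOfBytesRead is NULL, a range that is only partly readable
   *   counts as a failure rather than a short read
   */
  read (address, length) {
    if (this.handle === 0) throw new Error('process handle is closed')
    const buf = Buffer.alloc(length)
    const ok = Kernel32.ReadProcessMemory(this.handle, address, buf, length, 0)
    if (!ok) {
      throw new Error('ReadProcessMemory errored')
    }
    return buf
  }

  /** Not implemented yet; currently returns undefined. */
  readAsync (address, length) {
  }

  /**
   * Release the process handle. Safe to call more than once; subsequent
   * read()/getRegions() calls throw.
   * @throws {Error} if CloseHandle reports failure
   */
  close () {
    if (this.handle === 0) return
    const ok = closeHandle(this.handle)
    this.handle = 0
    if (!ok) {
      throw new Error('CloseHandle errored')
    }
  }
}
module.exports = Memory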