

Improvements and bug fixes in yr_process_get_memory contributed by Robin Keir
plusvic committed Dec 3, 2013
1 parent c97e3f9 commit 39eee48
Showing 1 changed file with 38 additions and 40 deletions.
78 changes: 38 additions & 40 deletions libyara/proc.c
Expand Up @@ -40,14 +40,14 @@ int get_process_memory(int pid, MEMORY_BLOCK** first_block)
HANDLE hProcess;
HANDLE hToken;

if( OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) &&
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
{
tokenPriv.PrivilegeCount = 1;
tokenPriv.Privileges[0].Luid = luidDebug;
tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tokenPriv.PrivilegeCount = 1;
tokenPriv.Privileges[0].Luid = luidDebug;
tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL);
AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL);
}

hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
Expand All @@ -59,55 +59,53 @@ int get_process_memory(int pid, MEMORY_BLOCK** first_block)
return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
}


GetSystemInfo(&si);

address = si.lpMinimumApplicationAddress;

while (address < si.lpMaximumApplicationAddress)
while (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
{
if (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0)
{
if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
{
data = (unsigned char*) yr_malloc(mbi.RegionSize);
if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0))
{
data = (unsigned char*) yr_malloc(mbi.RegionSize);

if (data == NULL)
return ERROR_INSUFICIENT_MEMORY;
if (data == NULL)
return ERROR_INSUFICIENT_MEMORY;

if (ReadProcessMemory(hProcess, address, data, mbi.RegionSize, &read))
{
new_block = (MEMORY_BLOCK*) yr_malloc(sizeof(MEMORY_BLOCK));
if (ReadProcessMemory(hProcess, mbi.BaseAddress, data, mbi.RegionSize, &read))
{
new_block = (MEMORY_BLOCK*) yr_malloc(sizeof(MEMORY_BLOCK));

if (new_block == NULL)
{
yr_free(data);
return ERROR_INSUFICIENT_MEMORY;
}
if (new_block == NULL)
{
yr_free(data);
return ERROR_INSUFICIENT_MEMORY;
}

if (*first_block == NULL)
*first_block = new_block;
if (*first_block == NULL)
*first_block = new_block;

new_block->base = (size_t) mbi.BaseAddress;
new_block->size = mbi.RegionSize;
new_block->data = data;
new_block->next = NULL;
new_block->base = (size_t) mbi.BaseAddress;
new_block->size = mbi.RegionSize;
new_block->data = data;
new_block->next = NULL;

if (current_block != NULL)
current_block->next = new_block;
if (current_block != NULL)
current_block->next = new_block;

current_block = new_block;
}
else
{
yr_free(data);
}
}
current_block = new_block;
}
else
{
yr_free(data);
}
}

address = (PVOID)((DWORD) mbi.BaseAddress + mbi.RegionSize);
}
}
address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize);
}

return ERROR_SUCCESS;
return ERROR_SUCCESS;
}

#else
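Review bot: The process handle obtained from `OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid)` is never released on the new side of the second hunk: both `return ERROR_INSUFICIENT_MEMORY;` paths and the final `return ERROR_SUCCESS;` leave `hProcess` open, so each scanned process leaks a handle carrying read rights on it for the lifetime of the caller. Add `CloseHandle(hProcess);` immediately before each of those three returns (or route the error exits through one cleanup label that closes it); the `hToken` handle from `OpenProcessToken` in the first hunk looks like it has the same problem, but the lines between the two hunks are not shown, so that part is unconfirmed. Separately, the new test `(mbi.Protect & PAGE_NOACCESS) == 0` only excludes PAGE_NOACCESS regions, so a committed region with PAGE_GUARD set still goes through `yr_malloc(mbi.RegionSize)` and a `ReadProcessMemory` call that will normally fail, allocating and freeing the whole region for nothing; widening it to `((mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0)` skips those regions up front. The function's prologue precedes the first hunk.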

