-
Notifications
You must be signed in to change notification settings - Fork 22
/
mm.cpp
90 lines (76 loc) · 2.06 KB
/
mm.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
/*
* Module Name:
* mm.cpp
*
* Abstract:
* Generic memory manipulation routines.
*
* Authors:
* Nick Peterson <everdox@gmail.com> | http://everdox.net/
* Nemanja (Nemi) Mulasmajic <nm@triplefault.io> | http://triplefault.io/
*
*/
#include "stdafx.h"
#include "mm.h"
/*
* Gets the size of the allocation.
*/
size_t MmGetRegionSize(_In_ PVOID Region)
{
uintptr_t Current = (uintptr_t)PAGE_ALIGN(Region);
// First, get the region size for this page.
MEMORY_BASIC_INFORMATION First;
if (!VirtualQuery((PVOID)Current, &First, sizeof(First)))
return 0;
Current = (uintptr_t)First.BaseAddress + First.RegionSize;
for (MEMORY_BASIC_INFORMATION Mbi;
/* */;
Current += Mbi.RegionSize)
{
if (!VirtualQuery((PVOID)Current, &Mbi, sizeof(Mbi)))
break;
if (Mbi.State == MEM_FREE)
break;
if (Mbi.AllocationBase != First.AllocationBase)
break;
}
return (Current - (uintptr_t)Region);
}
/*
* Searches for the user-supplied byte pattern (needle) in a region of
* memory (haystack).
*
* NOTE: This version doesn't support wildcards.
*/
PVOID MmFindBytes(_In_ const uint8_t* Haystack, _In_ size_t HaystackSize, _In_ const uint8_t* Needle, _In_ size_t NeedleSize)
{
// Walk haystack.
for (size_t HaystackIndex = 0; (HaystackIndex + NeedleSize) <= HaystackSize; ++HaystackIndex)
{
// Search for needle.
if (memcmp(&Haystack[HaystackIndex], Needle, NeedleSize) == 0)
{
return (PVOID)&Haystack[HaystackIndex];
}
}
return NULL;
}
/*
* A hint to the memory manager to leave the region paged into RAM.
*/
void MmProbeAndLockPages(_In_ PVOID StartAddress, _In_ size_t RegionSize)
{
RegionSize = ROUND_TO_PAGES(RegionSize);
PBYTE Initial = (PBYTE)PAGE_ALIGN(StartAddress);
// Make sure all the pages are writable.
DWORD Old = 0;
VirtualProtect(Initial, RegionSize, PAGE_EXECUTE_READWRITE, &Old);
for (volatile PBYTE Current = Initial;
(Current < (Initial + RegionSize));
Current++)
{
// Write to the page, mapping it in.
*Current = *Current;
}
VirtualLock(Initial, RegionSize);
}