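        /// <summary>
        /// Scans the committed, writable, non-guard memory regions of <paramref name="p"/> for the
        /// masked meterpreter signatures <c>metxor</c> and <c>javameter</c>.
        /// </summary>
        /// <param name="p">The process to scan. <see langword="null"/> yields <see langword="false"/>.</param>
        /// <returns>
        /// <see langword="true"/> when a signature is found in any scanned region; <see langword="false"/>
        /// when the process has exited, cannot be opened (e.g. access denied), or holds no signature.
        /// </returns>
        public static bool scanProcess(Process p)
        {
            if (p == null)
            {
                return false;
            }

            p.Refresh();
            try
            {
                if (p.HasExited)
                {
                    return false;
                }
            }
            catch (Exception)
            {
                // HasExited itself can fail for processes we are not allowed to query;
                // an unqueryable process is reported as clean rather than crashing the caller.
                return false;
            }

            IntPtr handle;
            try
            {
                // Process.Handle opens the process and throws for protected/system processes
                // (Win32Exception: access denied) or for a process that has just gone away.
                handle = p.Handle;
            }
            catch (System.ComponentModel.Win32Exception)
            {
                return false;
            }
            catch (InvalidOperationException)
            {
                return false;
            }

            List<MEMORY_BASIC_INFORMATION> regions = CollectWritableRegions(handle);
            for (int i = 0; i < regions.Count; i++)
            {
                if (RegionContainsSignature(handle, regions[i]))
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Walks the address space of the process behind <paramref name="handle"/> with
        /// <c>VirtualQueryEx</c> and returns every committed, writable region that is not a guard page.
        /// </summary>
        /// <param name="handle">An open process handle.</param>
        /// <returns>The regions worth reading, in address order; empty if the first query already fails.</returns>
        private static List<MEMORY_BASIC_INFORMATION> CollectWritableRegions(IntPtr handle)
        {
            List<MEMORY_BASIC_INFORMATION> regions = new List<MEMORY_BASIC_INFORMATION>();
            IntPtr address = IntPtr.Zero;
            while (true)
            {
                MEMORY_BASIC_INFORMATION info = new MEMORY_BASIC_INFORMATION();
                int written = VirtualQueryEx(handle, address, out info, Marshal.SizeOf(info));
                if (written == 0)
                {
                    // End of the address space (or the query failed): stop walking.
                    break;
                }

                bool committed = 0 != (info.State & MEM_COMMIT);
                bool writable = 0 != (info.Protect & WRITABLE);
                bool guarded = 0 != (info.Protect & PAGE_GUARD);
                if (committed && writable && !guarded)
                {
                    regions.Add(info);
                }

                long next = info.BaseAddress.ToInt64() + info.RegionSize.ToInt64();
                if (next <= address.ToInt64())
                {
                    // A zero-length or backwards region would make this loop spin forever.
                    break;
                }
                address = new IntPtr(next);
            }
            return regions;
        }

        /// <summary>
        /// Reads one region from the target process, masks it with 0xFF and searches it for the
        /// two signatures.
        /// </summary>
        /// <param name="handle">An open process handle.</param>
        /// <param name="region">A region previously returned by <see cref="CollectWritableRegions"/>.</param>
        /// <returns><see langword="true"/> if either signature is present in the bytes actually read.</returns>
        private static bool RegionContainsSignature(IntPtr handle, MEMORY_BASIC_INFORMATION region)
        {
            long regionSize = region.RegionSize.ToInt64();
            if (regionSize <= 0 || regionSize > int.MaxValue)
            {
                // RegionSize.ToInt32() would throw OverflowException on such regions;
                // skipping them keeps the rest of the scan alive.
                return false;
            }

            byte[] buff = new byte[(int)regionSize];

            // ReadProcessMemory may copy only part of the region, or nothing at all (e.g. the region
            // was released between the query and the read). Ask for the byte count so that the
            // untouched zero tail - which would mask to 0xFF bytes - is never searched.
            IntPtr bytesReadSlot = Marshal.AllocHGlobal(IntPtr.Size);
            long bytesRead;
            try
            {
                Marshal.WriteIntPtr(bytesReadSlot, IntPtr.Zero);
                ReadProcessMemory(handle, region.BaseAddress, buff, buff.Length, bytesReadSlot);
                bytesRead = Marshal.ReadIntPtr(bytesReadSlot).ToInt64();
            }
            finally
            {
                Marshal.FreeHGlobal(bytesReadSlot);
            }

            if (bytesRead <= 0)
            {
                return false;
            }
            if (bytesRead < buff.Length)
            {
                byte[] partial = new byte[bytesRead];
                Array.Copy(buff, partial, partial.Length);
                buff = partial;
            }

            // The target bytes are XORed with 0xFF before the search; presumably metxor/javameter are
            // stored masked the same way (their definitions are outside this block).
            for (int j = 0; j < buff.Length; j++)
            {
                buff[j] = (byte)(buff[j] ^ 0xFF);
            }

            // NOTE(review): a hit at offset 0 counts as a miss here (> 0 rather than >= 0), exactly as in
            // the original; IndexOf's not-found value is defined elsewhere in this file, so the
            // comparison is kept as-is until that contract is confirmed.
            if (IndexOf(buff, metxor) > 0)
            {
                return true;
            }
            return IndexOf(buff, javameter) > 0;
        }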

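        /// <summary>
        /// Timer callback that scans <paramref name="p"/> once for a meterpreter signature and, depending on
        /// <c>AntiPwny.PreventionMode</c>, terminates the process or only records the finding.
        /// A Java host process is reported under the "Java Meterpreter" category, any other process under
        /// "Meterpreter"; each process is scanned and logged at most once per callback.
        /// </summary>
        /// <param name="sender">The <see cref="Timer"/> that fired; it is stopped before the scan when present.</param>
        /// <param name="e">Elapsed-event data (unused).</param>
        /// <param name="p">The process to scan.</param>
        /// <param name="date">Timestamp string passed through to the log writer.</param>
        public void t_Elapsed(object sender, ElapsedEventArgs e, Process p, string date)
        {
            Timer t = sender as Timer;
            if (t != null)
            {
                t.Stop();
            }
            if (p == null)
            {
                return;
            }

            string processName;
            try
            {
                processName = p.ProcessName;
            }
            catch (InvalidOperationException)
            {
                // The process is already gone; there is nothing to scan.
                return;
            }

            // One scan decides the outcome; the category only records whether the host is the Java runtime.
            bool isJava = processName == "java";
            if (!Utilities.scanProcess(p))
            {
                return;
            }
            string category = isJava ? "Java Meterpreter" : "Meterpreter";

            builder.Clear();
            builder.Append(processName);
            if (AntiPwny.PreventionMode)
            {
                bool killed = false;
                try
                {
                    p.Kill();
                    killed = true;
                }
                catch (InvalidOperationException)
                {
                    // Exited between the scan and the kill; the finding is still worth recording.
                }
                catch (System.ComponentModel.Win32Exception)
                {
                    // Kill was refused (e.g. insufficient rights); record that it was not terminated.
                }
                builder.Append(killed ? " Killed." : " could not be killed.");

                w.write(date, builder.ToString(), category);
            }
            else
            {
                builder.Append(isJava
                    ? " memory contains java meterpreter signature."
                    : " memory contains meterpreter signature.");

                w.write(date, builder.ToString(), category + " Found");
            }
        }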