| public Analyze ( int ExitAfter ) : int | ||
| ExitAfter | int | Optionally stop checking or exit early after this many candidates. 0 does not exit early. |
| return | int | |
public int Analyze(int ExitAfter = 0)
{
CurrWindowBase = 0;
mapSize = (64 * 1024 * 1024);
long RunShift = 0;
if (File.Exists(Filename))
{
using (var fs = new FileStream(Filename, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
var mapName = Path.GetFileNameWithoutExtension(Filename) + DateTime.Now.ToBinary().ToString("X16");
using (var mmap =
MemoryMappedFile.CreateFromFile(fs,
mapName,
0,
MemoryMappedFileAccess.Read,
null,
HandleInheritability.Inheritable,
false))
{
if (FileSize == 0)
FileSize = new FileInfo(Filename).Length;
// TODO: Clean up all the shifts
while (CurrWindowBase < FileSize)
{
using (var reader = mmap.CreateViewAccessor(CurrWindowBase, mapSize, MemoryMappedFileAccess.Read))
{
CurrMapBase = 0;
reader.ReadArray(CurrMapBase, buffers[filled], 0, 512);
while (CurrMapBase < mapSize)
{
// Adjust for known memory run / extents mappings.
var offset = TrueOffset = CurrWindowBase + CurrMapBase;
var offset_pfn = offset >> MagicNumbers.PAGE_SHIFT;
// next page, may be faster with larger chunks but it's simple to view 1 page at a time
long IndexedOffset_pfn = 0;
do
{
IndexedOffset_pfn = vtero.MemAccess.OffsetToMemIndex(offset_pfn + RunShift);
if (IndexedOffset_pfn == -1)
{
RunShift++;
continue;
}
if (IndexedOffset_pfn == -2)
return DetectedProcesses.Count();
} while (IndexedOffset_pfn < 0);
// found shift, accumulate indexes
CurrMapBase += 4096;
offset_pfn += RunShift;
IndexedOffset_pfn = IndexedOffset_pfn >> MagicNumbers.PAGE_SHIFT;
// Calculate DIFF
var diff_off_pfn = offset < IndexedOffset_pfn ? IndexedOffset_pfn - offset_pfn : offset_pfn - IndexedOffset_pfn;
// Skew Offset
offset += (diff_off_pfn << MagicNumbers.PAGE_SHIFT);
// setup buffers for parallel load/read
block = buffers[filled];
filled ^= 1;
#pragma warning disable HeapAnalyzerImplicitParamsRule // Array allocation for params parameter
Parallel.Invoke(() =>
Parallel.ForEach<Func<long, bool>>(CheckMethods, (check) =>
{
check(offset);
}), () =>
{
if (CurrMapBase < mapSize)
UnsafeHelp.ReadBytes(reader, CurrMapBase, ref buffers[filled]);
}
);
if (ExitAfter > 0 && (ExitAfter == DetectedProcesses.Count())) // || FoundValueOffsets.Count() >= ExitAfter))
return DetectedProcesses.Count();
var progress = Convert.ToInt32((Convert.ToDouble(CurrWindowBase) / Convert.ToDouble(FileSize) * 100.0) + 0.5);
if (progress != ProgressBarz.Progress)
ProgressBarz.RenderConsoleProgress(progress);
}
} // close current window
CurrWindowBase += CurrMapBase;
if (CurrWindowBase + mapSize > FileSize)
mapSize = FileSize - CurrWindowBase;
}
}
} // close map
} // close stream
return DetectedProcesses.Count();
}
public int ProcDetectScan(PTType Modes, int DetectOnly = 0)
{
if (Phase >= 1 && OverRidePhase)
{
return(Processes.Count());
}
scan.ScanMode = Modes;
var rv = scan.Analyze(DetectOnly);
foreach (var p in scan.DetectedProcesses.Values)
{
Processes.Add(p);
}
Phase = 2;
return(rv);
}
