/// <summary>
/// "Generic" top-level page-table heuristic: scans the upper half of the
/// 0x200-entry <c>block</c> (indexes 0x1ff down to 0x100) for an entry whose
/// frame address equals <paramref name="offset"/>, i.e. a table that points back
/// at the page it lives in. Each match is recorded in <c>DetectedProcesses</c>
/// under <paramref name="offset"/> (first writer wins via TryAdd) and echoed
/// when <c>Vtero.VerboseOutput</c> is set.
/// </summary>
/// <param name="offset">Offset of the page currently loaded in <c>block</c>; used both as the
/// expected self-reference target and as the DetectedProcesses key.</param>
/// <returns><c>true</c> if at least one self-referencing entry was found, otherwise <c>false</c>.</returns>
/// <remarks>
/// Entries 0..0x1ff of <c>block</c> are read unconditionally, so the caller must supply
/// at least 0x200 entries; nothing here checks that. The contents come from the image
/// under analysis and are treated as untrusted bit patterns only — every decision is a
/// mask/compare, no entry is ever dereferenced.
/// </remarks>
public bool Generic(long offset)
{
    // Gate on entry 0: its low byte must be exactly 0x63, or its 0xfdf-masked low
    // bits must equal 0x847 (that second pattern deliberately ignores bit 5 —
    // NOTE(review): presumably the accessed bit, confirm against the PTE layout).
    bool lowByteMatch = (block[0] & 0xff) == 0x63;
    bool maskedMatch = (block[0] & 0xfdf) == 0x847;
    if (!lowByteMatch && !maskedMatch)
    {
        return false;
    }

    // Any of these bits set disqualifies an entry:
    // 111 1111 1111 1111 0000 0000 0000 0000 0000 0000 0000 0000 0000 0100 1000 0000
    const long DisqualifyMask = 0x7FFF000000000480;
    // Bits that carry the entry's frame address.
    const long FrameMask = 0xFFFFFFFFF000;

    var candidate = false;

    // Walk the upper half of the table, highest index first, 0x100 inclusive.
    for (var idx = 0x1ff; idx > 0xFF; idx--)
    {
        var entry = block[idx];

        // Only entries whose low byte is 0x63 or 0x67 are considered.
        var low = entry & 0xff;
        if (low != 0x63 && low != 0x67)
        {
            continue;
        }

        if ((entry & DisqualifyMask) != 0)
        {
            continue;
        }

        var frame = entry & FrameMask;
        if (frame != offset)
        {
            continue;
        }

        // Self-reference found. Diff is always zero at this point (frame == offset);
        // it is kept because DetectedProc records it.
        // BUGBUG (original): cluster the values (k-means or similar) to improve
        // detection of processes in sparse images — this could be better.
        var proc = new DetectedProc
        {
            CR3Value = frame,
            FileOffset = offset,
            Diff = offset - frame,
            Mode = 2,
            PageTableType = PTType.GENERIC,
            TrueOffset = TrueOffset
        };

        // Snapshot every non-zero entry of the whole table into the record.
        for (var p = 0; p < 0x200; p++)
        {
            if (block[p] != 0)
            {
                proc.TopPageTablePage.Add(p, block[p]);
            }
        }

        // TryAdd never overwrites an existing key; the scan continues either way,
        // so a second self-reference in the same table reports but does not replace.
        DetectedProcesses.TryAdd(offset, proc);
        if (Vtero.VerboseOutput)
        {
            WriteColor(ConsoleColor.Cyan, ConsoleColor.Black, proc.ToString());
        }

        candidate = true;
    }

    // Original note: maybe some kernels keep more than 1/2 of system memory
    // mapped in the upper half — that would be a bit greedy though!?
    return candidate;
}