def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or '-h' in sys.argv or '--help' in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print(" %%%ds bytes of readable memory" % width) % number(readable) print(" %%%ds bytes of writeable memory" % width) % number(writeable) print(" %%%ds bytes of executable memory" % width) % number(executable) print(" %%%ds bytes of private memory" % width) % number(private) print(" %%%ds bytes of mapped memory" % width) % number(mapped) print(" %%%ds bytes of image memory" % width) % number(image) print(" %%%ds bytes of total memory" % width) % number(total) print
def openProc(pid): ''' return proc maps ''' process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines = [] for mbi in memoryMap: if not mbi.is_readable(): continue addr = '' perm = '--- ' offset = '' device = '' inode = '' filename = '' # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress) RegionSize = HexDump.address(mbi.RegionSize) # State (free or allocated). mbiState = mbi.State if mbiState == win32.MEM_RESERVE: State = "Reserved" elif mbiState == win32.MEM_COMMIT: State = "Commited" elif mbiState == win32.MEM_FREE: State = "Free" else: State = "Unknown" # Page protection bits (R/W/X/G). if mbiState != win32.MEM_COMMIT: Protect = "--- " else: mbiProtect = mbi.Protect if mbiProtect & win32.PAGE_NOACCESS: Protect = "--- " elif mbiProtect & win32.PAGE_READONLY: Protect = "R-- " elif mbiProtect & win32.PAGE_READWRITE: Protect = "RW- " elif mbiProtect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbiProtect & win32.PAGE_EXECUTE: Protect = "--X " elif mbiProtect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbiProtect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " ''' if mbiProtect & win32.PAGE_GUARD: Protect += "G" #else: # Protect += "-" if mbiProtect & win32.PAGE_NOCACHE: Protect += "N" #else: # Protect += "-" if mbiProtect & win32.PAGE_WRITECOMBINE: Protect += "W" #else: # Protect += "-" ''' perm = Protect # Type (file mapping, executable image, or private memory). mbiType = mbi.Type if mbiType == win32.MEM_IMAGE: Type = "Image" elif mbiType == win32.MEM_MAPPED: Type = "Mapped" elif mbiType == win32.MEM_PRIVATE: Type = "Private" elif mbiType == 0: Type = "" else: Type = "Unknown" log.debug(BaseAddress) addr = '%08x-%08x' % (int( BaseAddress, 16), int(BaseAddress, 16) + int(RegionSize, 16)) perm = perm.lower() offset = '00000000' device = 'fe:01' inode = 24422442 filename = mappedFilenames.get(mbi.BaseAddress, ' ') # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines.append('%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) log.debug('%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) ##generate_memory_snapshot(self, minAddr=None, maxAddr=None) return lines # process.suspend() # try: # snapshot = process.generate_memory_snapshot() # for mbi in snapshot: # print HexDump.hexblock(mbi.content, mbi.BaseAddress) # finally: # process.resume() # process.read_structure() process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: log.debug("MemoryHandler map for %d (%s):" % (pid, fileName)) else: log.debug("MemoryHandler map for %d:" % pid) log.debug('%d filenames' % len(mappedFilenames)) log.debug('') log.debug('%d memorymap' % len(memoryMap)) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(str(total)) log.debug(" %%%ds bytes of readable memory" % width) % int(readable) log.debug( " %%%ds bytes of writeable memory" % width) % int(writeable) log.debug( " %%%ds bytes of executable memory" % width) % int(executable) log.debug(" %%%ds bytes of private memory" % width) % int(private) log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped) log.debug(" %%%ds bytes of image memory" % width) % int(image) log.debug(" %%%ds bytes of total memory" % width) % int(total) log.debug('') return
def openProc(pid): ''' return proc maps ''' process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines = [] for mbi in memoryMap: if not mbi.is_readable(): continue addr = '' perm = '--- ' offset = '' device = '' inode = '' filename = '' # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress) RegionSize = HexDump.address(mbi.RegionSize) # State (free or allocated). mbiState = mbi.State if mbiState == win32.MEM_RESERVE: State = "Reserved" elif mbiState == win32.MEM_COMMIT: State = "Commited" elif mbiState == win32.MEM_FREE: State = "Free" else: State = "Unknown" # Page protection bits (R/W/X/G). if mbiState != win32.MEM_COMMIT: Protect = "--- " else: mbiProtect = mbi.Protect if mbiProtect & win32.PAGE_NOACCESS: Protect = "--- " elif mbiProtect & win32.PAGE_READONLY: Protect = "R-- " elif mbiProtect & win32.PAGE_READWRITE: Protect = "RW- " elif mbiProtect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbiProtect & win32.PAGE_EXECUTE: Protect = "--X " elif mbiProtect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbiProtect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbiProtect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " ''' if mbiProtect & win32.PAGE_GUARD: Protect += "G" #else: # Protect += "-" if mbiProtect & win32.PAGE_NOCACHE: Protect += "N" #else: # Protect += "-" if mbiProtect & win32.PAGE_WRITECOMBINE: Protect += "W" #else: # Protect += "-" ''' perm = Protect # Type (file mapping, executable image, or private memory). mbiType = mbi.Type if mbiType == win32.MEM_IMAGE: Type = "Image" elif mbiType == win32.MEM_MAPPED: Type = "Mapped" elif mbiType == win32.MEM_PRIVATE: Type = "Private" elif mbiType == 0: Type = "" else: Type = "Unknown" log.debug(BaseAddress) addr = '%08x-%08x' % (int(BaseAddress, 16), int(BaseAddress, 16) + int(RegionSize, 16)) perm = perm.lower() offset = '00000000' device = 'fe:01' inode = 24422442 filename = mappedFilenames.get(mbi.BaseAddress, ' ') # 08048000-080b0000 r-xp 0804d000 fe:01 3334030 /usr/myfile lines.append( '%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) log.debug( '%s %s %s %s %s %s\n' % (addr, perm, offset, device, inode, filename)) ##generate_memory_snapshot(self, minAddr=None, maxAddr=None) return lines # process.suspend() # try: # snapshot = process.generate_memory_snapshot() # for mbi in snapshot: # print HexDump.hexblock(mbi.content, mbi.BaseAddress) # finally: # process.resume() # process.read_structure() process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: log.debug("MemoryHandler map for %d (%s):" % (pid, fileName)) else: log.debug("MemoryHandler map for %d:" % pid) log.debug('%d filenames' % len(mappedFilenames)) log.debug('') log.debug('%d memorymap' % len(memoryMap)) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(str(total)) log.debug(" %%%ds bytes of readable memory" % width) % int(readable) log.debug(" %%%ds bytes of writeable memory" % width) % int(writeable) log.debug(" %%%ds bytes of executable memory" % width) % int(executable) log.debug(" %%%ds bytes of private memory" % width) % int(private) log.debug(" %%%ds bytes of mapped memory" % width) % int(mapped) log.debug(" %%%ds bytes of image memory" % width) % int(image) log.debug(" %%%ds bytes of total memory" % width) % int(total) log.debug('') return
def main(): print "Process memory map" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) < 2 or "-h" in sys.argv or "--help" in sys.argv: script = os.path.basename(sys.argv[0]) print "Usage:" print " %s <pid>..." % script print " %s <process.exe>..." % script return s = System() s.request_debug_privileges() s.scan_processes() targets = set() for token in sys.argv[1:]: try: pid = HexInput.integer(token) if not s.has_process(pid): print "Process not found: %s" % token return targets.add(pid) except ValueError: pl = s.find_processes_by_filename(token) if not pl: print "Process not found: %s" % token return for p, n in pl: pid = p.get_pid() targets.add(pid) targets = list(targets) targets.sort() for pid in targets: process = Process(pid) fileName = process.get_filename() memoryMap = process.get_memory_map() mappedFilenames = process.get_mapped_filenames() if fileName: print "Memory map for %d (%s):" % (pid, fileName) else: print "Memory map for %d:" % pid print ## print CrashDump.dump_memory_map(memoryMap), print CrashDump.dump_memory_map(memoryMap, mappedFilenames) readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: size = mbi.RegionSize if not mbi.is_free(): total += size if mbi.is_readable(): readable += size if mbi.is_writeable(): writeable += size if mbi.is_executable(): executable += size if mbi.is_private(): private += size if mbi.is_mapped(): mapped += size if mbi.is_image(): image += size width = len(number(total)) print (" %%%ds bytes of readable memory" % width) % number(readable) print (" %%%ds bytes of writeable memory" % width) % number(writeable) print (" %%%ds bytes of executable memory" % width) % number(executable) print (" %%%ds bytes of private memory" % width) % number(private) print (" %%%ds bytes of mapped memory" % width) % number(mapped) print (" %%%ds bytes of image memory" % width) % number(image) print (" %%%ds bytes of total memory" % width) % number(total) print