#!~/.wine/drive_c/Python25/python.exe # -*- coding: utf-8 -*- # Copyright (c) 2009-2014, Mario Vilas # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # * Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice,this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of the copyright holder nor the names of its # contributors may be used to endorse or promote products derived from # this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # $Id: 10_memory_map.py 1299 2013-12-20 09:30:55Z qvasimodo $ from winappdbg import win32, Process, HexDump def print_memory_map( pid ): # Instance a Process object. process = Process( pid ) # Find out if it's a 32 or 64 bit process. bits = process.get_bits() # Get the process memory map. memoryMap = process.get_memory_map() # Now you could do this... # # from winappdbg import CrashDump # print CrashDump.dump_memory_map( memoryMap ), # # ...but let's do it the hard way: # For each memory block in the map... print "Address \tSize \tState \tAccess \tType" for mbi in memoryMap: # Address and size of memory block. BaseAddress = HexDump.address(mbi.BaseAddress, bits) RegionSize = HexDump.address(mbi.RegionSize, bits) # State (free or allocated). if mbi.State == win32.MEM_RESERVE: State = "Reserved " elif mbi.State == win32.MEM_COMMIT: State = "Commited " elif mbi.State == win32.MEM_FREE: State = "Free " else: State = "Unknown " # Page protection bits (R/W/X/G). if mbi.State != win32.MEM_COMMIT: Protect = " " else: ## Protect = "0x%.08x" % mbi.Protect if mbi.Protect & win32.PAGE_NOACCESS: Protect = "--- " elif mbi.Protect & win32.PAGE_READONLY: Protect = "R-- " elif mbi.Protect & win32.PAGE_READWRITE: Protect = "RW- " elif mbi.Protect & win32.PAGE_WRITECOPY: Protect = "RC- " elif mbi.Protect & win32.PAGE_EXECUTE: Protect = "--X " elif mbi.Protect & win32.PAGE_EXECUTE_READ: Protect = "R-X " elif mbi.Protect & win32.PAGE_EXECUTE_READWRITE: Protect = "RWX " elif mbi.Protect & win32.PAGE_EXECUTE_WRITECOPY: Protect = "RCX " else: Protect = "??? " if mbi.Protect & win32.PAGE_GUARD: Protect += "G" else: Protect += "-" if mbi.Protect & win32.PAGE_NOCACHE: Protect += "N" else: Protect += "-" if mbi.Protect & win32.PAGE_WRITECOMBINE: Protect += "W" else: Protect += "-" Protect += " " # Type (file mapping, executable image, or private memory). if mbi.Type == win32.MEM_IMAGE: Type = "Image " elif mbi.Type == win32.MEM_MAPPED: Type = "Mapped " elif mbi.Type == win32.MEM_PRIVATE: Type = "Private " elif mbi.Type == 0: Type = "Free " else: Type = "Unknown " # Print the memory block information. fmt = "%s\t%s\t%s\t%s\t%s" print fmt % ( BaseAddress, RegionSize, State, Protect, Type ) # When invoked from the command line, # the first argument is a process ID. if __name__ == "__main__": import sys print_memory_map( int( sys.argv[1] ) )