TheLeftExit
diff --git a/‎Trickster.sln‎
Lines changed: 9 additions & 3 deletions b/‎Trickster.sln‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎Trickster/MainForm.cs‎
Lines changed: 0 additions & 128 deletions b/‎Trickster/MainForm.cs‎
Lines changed: 0 additions & 128 deletions
diff --git a/‎Trickster/Memory/RttiScanner.cs‎
Lines changed: 72 additions & 0 deletions b/‎Trickster/Memory/RttiScanner.cs‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎Trickster/Memory/Trickster.cs‎
Lines changed: 163 additions & 0 deletions b/‎Trickster/Memory/Trickster.cs‎
Lines changed: 163 additions & 0 deletions
@@ -1,18 +1,24 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.31702.278
+# Visual Studio Version 17
+VisualStudioVersion = 17.0.31919.166
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Trickster", "Trickster\Trickster.csproj", "{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Trickster", "Trickster\Trickster.csproj", "{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
 		Debug|x64 = Debug|x64
+		Release|Any CPU = Release|Any CPU
 		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Debug|Any CPU.ActiveCfg = Debug|x64
+		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Debug|Any CPU.Build.0 = Debug|x64
 		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Debug|x64.ActiveCfg = Debug|x64
 		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Debug|x64.Build.0 = Debug|x64
+		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Release|Any CPU.ActiveCfg = Release|x64
+		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Release|Any CPU.Build.0 = Release|x64
 		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Release|x64.ActiveCfg = Release|x64
 		{1FF948A3-7E4B-48D9-A551-C8EC0D84A39F}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 
@@ -0,0 +1,72 @@
+using System;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using System.Text;
+using Windows.Win32;
+using Windows.Win32.Foundation;
+
+namespace TheLeftExit.Trickster.Memory {
+    public unsafe struct RttiScanner : IDisposable {
+        private nuint _baseAddress;
+        private nuint _size;
+        private byte* _pointer;
+        public RttiScanner(HANDLE handle, nuint mainModuleBaseAddress, nuint mainModuleSize) {
+            _baseAddress = mainModuleBaseAddress;
+            _size = mainModuleSize;
+            _pointer = (byte*)NativeMemory.Alloc(mainModuleSize);
+            if (!Kernel32.ReadProcessMemory(handle, (void*)mainModuleBaseAddress, _pointer, mainModuleSize))
+                throw new ApplicationException();
+        }
+
+        public void Dispose() {
+            NativeMemory.Free(_pointer);
+        }
+
+        public unsafe bool TryRead(ulong address, int count, void* buffer) {
+            if (address >= _baseAddress && address + (uint)count < _baseAddress + _size) {
+                void* sourceAddress = _pointer + (address - _baseAddress);
+                Unsafe.CopyBlock(buffer, sourceAddress, (uint)count);
+                return true;
+            }
+            return false;
+        }
+
+        public bool TryRead<T>(ulong address, out T result) where T : unmanaged {
+            fixed (void* ptr = &result)
+                return TryRead(address, sizeof(T), ptr);
+        }
+        public bool TryRead<T>(ulong address, Span<T> buffer) where T : unmanaged {
+            fixed (void* ptr = buffer)
+                return TryRead(address, buffer.Length * sizeof(T), ptr);
+        }
+
+        private const int BUFFER_SIZE = 60;
+
+        public string GetClassName64(ulong address) {
+            if (!TryRead(address - 0x08, out ulong object_locator)) return null;
+            if (!TryRead(object_locator + 0x14, out ulong base_offset)) return null;
+            ulong base_address = object_locator - base_offset;
+            if (!TryRead(object_locator + 0x0C, out uint type_descriptor_offset)) return null;
+            ulong class_name = base_address + type_descriptor_offset + 0x10 + 0x04;
+            byte* buffer = stackalloc byte[BUFFER_SIZE];
+            buffer[0] = (byte)'?';
+            if (!TryRead(class_name, BUFFER_SIZE - 1, buffer + 1)) return null;
+            byte* target = stackalloc byte[BUFFER_SIZE];
+            uint len = DbgHelp.UnDecorateSymbolName(new PCSTR(buffer), new PSTR(target), BUFFER_SIZE, 0x1800);
+            return len != 0 ? Encoding.UTF8.GetString(target, (int)len) : null;
+        }
+
+        public string GetClassName32(ulong address) {
+            if (!TryRead(address - 0x04, out uint object_locator)) return null;
+            if (!TryRead(object_locator + 0x06, out uint type_descriptor)) return null;
+            ulong class_name = type_descriptor + 0x0C + 0x03;
+            byte* buffer = stackalloc byte[BUFFER_SIZE];
+            buffer[0] = (byte)'?';
+            if (!TryRead(class_name, BUFFER_SIZE - 1, buffer + 1)) return null;
+            byte* target = stackalloc byte[BUFFER_SIZE];
+            uint len = DbgHelp.UnDecorateSymbolName(new PCSTR(buffer), new PSTR(target), BUFFER_SIZE, 0x1000);
+            return len != 0 ? Encoding.UTF8.GetString(target, (int)len) : null;
+        }
+    }
+}
@@ -0,0 +1,163 @@
+using System;
+using System.Diagnostics;
+using System.Linq;
+
+using Windows.Win32;
+using Windows.Win32.Foundation;
+using Windows.Win32.System.Threading;
+using Windows.Win32.System.Memory;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using System.Threading;
+using System.Runtime.InteropServices;
+
+namespace TheLeftExit.Trickster.Memory {
+    public class TricksterException : Exception { }
+
+    public record struct TypeInfo(string Name, nuint Address, nuint Offset) {
+        public override string ToString() {
+            return $"{Name} - {Offset:X}";
+        }
+    }
+
+    public unsafe struct MemoryRegionInfo {
+        public void* BaseAddress;
+        public nuint Size;
+        public MemoryRegionInfo(void* baseAddress, nuint size) { BaseAddress = baseAddress; Size = size; }
+    }
+
+    public unsafe struct MemoryRegion {
+        public void* Pointer;
+        public void* BaseAddress;
+        public nuint Size;
+        public MemoryRegion(void* pointer, void* baseAddress, nuint size) { Pointer = pointer; BaseAddress = baseAddress; Size = size; }
+    }
+
+    public unsafe class Trickster : IDisposable {
+        private HANDLE _processHandle;
+
+        private nuint _mainModuleBaseAddress;
+        private nuint _mainModuleSize;
+        private bool _is32Bit;
+
+        public TypeInfo[] ScannedTypes;
+        public MemoryRegion[] Regions;
+
+        public Trickster(Process process) {
+            _processHandle = Kernel32.OpenProcess(PROCESS_ACCESS_RIGHTS.PROCESS_ALL_ACCESS, true, (uint)process.Id);
+            if (_processHandle.IsNull) throw new TricksterException();
+
+            _mainModuleBaseAddress = (nuint)process.MainModule.BaseAddress.ToPointer();
+            _mainModuleSize = (nuint)process.MainModule.ModuleMemorySize;
+
+            BOOL is32Bit; Kernel32.IsWow64Process(_processHandle, &is32Bit); _is32Bit = is32Bit;
+        }
+
+        private TypeInfo[] ScanTypesCore() {
+            List<TypeInfo> list = new();
+
+            using (RttiScanner processMemory = new(_processHandle, _mainModuleBaseAddress, _mainModuleSize)) {
+                nuint inc = (nuint)(_is32Bit ? 4 : 8);
+                Func<ulong, string> getClassName = _is32Bit ? processMemory.GetClassName32 : processMemory.GetClassName64;
+                for (nuint offset = inc; offset < _mainModuleSize; offset += inc) {
+                    nuint address = _mainModuleBaseAddress + offset;
+                    if (getClassName(address) is string className) {
+                        list.Add(new TypeInfo(className, address, offset));
+                    }
+                }
+            }
+
+            return list.ToArray();
+        }
+
+        private MemoryRegionInfo[] ScanRegionInfoCore() {
+            ulong stop = _is32Bit ? uint.MaxValue : 0x7ffffffffffffffful;
+            nuint size = (nuint)sizeof(MEMORY_BASIC_INFORMATION);
+
+            List<MemoryRegionInfo> list = new();
+
+            MEMORY_BASIC_INFORMATION mbi;
+            nuint address = 0;
+
+
+            while (address < stop && Kernel32.VirtualQueryEx(_processHandle, (void*)address, &mbi, size) > 0 && address + mbi.RegionSize > address) {
+                if (mbi.State == VIRTUAL_ALLOCATION_TYPE.MEM_COMMIT &&
+                    !mbi.Protect.HasFlag(PAGE_PROTECTION_FLAGS.PAGE_NOACCESS) &&
+                    !mbi.Protect.HasFlag(PAGE_PROTECTION_FLAGS.PAGE_GUARD) &&
+                    !mbi.Protect.HasFlag(PAGE_PROTECTION_FLAGS.PAGE_NOCACHE))
+                    list.Add(new MemoryRegionInfo(mbi.BaseAddress, mbi.RegionSize));
+                address += mbi.RegionSize;
+            }
+
+            return list.ToArray();
+        }
+
+        private MemoryRegion[] ReadRegionsCore(MemoryRegionInfo[] infoArray) {
+            MemoryRegion[] regionArray = new MemoryRegion[infoArray.Length];
+            for(int i = 0; i < regionArray.Length; i++) {
+                void* baseAddress = infoArray[i].BaseAddress;
+                nuint size = infoArray[i].Size;
+                void* pointer = NativeMemory.Alloc(size);
+                Kernel32.ReadProcessMemory(_processHandle, baseAddress, pointer, size);
+                regionArray[i] = new(pointer, baseAddress, size);
+            }
+            return regionArray;
+        }
+
+        private void FreeRegionsCore(MemoryRegion[] regionArray) {
+            for(int i = 0; i < regionArray.Length; i++) {
+                NativeMemory.Free(regionArray[i].Pointer);
+            }
+        }
+
+        private ulong[] ScanRegionsCore(MemoryRegion[] regionArray, ulong value) {
+            List<ulong> list = new();
+
+            Parallel.For(0, regionArray.Length, i => {
+                MemoryRegion region = regionArray[i];
+                byte* start = (byte*)region.Pointer;
+                byte* end = start + region.Size;
+                if (_is32Bit) {
+                    for (byte* a = start; a < end; a += 4)
+                        if (*(uint*)a == value)
+                            lock (list) {
+                                ulong result = (ulong)region.BaseAddress + (ulong)(a - start);
+                                list.Add(result);
+                            }
+                } else {
+                    for (byte* a = start; a < end; a += 8)
+                        if (*(ulong*)a == value)
+                            lock (list) {
+                                ulong result = (ulong)region.BaseAddress + (ulong)(a - start);
+                                list.Add(result);
+                            }
+                }
+            });
+
+            return list.ToArray();
+        }
+
+        public void ScanTypes() {
+            ScannedTypes = ScanTypesCore();
+        }
+
+        public void ReadRegions() {
+            if(Regions is not null) {
+                FreeRegionsCore(Regions);
+            }
+
+            MemoryRegionInfo[] scannedRegions = ScanRegionInfoCore();
+            Regions = ReadRegionsCore(scannedRegions);
+        }
+
+        public ulong[] ScanRegions(ulong value) {
+            return ScanRegionsCore(Regions, value);
+        }
+
+        public void Dispose() {
+            if (Regions is not null) {
+                FreeRegionsCore(Regions);
+            }
+        }
+    }
+}