Added heap sections and faster lookup.

Author: KN4CK3R

Memory/NodeDissector.cs

@@ -116,18 +116,18 @@ private static Type GuessPointerType(IntPtr address, MemoryBuffer memory)
 			var section = memory.Process.GetSectionToPointer(address);
 			if (section != null) // If the address points to a section it's valid memory.
 			{
-				if (section.Category == RemoteProcess.SectionCategory.Code) // If the section contains code, it should be a function pointer.
+				if (section.Category == RemoteProcess.SectionCategory.CODE) // If the section contains code, it should be a function pointer.
 				{
 					return typeof(FunctionPtrNode);
 				}
-				else if (section.Category == RemoteProcess.SectionCategory.Data) // If the section contains data, it is at least a pointer to a class or something.
+				else if (section.Category == RemoteProcess.SectionCategory.DATA) // If the section contains data, it is at least a pointer to a class or something.
 				{
 					// Check if it is a vtable. Check if the first 3 values are pointers to a code section.
 					bool valid = true;
 					for (var i = 0; i < 3; ++i)
 					{
 						var pointee = memory.Process.ReadRemoteObject<IntPtr>(address);
-						if (memory.Process.GetSectionToPointer(pointee)?.Category != RemoteProcess.SectionCategory.Code)
+						if (memory.Process.GetSectionToPointer(pointee)?.Category != RemoteProcess.SectionCategory.CODE)
 						{
 							valid = false;
 							break;

Memory/RemoteProcess.cs

@@ -41,8 +41,8 @@ public class Module
 		public enum SectionCategory
 		{
 			Unknown,
-			Code,
-			Data
+			CODE,
+			DATA
 		}
 
 		public class Section
@@ -377,20 +377,15 @@ public Section GetSectionToPointer(IntPtr address)
 		{
 			lock (sections)
 			{
-				return sections
-					.Where(s => s.Category != SectionCategory.Unknown)
-					.Where(s => address.InRange(s.Start, s.End))
-					.FirstOrDefault();
+				return sections.BinaryFind(s => address.CompareToRange(s.Start, s.End));
 			}
 		}
 
 		public Module GetModuleToPointer(IntPtr address)
 		{
 			lock (modules)
 			{
-				return modules
-					.Where(m => address.InRange(m.Start, m.End))
-					.FirstOrDefault();
+				return modules.BinaryFind(m => address.CompareToRange(m.Start, m.End));
 			}
 		}
 
@@ -412,7 +407,14 @@ public string GetNamedAddress(IntPtr address)
 			var section = GetSectionToPointer(address);
 			if (section != null)
 			{
-				return $"<{section.Category}>{section.ModuleName}.{address.ToString("X")}";
+				if (section.Category != SectionCategory.Unknown)
+				{
+					return $"<{section.Category}>{section.ModuleName}.{address.ToString("X")}";
+				}
+				else if (section.Type == NativeMethods.TypeEnum.MEM_PRIVATE)
+				{
+					return $"<HEAP>{address.ToString("X")}";
+				}
 			}
 			var module = GetModuleToPointer(address);
 			if (module != null)
@@ -470,13 +472,13 @@ public Task UpdateProcessInformationsAsync()
 						{
 							case ".text":
 							case "code":
-								section.Category = SectionCategory.Code;
+								section.Category = SectionCategory.CODE;
 								break;
 							case ".data":
 							case "data":
 							case ".rdata":
 							case ".idata":
-								section.Category = SectionCategory.Data;
+								section.Category = SectionCategory.DATA;
 								break;
 						}
 						newSections.Add(section);
@@ -493,6 +495,9 @@ public Task UpdateProcessInformationsAsync()
 					}
 				);
 
+				newModules.Sort((m1, m2) => m1.Start.CompareTo(m2.Start));
+				newSections.Sort((s1, s2) => s1.Start.CompareTo(s2.Start));
+
 				lock (modules)
 				{
 					modules.Clear();

NativeHelper/dllmain.cpp

@@ -213,32 +213,23 @@ EXTERN_DLL_EXPORT VOID __stdcall EnumerateRemoteSectionsAndModules(HANDLE proces
 	};
 	std::vector<SectionInfo> sections;
 
-	SYSTEM_INFO sysInfo;
-	GetSystemInfo(&sysInfo);
-
-	MEMORY_BASIC_INFORMATION memInfo;
-	size_t address = (size_t)sysInfo.lpMinimumApplicationAddress;
-	while (address < (size_t)sysInfo.lpMaximumApplicationAddress)
+	MEMORY_BASIC_INFORMATION memInfo = { 0 };
+	memInfo.RegionSize = 0x1000;
+	size_t address = 0;
+	while (VirtualQueryEx(process, (LPCVOID)address, &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0 && address + memInfo.RegionSize > address)
 	{
-		if (VirtualQueryEx(process, (LPCVOID)address, &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0)
-		{
-			if (memInfo.State == MEM_COMMIT /*&& memInfo.Type == MEM_PRIVATE*/)
-			{
-				SectionInfo section = {};
-				section.BaseAddress = memInfo.BaseAddress;
-				section.RegionSize = memInfo.RegionSize;
-				section.State = memInfo.State;
-				section.Protection = memInfo.Protect;
-				section.Type = memInfo.Type;
-
-				sections.push_back(std::move(section));
-			}
-			address = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
-		}
-		else
+		if (memInfo.State == MEM_COMMIT)
 		{
-			address += 1024;
+			SectionInfo section = {};
+			section.BaseAddress = memInfo.BaseAddress;
+			section.RegionSize = memInfo.RegionSize;
+			section.State = memInfo.State;
+			section.Protection = memInfo.Protect;
+			section.Type = memInfo.Type;
+
+			sections.push_back(std::move(section));
 		}
+		address = (size_t)memInfo.BaseAddress + memInfo.RegionSize;
 	}
 
 	auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(process));

Util/Extensions.cs

@@ -129,6 +129,26 @@ public static bool InRange(this IntPtr address, IntPtr start, IntPtr end)
 #endif
 		}
 
+		[Pure]
+		public static int CompareTo(this IntPtr lhs, IntPtr rhs)
+		{
+#if WIN64
+			return ((ulong)lhs.ToInt64()).CompareTo((ulong)rhs.ToInt64());
+#else
+			return ((uint)lhs.ToInt32()).CompareTo((uint)rhs.ToInt32());
+#endif
+		}
+
+		[Pure]
+		public static int CompareToRange(this IntPtr address, IntPtr start, IntPtr end)
+		{
+			if (InRange(address, start, end))
+			{
+				return 0;
+			}
+			return CompareTo(address, start);
+		}
+
 		#endregion
 
 		#region String
@@ -259,6 +279,36 @@ public static bool IsNearlyEqual(this double val, double other, double epsilon)
 
 		#endregion
 
+		#region List
+
+		public static T BinaryFind<T>(this IList<T> tf, Func<T, int> comparer)
+		{
+			var lo = 0;
+			var hi = tf.Count - 1;
+
+			while (lo <= hi)
+			{
+				var median = lo + (hi - lo >> 1);
+				var num = comparer(tf[median]);
+				if (num == 0)
+				{
+					return tf[median];
+				}
+				if (num > 0)
+				{
+					lo = median + 1;
+				}
+				else
+				{
+					hi = median - 1;
+				}
+			}
+
+			return default(T);
+		}
+
+		#endregion
+
 		#region Linq
 
 		[DebuggerStepThrough]