Tags: .net, winapi, c#-2.0, readprocessmemory

What's the fastest way to ReadProcessMemory?


I'm trying to search for all instances of a null-terminated string in the memory of a process. I enumerated all the allocated memory areas with VirtualQueryEx, then I read them with ReadProcessMemory into a byte array and search using this algorithm (which I found here and whose author claims it to be the fastest)

    using System.Collections.Generic;

    // Naive byte-by-byte search; must be compiled with /unsafe.
    public static unsafe List<long> IndexesOf(byte[] Haystack, byte[] Needle) {
        List<long> Indexes = new List<long>();
        if (Needle.Length == 0 || Needle.Length > Haystack.Length) return Indexes;
        fixed (byte* H = Haystack) fixed (byte* N = Needle) {
            long i = 0;
            // Stop Needle.Length bytes before the end so the inner loop never reads past Haystack.
            for (byte* hNext = H, hEnd = H + Haystack.LongLength - Needle.LongLength; hNext <= hEnd; i++, hNext++) {
                bool Found = true;
                // Compare byte by byte; Found is updated after each comparison, so the loop
                // stops at the first mismatch or after the last byte of Needle.
                for (byte* hInc = hNext, nInc = N, nEnd = N + Needle.LongLength; Found && nInc < nEnd; Found = *nInc == *hInc, nInc++, hInc++) ;
                if (Found) Indexes.Add(i);
            }
            return Indexes;
        }
    }

It works, but it's too slow. Is there a way to memory map the process or somehow search faster in its memory?


Solution

  • From an external process, you pretty much have the correct approach. However, if you're looking for a string you probably don't care about certain regions (e.g. executable memory), so you can exclude them from your search region. Most likely you are really only interested in PAGE_READONLY and PAGE_READWRITE.

    You should read the memory in blocks as large as possible with ReadProcessMemory(). The main bottleneck will be disk I/O (from swapping) and there's not much you can do about that really. Multi-threading it will speed it up because then you'll be 'buffering a read' whilst processing the previous read.

    If you really need speed, the correct way to do it is not via an external process as you are doing right now. You should inject a DLL so you have direct access to the process' virtual memory space.

    In your search algorithm, you can also use little tricks. For example, if you know the string is always allocated on a 4-byte alignment then you can just search those offsets. The biggest speedup you'll get is from multi-threading and/or DLL injection.
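The external-process approach the answer describes, as an added example (this is not code from the question or the answer): walk the target's address space with VirtualQueryEx, keep only committed, readable, non-executable, non-guard regions, read each region in large blocks with ReadProcessMemory, and search the bytes with the vectorized Span<byte>.IndexOf instead of the byte-by-byte loop from the question. It assumes Windows, .NET Core 3.0 or later (for Span<byte>.IndexOf), a single-byte (ASCII) target string, and a target PID passed on the command line; the 64 MiB block size is an arbitrary choice.

```csharp
// Added example, not from the original page. Scans a target process for a
// null-terminated ASCII string from outside the process.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class MemoryScanner
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000;
    const uint PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04, PAGE_WRITECOPY = 0x08, PAGE_GUARD = 0x100;
    const int ChunkSize = 64 * 1024 * 1024; // read in large blocks, as the answer advises (arbitrary size)

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer,
        UIntPtr nSize, out UIntPtr lpNumberOfBytesRead);

    // Data pages only: committed, readable, not executable, and not guard pages
    // (a read of a guard page from outside fails anyway).
    static bool IsScannable(in MEMORY_BASIC_INFORMATION mbi)
    {
        if (mbi.State != MEM_COMMIT || (mbi.Protect & PAGE_GUARD) != 0) return false;
        uint prot = mbi.Protect & 0xFF; // drop PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits
        return prot == PAGE_READONLY || prot == PAGE_READWRITE || prot == PAGE_WRITECOPY;
    }

    // Report every (possibly overlapping) occurrence of needle in hay as an absolute address.
    static void ScanChunk(ReadOnlySpan<byte> hay, ReadOnlySpan<byte> needle, long chunkAddress, List<long> hits)
    {
        int start = 0;
        while (true)
        {
            int idx = hay.Slice(start).IndexOf(needle); // SIMD-accelerated in modern .NET
            if (idx < 0) return;
            hits.Add(chunkAddress + start + idx);
            start += idx + 1;
        }
    }

    // Find every occurrence of a null-terminated single-byte string in process pid.
    public static List<long> FindString(int pid, string value)
    {
        byte[] needle = Encoding.ASCII.GetBytes(value + "\0"); // assumption: ASCII string in the target
        var hits = new List<long>();
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) throw new Win32Exception();
        byte[] buffer = new byte[ChunkSize];
        UIntPtr mbiSize = (UIntPtr)(uint)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
        try
        {
            long address = 0;
            while (VirtualQueryEx(h, (IntPtr)address, out MEMORY_BASIC_INFORMATION mbi, mbiSize) != UIntPtr.Zero)
            {
                long regionBase = (long)mbi.BaseAddress, regionSize = (long)mbi.RegionSize;
                if (IsScannable(mbi))
                {
                    long offset = 0;
                    while (offset < regionSize)
                    {
                        int want = (int)Math.Min(ChunkSize, regionSize - offset);
                        // A failed or partial read (the region changed under us) is not fatal: scan what came back.
                        bool ok = ReadProcessMemory(h, (IntPtr)(regionBase + offset), buffer, (UIntPtr)(uint)want, out UIntPtr got);
                        int n = (int)(ulong)got;
                        if (n >= needle.Length) ScanChunk(buffer.AsSpan(0, n), needle, regionBase + offset, hits);
                        if (!ok || n == 0 || offset + n >= regionSize) break;
                        offset += Math.Max(1, n - (needle.Length - 1)); // overlap so a match spanning two blocks is not missed
                    }
                }
                long next = regionBase + regionSize;
                if (next <= address) break; // wrapped around the end of the address space
                address = next;
            }
        }
        finally { CloseHandle(h); }
        return hits;
    }

    public static void Main(string[] args)
    {
        foreach (long a in FindString(int.Parse(args[0]), args[1]))
            Console.WriteLine($"0x{a:X}");
    }
}
```

Build the scanner with the same bitness as the target (a 32-bit caller cannot address the upper part of a 64-bit target's space), and expect OpenProcess to fail on processes of other users or protected processes unless the caller holds SeDebugPrivilege. Reading live memory is inherently racy, which is why a failed read skips the region rather than aborting. The answer's multi-threading suggestion maps onto this structure directly: queue each scannable region to a worker and merge the per-region hit lists.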