kernel32/VirtualQueryEx.ps1
|
function VirtualQueryEx { <# .SYNOPSIS Retrieves information about a range of pages within the virtual address space of a specified process. .PARAMETER ProcessHandle A handle to the process whose memory information is queried. The handle must have been opened with the PROCESS_QUERY_INFORMATION access right, which enables using the handle to read information from the process object. .PARAMETER BaseAddress The base address of the region of pages to be queried. This value is rounded down to the next page boundary. .NOTES Author: Jared Atkinson (@jaredcatkinson) License: BSD 3-Clause Required Dependencies: PSReflect, MEMORY_BASIC_INFORMATION (Structure), MEMORY_PROTECTION (Enumeration), MEMORY_STATE (Enumeration), MEMORY_TYPE (Enumeration) Optional Dependencies: None (func kernel32 VirtualQueryEx ([Int32]) @( [IntPtr], #_In_ HANDLE hProcess, [IntPtr], #_In_opt_ LPCVOID lpAddress, $MEMORY_BASIC_INFORMATION.MakeByRefType(), #_Out_ PMEMORY_BASIC_INFORMATION lpBuffer, [UInt32] #_In_ SIZE_T dwLength ) -EntryPoint VirtualQueryEx -SetLastError) .LINK https://msdn.microsoft.com/en-us/library/windows/desktop/aa366907(v=vs.85).aspx .EXAMPLE #> param ( [Parameter(Mandatory = $true)] [IntPtr] $ProcessHandle, [Parameter(Mandatory = $true)] [IntPtr] $BaseAddress ) $memory_basic_info = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION) $Success = $Kernel32::VirtualQueryEx($ProcessHandle, $BaseAddress, [Ref]$memory_basic_info, $MEMORY_BASIC_INFORMATION::GetSize()); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() if(-not $Success) { throw "VirtualQueryEx Error: $(([ComponentModel.Win32Exception] $LastError).Message)" } Write-Output $memory_basic_info } |