VirtualQueryEx and ReadProcessMemory - Why does this code work so slowly?

Hello
I would greatly appreciate any help regarding this.
This code works fine but it takes about 10 minutes to search through all processes, which is too slow. It should not take more than a minute.
#include <windows.h>
#include <tchar.h>
#include <regex>
#include <string>

// hProcess and szProcessName come from the enclosing process-enumeration loop (not shown).
unsigned char *p = NULL;
MEMORY_BASIC_INFORMATION info;
// Compile the pattern once, outside the region loop. The original "\b" and "\." were
// single-escaped, so the C++ compiler turned them into a backspace and a bare '.' before
// the regex engine ever saw them. icase lets lowercase addresses match as well.
std::regex rx("\\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,4}\\b", std::regex::icase);
for (p = NULL; VirtualQueryEx(hProcess, p, &info, sizeof(info)) == sizeof(info); p += info.RegionSize)
{
    if (info.State == MEM_COMMIT && (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
    {
        // PAGE_GUARD and PAGE_NOCACHE are modifier bits, so test them with '&';
        // the '==' comparison never matched e.g. PAGE_READWRITE | PAGE_GUARD.
        if ((info.Protect & (PAGE_GUARD | PAGE_NOCACHE | PAGE_NOACCESS)) == 0)
        {
            SIZE_T bytes_read = 0;   // ReadProcessMemory writes a SIZE_T, not a DWORD
            std::string buffer;
            buffer.resize(info.RegionSize);
            // A failed call leaves bytes_read at 0, so the buffer simply becomes empty.
            ReadProcessMemory(hProcess, p, &buffer[0], info.RegionSize, &bytes_read);
            buffer.resize(bytes_read);

            std::sregex_token_iterator mail2ter(buffer.begin(), buffer.end(), rx, 0);
            std::sregex_token_iterator end;
            for (; mail2ter != end; ++mail2ter)
            {
                // *mail2ter is a sub_match, not a C string; %hs prints a narrow string
                // even when the project is built with UNICODE.
                _tprintf(TEXT("Process %s Mail %hs\n"), szProcessName, mail2ter->str().c_str());
            }
        }
    }
}

It works very slowly, but I'm not sure why; maybe it's because I call ReadProcessMemory for every block. Any idea would help a lot!
> It works very slowly, but I'm not sure why; maybe it's because I call ReadProcessMemory for every block.

Yes.

If we try to read every block in the virtual address space of another process, a lot of the pages that we want would be pages that have been paged out. To satisfy the request, the kernel would have to put the thread into a wait state and read the data from the paging/mapped file into that process's address space before it can copy those pages into our address space. To make space for these pages, other pages which are in the working set of that process may have to be paged out first (and we could be asking for those pages to be copied into our address space next).

It will be slow.
Is there any way to make it work faster?
> Is there any way to make it work faster?

By not looking at every block of memory? Only those blocks which may contain the information of interest.

I'm sure that a kernel mode driver which has access to MDLs could be gainfully employed. However, my knowledge about anything after NT 4.1 is very sketchy, woefully inadequate.
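A sketch of the two changes the replies point at, reading only regions that can actually hold readable data and not paying for a whole-region allocation plus a freshly built regex on every region, as an added example that is not code from this thread. It assumes a read callback standing in for ReadProcessMemory and mirrors the MEMORY_BASIC_INFORMATION fields and winnt.h flag values locally so the logic compiles and runs without the Windows headers; the sample memory image is constructed.

```cpp
// Added example (not the original poster's code): a readable-region filter plus a
// chunked, overlap-aware scanner. Windows headers are not needed: the few
// MEMORY_BASIC_INFORMATION fields and flag values used are mirrored from winnt.h,
// and the read step is a callback that would wrap ReadProcessMemory on Windows.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <regex>
#include <string>
#include <vector>

// Flag values as defined in winnt.h.
const uint32_t kMemCommit    = 0x1000;
const uint32_t kMemPrivate   = 0x20000;
const uint32_t kMemMapped    = 0x40000;
const uint32_t kPageNoAccess = 0x01;
const uint32_t kPageExecute  = 0x10;
const uint32_t kPageGuard    = 0x100;
const uint32_t kPageNoCache  = 0x200;

struct RegionInfo {   // the subset of MEMORY_BASIC_INFORMATION the filter needs
    uint32_t state;
    uint32_t type;
    uint32_t protect;
};

// Is this region worth a ReadProcessMemory call at all? PAGE_GUARD and PAGE_NOCACHE
// are modifier bits, so they are tested with '&'; comparing Protect with '=='
// never sees PAGE_GUARD when it is combined with PAGE_READWRITE.
bool shouldScanRegion(const RegionInfo& r) {
    if (r.state != kMemCommit) return false;                         // free or reserved: nothing to read
    if (r.type != kMemPrivate && r.type != kMemMapped) return false; // skip MEM_IMAGE (loaded modules)
    if (r.protect & (kPageNoAccess | kPageGuard | kPageNoCache)) return false;
    if ((r.protect & 0xff) == kPageExecute) return false;            // low byte is the base protection; execute-only is unreadable
    return true;
}

// On Windows this callback would call ReadProcessMemory(hProcess, base + offset,
// dst, len, &got) and return got (0 on failure). Abstracting it lets the scanner
// run against a constructed buffer.
typedef std::function<size_t(size_t offset, char* dst, size_t len)> ReadFn;

// Scan one region in fixed-size chunks with a regex compiled once by the caller.
// The last 'overlap' bytes of each chunk are carried into the next so a match that
// straddles a chunk boundary is still found; only matches ending in new data are
// reported, so nothing is reported twice. 'overlap' must exceed the longest match
// you care about.
std::vector<std::string> scanRegion(const ReadFn& read, size_t regionSize,
                                    const std::regex& rx,
                                    size_t chunkSize, size_t overlap) {
    std::vector<std::string> found;
    std::string carry;   // tail of the previous chunk
    std::string buf;
    for (size_t off = 0; off < regionSize; off += chunkSize) {
        size_t want = std::min(chunkSize, regionSize - off);
        buf.assign(want, '\0');
        size_t got = read(off, &buf[0], want);
        if (got == 0) break;            // read failed: give up on this region
        buf.resize(got);
        std::string window = carry + buf;
        for (std::sregex_iterator it(window.begin(), window.end(), rx), end; it != end; ++it) {
            size_t matchEnd = static_cast<size_t>(it->position() + it->length());
            if (matchEnd > carry.size())  // matches ending inside 'carry' were already reported
                found.push_back(it->str());
        }
        size_t keep = std::min(overlap, window.size());
        carry.assign(window, window.size() - keep, keep);
        if (got < want) break;          // short read: the rest of the region is not readable
    }
    return found;
}

// Constructed sample "process memory": zero bytes with two addresses placed so the
// second one straddles the 2048-byte chunk boundary, plus a non-match.
std::vector<std::string> demoScan() {
    std::string image(4096, '\0');
    image.replace(1000, 17, "alice@example.com");
    image.replace(2040, 26, "Bob.Smith@corp.example.org");
    image.replace(3000, 15, "admin@localhost");   // no dotted TLD: must not match
    ReadFn fakeRead = [&image](size_t off, char* dst, size_t len) -> size_t {
        if (off >= image.size()) return 0;
        size_t n = std::min(len, image.size() - off);
        std::copy(image.begin() + off, image.begin() + off + n, dst);
        return n;
    };
    // The poster's pattern, compiled once, with icase so lowercase addresses match
    // and '-' moved to the front of each class so it is unambiguously literal.
    std::regex rx("\\b[-A-Z0-9._%+]+@[-A-Z0-9.]+\\.[A-Z]{2,4}\\b", std::regex::icase);
    return scanRegion(fakeRead, image.size(), rx, 2048, 256);
}

int main() {
    for (const std::string& m : demoScan()) std::printf("Mail %s\n", m.c_str());
    return 0;
}
```

On a real target the loop around scanRegion is the VirtualQueryEx walk from the question, calling shouldScanRegion on each MEMORY_BASIC_INFORMATION before reading; with a fixed chunk size the working buffer is allocated once instead of once per region, and the regex is built once instead of once per region.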
Thanks for the suggestion though.
Can you post the complete code?