"""probe_iter3_fast.py Fast version: uses bytes.find() to locate vtable bytes in each region, then evaluates predicate only on those candidates.""" import ctypes, ctypes.wintypes as wt, sys, struct PROCESS_VM_READ = 0x10 PROCESS_QUERY_INFORMATION = 0x400 k = ctypes.windll.kernel32 k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)] k.ReadProcessMemory.restype = wt.BOOL k.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.c_void_p, ctypes.c_size_t] k.VirtualQueryEx.restype = ctypes.c_size_t class MBI(ctypes.Structure): _fields_ = [ ("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p), ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t), ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD), ] MEM_COMMIT = 0x1000 MEM_PRIVATE = 0x20000 CPHYS_VTABLE_BYTES = struct.pack(' len(data): break n_total += 1 parent = struct.unpack_from('= 0x80000000: break k.CloseHandle(h) print(f"pid {pid}: regions_scanned={region_scan} total_CPhysicsObj={n_total} iter-3-triple={n_triple}") print() print(f" {'bucket':45s} {'count':>6}") for label, count in buckets.items(): print(f" {label:45s} {count:>6}") print() print("Sample dumps (up to 3 per bucket):") for label, samples_list in samples.items(): if not samples_list: continue print(f" [{label}]") for obj_va, obj_id, state, transtate, movmgr, weenie in samples_list: print(f" @0x{obj_va:08x} id=0x{obj_id:08x} state=0x{state:08x} ts=0x{transtate:08x} movmgr=0x{movmgr:08x} weenie=0x{weenie:08x}")