/// <summary>
/// Console entry point. Walks every module reported by <c>Module32.EnumModules</c> for the
/// current process, collects the entries reported by <c>Module32.EnumFunctions</c> for that
/// module, and prints one line per entry (module handle, module name, function address,
/// function name, ordinal). Waits for a key press before exiting.
/// </summary>
/// <param name="args">Command-line arguments; not read by this method.</param>
static void Main(string[] args)
{
    // Projecting an empty sequence only serves to give the list its anonymous element type.
    var exports = Enumerable.Empty<int>()
        .Select(dummy => new
        {
            moduleHandle = default(IntPtr),
            moduleName = default(string),
            pFunction = default(IntPtr),
            functionName = default(string),
            ordinal = default(short)
        })
        .ToList();

    Module32.EnumModules(Process32.GetCurrentProcessId(), (IntPtr hModule, string name, string filePath) =>
    {
        // The list is reused across modules, so it only ever holds one module's entries.
        exports.Clear();

        Module32.EnumFunctions(Process32.GetCurrentProcessId(), hModule, (IntPtr address, string exportName, short exportOrdinal) =>
        {
            exports.Add(new
            {
                moduleHandle = hModule,
                moduleName = name,
                pFunction = address,
                functionName = exportName,
                ordinal = exportOrdinal
            });

            // Presumably "true" asks the enumerator to keep going - confirm against Module32.
            return true;
        });

        // NOTE(review): every entry collected above carries the same moduleName, so this stable
        // sort cannot change the order. Sorting by functionName may have been intended - confirm.
        var sorted = exports.OrderBy(entry => entry.moduleName).ToList();

        foreach (var entry in sorted)
        {
            Console.WriteLine($"MH:{entry.moduleHandle.ToString("X16")} MN:{entry.moduleName} PF:{entry.pFunction.ToString("X16")} FN:{entry.functionName} OD:{entry.ordinal.ToString()}");
        }

        return true;
    });

    // Keep the console window open until the user presses a key.
    Console.ReadKey();
}
/// <summary>
/// Factory that builds the <see cref="IDumper"/> implementation selected by
/// <paramref name="dumperCore"/> for the process identified by <paramref name="processId"/>.
/// </summary>
/// <param name="processId">Process identifier handed to the chosen dumper's constructor.</param>
/// <param name="dumperCore">Selects which dumper implementation is created.</param>
/// <returns>A new dumper instance bound to <paramref name="processId"/>.</returns>
/// <exception cref="Win32Exception">
/// <c>Process32.Is64BitProcess</c> returned false while resolving <c>DumperCore.MegaDumper</c>.
/// </exception>
/// <exception cref="NotImplementedException"><c>DumperCore.ProfDumper</c> was requested.</exception>
/// <exception cref="InvalidEnumArgumentException">
/// <paramref name="dumperCore"/> is not one of the values handled here.
/// </exception>
public static IDumper GetDumper(uint processId, DumperCore dumperCore)
{
    if (dumperCore == DumperCore.MegaDumper)
    {
        // MegaDumper has separate 32-bit and 64-bit implementations, so the target's
        // bitness has to be known before one can be picked.
        bool targetIs64Bit;
        if (!Process32.Is64BitProcess(processId, out targetIs64Bit))
        {
            // Parameterless Win32Exception picks up the last Win32 error code.
            throw new Win32Exception();
        }

        if (targetIs64Bit)
        {
            return new MegaDumper64(processId);
        }

        return new MegaDumper32(processId);
    }

    if (dumperCore == DumperCore.PassiveDumper)
    {
        return new PassiveDumper(processId);
    }

    if (dumperCore == DumperCore.DbgDumper)
    {
        return new DbgDumper(processId);
    }

    if (dumperCore == DumperCore.ProfDumper)
    {
        // Declared in the enum but has no implementation yet.
        throw new NotImplementedException();
    }

    if (dumperCore == DumperCore.InjectingDumper)
    {
        return new DumperInjector(processId);
    }

    throw new InvalidEnumArgumentException();
}
/// <summary>
/// Click handler for the "require administrator" menu item. Forwards this window's handle
/// to <c>Process32.SelfElevate</c>; anything that call returns is discarded.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Event data; not used.</param>
private void mnuRequireAdministrator_Click(object sender, EventArgs e)
{
    // Presumably restarts the tool with elevated rights - confirm against Process32.SelfElevate.
    Process32.SelfElevate(Handle);
}
/// <summary>
/// Rebuilds the process list view. For every process id returned by
/// <c>Process32.GetAllProcessIds</c> a Toolhelp module snapshot is taken; the first module
/// supplies the row's name and path, and the remaining modules are scanned for a CLR runtime
/// DLL to mark the row as a .NET process. On a 64-bit OS, rows whose image is not 64-bit get
/// a " (32 位)" suffix. Rows are filtered by the "only .NET processes" menu check state.
/// </summary>
private void RefreshProcessList()
{
    // Query scroll bar information for the list view (0xFFFFFFFA is OBJID_HSCROLL).
    // The value written into scrollInfo is not read anywhere else in this method.
    SCROLLBARINFO scrollInfo = new SCROLLBARINFO();
    scrollInfo.cbSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(SCROLLBARINFO));
    GetScrollBarInfo(lvwProcesses.Handle, unchecked((int)0xFFFFFFFA), ref scrollInfo);

    lvwProcesses.Items.Clear();

    uint[] allProcessIds = Process32.GetAllProcessIds();
    if (allProcessIds == null)
    {
        return;
    }

    // One entry structure is initialised once and reused for every snapshot.
    MODULEENTRY32 entry = MODULEENTRY32.Default;
    bool pe64;

    foreach (uint pid in allProcessIds)
    {
        if (pid == 0)
        {
            continue;
        }

        // Processes whose modules cannot be snapshotted are skipped rather than listed.
        // NOTE(review): the snapshot handle is never closed in this method, on any path, so
        // each refresh appears to leak one handle per process that was opened - confirm and
        // release it if nothing else does.
        IntPtr snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
        if (snapshot == INVALID_HANDLE_VALUE)
        {
            continue;
        }

        if (!Module32First(snapshot, ref entry))
        {
            continue;
        }

        // The first module provides the row: name, pid, image path.
        ListViewItem row = new ListViewItem(entry.szModule);
        row.SubItems.Add(pid.ToString());
        row.SubItems.Add(entry.szExePath);

        bool hasClr = false;
        while (Module32Next(snapshot, ref entry))
        {
            string upperName = entry.szModule.ToUpperInvariant();
            bool isClrModule = upperName == "MSCORJIT.DLL"
                || upperName == "MSCOREE.DLL"
                || upperName == "MSCORWKS.DLL"
                || upperName == "CLR.DLL"
                || upperName == "CLRJIT.DLL";
            if (!isClrModule)
            {
                continue;
            }

            row.BackColor = Cache.DotNetColor;
            hasClr = true;

            // Bitness is read from the runtime module's own file here, not from the row's path.
            if (Cache.Is64BitOperatingSystem)
            {
                if (Is64BitPE(entry.szExePath, out pe64) && !pe64)
                {
                    row.Text += " (32 位)";
                }
            }

            // The first runtime module found is enough; stop scanning this process.
            break;
        }

        // Rows without a runtime module take their bitness from the image path in column 2.
        if (Cache.Is64BitOperatingSystem && !hasClr)
        {
            if (Is64BitPE(row.SubItems[2].Text, out pe64) && !pe64)
            {
                row.Text += " (32 位)";
            }
        }

        bool hiddenByFilter = mnuOnlyDotNetProcess.Checked && !hasClr;
        if (!hiddenByFilter)
        {
            lvwProcesses.Items.Add(row);
        }
    }

    lvwProcesses.AutoResizeColumns(false);
}