Ejemplo n.º 1
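        /// <summary>
        /// Lists the modules named by the import directory of a PE image mapped into the current process.
        /// </summary>
        /// <param name="hModule">
        /// Base address of the mapped image. All address arithmetic below is 32-bit;
        /// <c>IntPtr.ToInt32</c> throws on a 64-bit pointer that does not fit.
        /// </param>
        /// <returns>
        /// One entry per import descriptor, with <c>szModule</c> set to the imported module's name and
        /// <c>modBaseAddr</c> set to the descriptor's <c>FirstThunk</c> value. An empty array is returned
        /// when the NT headers are unavailable or the image has no import directory.
        /// </returns>
        public static SModuleEntry32[] ListModule(IntPtr hModule)
        {
            FObjects <SModuleEntry32>  mes       = new FObjects <SModuleEntry32>();
            Nullable <SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);

            // Reading .Value on an empty Nullable throws InvalidOperationException,
            // so "no headers" is reported the same way as "no imports".
            if (!ntHeaders.HasValue)
            {
                return(mes.ToArray());
            }
            SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];

            if (idd.VirtualAddress == 0)
            {
                return(mes.ToArray());
            }
            // Import
            uint   maddress  = (uint)hModule.ToInt32();
            IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
            int    idSize    = Marshal.SizeOf(typeof(SImageImportDescriptor));

            // NOTE(review): the walk ends only at a descriptor whose Name is 0. Nothing here bounds it
            // by the import directory's declared extent, so a damaged or tampered image is read until
            // a zero is found or the read faults.
            while (true)
            {
                SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
                if (impDesc.Name == 0)
                {
                    break;
                }
                IntPtr namePtr = (IntPtr)(maddress + impDesc.Name);

                // PtrToStringAnsi(ptr, len) copies exactly len characters and does not stop at the
                // terminator, so cut the result at the first NUL to drop the bytes that follow the name.
                string rawName = Marshal.PtrToStringAnsi(namePtr, 260);
                int    nameEnd = rawName.IndexOf('\0');

                SModuleEntry32 me = new SModuleEntry32();
                me.modBaseAddr = impDesc.FirstThunk;
                me.szModule    = (nameEnd >= 0) ? rawName.Substring(0, nameEnd) : rawName;
                mes.Push(me);
                pIdHeader = (IntPtr)(pIdHeader.ToInt32() + idSize);
            }
            return(mes.ToArray());
        }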
Ejemplo n.º 2
        /// <summary>
        /// Rebuilds the import module list from the import directory of the PE file being parsed.
        /// </summary>
        /// <param name="file">Byte-level view of the PE file that descriptors and names are read from.</param>
        /// <returns>
        /// <c>false</c> when the import directory entry has a zero virtual address (the module list is
        /// still cleared); <c>true</c> once the descriptor table has been walked to its zero terminator.
        /// </returns>
        protected bool ReadOptionalImport(FByteFile file)
        {
            // The previous contents are discarded before anything is validated.
            FModuleInfoCollection importModules = _import.Modules;
            importModules.Clear();

            SImageDataDirectory importDir = _ntHeader.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
            if (importDir.VirtualAddress == 0)
            {
                return false;
            }

            int offset         = ConvertRva(importDir.VirtualAddress);
            int descriptorSize = Marshal.SizeOf(typeof(SImageImportDescriptor));

            // NOTE(review): every offset used here comes from the file itself, and the loop ends only
            // on a descriptor whose Name is 0. Whether GetStruct / GetString / ConvertRva reject
            // out-of-range positions is not visible from this method - confirm before feeding it
            // untrusted files.
            for (; ; offset += descriptorSize)
            {
                SImageImportDescriptor descriptor = (SImageImportDescriptor)file.GetStruct(offset, typeof(SImageImportDescriptor));
                if (descriptor.Name == 0)
                {
                    break;
                }

                FModuleInfo entry = new FModuleInfo
                {
                    NameAddress        = descriptor.Name,
                    Name               = file.GetString(ConvertRva(descriptor.Name)),
                    FirstThunk         = descriptor.FirstThunk,
                    OriginalFirstThunk = descriptor.OriginalFirstThunk
                };

                // Thunks are resolved before the module is published to the collection.
                ReadTrunks(file, entry);
                importModules.Push(entry);
            }

            return true;
        }
Ejemplo n.º 3
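        /// <summary>
        /// Enumerates the by-name imports of the first import descriptor of a PE image mapped into the
        /// current process, pairing each import's name with the address currently stored in its
        /// address-table slot and the memory-region details of that address.
        /// </summary>
        /// <param name="hModule">
        /// Base address of the mapped image. All address arithmetic below is 32-bit;
        /// <c>IntPtr.ToInt32</c> throws on a 64-bit pointer that does not fit.
        /// </param>
        /// <returns>
        /// The collected entries, or <c>null</c> when the NT headers are unavailable, the image has no
        /// import directory, the first descriptor is the terminator, or the descriptor carries no
        /// name table (<c>OriginalFirstThunk</c> is 0).
        /// </returns>
        public static FTrunkInfo[] FetchTrunks(IntPtr hModule)
        {
            Nullable <SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);

            // Reading .Value on an empty Nullable throws InvalidOperationException,
            // so "no headers" is reported the same way as "no imports".
            if (!ntHeaders.HasValue)
            {
                return(null);
            }
            SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];

            if (idd.VirtualAddress == 0)
            {
                return(null);
            }
            // Import: only the first descriptor is examined; later descriptors are not visited.
            uint   maddress  = (uint)hModule.ToInt32();
            IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
            SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));

            if (impDesc.Name == 0)
            {
                return(null);
            }
            // Without a name table the walk below would start at the image base and interpret the
            // image's own header bytes as thunks, so there is nothing meaningful to enumerate.
            if (impDesc.OriginalFirstThunk == 0)
            {
                return(null);
            }
            // Trunk: pOrgFt walks the name table, pFt walks the parallel address table.
            IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
            IntPtr pFt    = (IntPtr)(maddress + impDesc.FirstThunk);
            int    ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
            int    miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
            FObjects <FTrunkInfo> infos = new FObjects <FTrunkInfo>();

            while (true)
            {
                SImageThunkData32 origThunk = (SImageThunkData32)Marshal.PtrToStructure(pOrgFt, typeof(SImageThunkData32));
                SImageThunkData32 realThunk = (SImageThunkData32)Marshal.PtrToStructure(pFt, typeof(SImageThunkData32));
                if (origThunk.Function == 0)
                {
                    break;
                }
                // NOTE(review): an import by ordinal (high bit set) ends the enumeration instead of
                // being skipped, so entries that follow it are never reported - confirm this is
                // intended if the result is used to audit every slot.
                if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
                {
                    break;
                }
                // Read name
                IntPtr             pName  = (IntPtr)(maddress + origThunk.AddressOfData);
                SImageImportByName byName = (SImageImportByName)Marshal.PtrToStructure(pName, typeof(SImageImportByName));
                if (byName.Name[0] == 0)
                {
                    break;
                }
                // Read memory state of the address the slot currently points at (not of the slot
                // itself). The VirtualQuery result is not checked; on failure the Mem* fields
                // presumably keep their default values.
                SMemoryBasicInformation mbi = new SMemoryBasicInformation();
                RKernel32.VirtualQuery(realThunk.Function, ref mbi, miSize);
                // TrunkInfo
                FTrunkInfo info = new FTrunkInfo();
                info.Name                 = RAscii.GetString(byName.Name);
                info.Address              = origThunk.Function;
                info.Entry                = (IntPtr)realThunk.Function;
                info.Hint                 = byName.Hint;
                info.MemAllocationBase    = mbi.AllocationBase;
                info.MemAllocationProtect = mbi.AllocationProtect;
                info.MemBaseAddress       = mbi.BaseAddress;
                info.MemProtect           = mbi.Protect;
                info.MemRegionSize        = mbi.RegionSize;
                info.MemState             = mbi.State;
                info.MemType              = mbi.Type;
                infos.Push(info);
                // Advance both tables in lock-step.
                pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
                pFt    = (IntPtr)(pFt.ToInt32() + ftSize);
            }
            return(infos.ToArray());
        }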
Ejemplo n.º 4
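        /// <summary>
        /// Reads the DOS and NT headers of the module at <c>_handle</c> through <c>_process</c>, then
        /// collects the by-name imports of its first import descriptor into <c>_trunks</c>, recording
        /// for each one the address currently stored in its address-table slot, the slot's own
        /// location, and the memory-region details of the stored address.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the import walk ran; <c>false</c> when a header signature does not match,
        /// the import directory is absent, the first descriptor is the terminator, or the descriptor
        /// carries no name table (<c>OriginalFirstThunk</c> is 0). On the later failure paths
        /// <c>_dosHeader</c> / <c>_ntHeaders</c> have already been updated and <c>_trunks</c> is left
        /// as it was.
        /// </returns>
        public bool Open()
        {
            // NOTE(review): every structure below is read from the inspected process, so offsets such
            // as e_lfanew and the thunk RVAs are only as trustworthy as that process. Whether
            // ReadStructure reports a failed read is not visible here - confirm.
            // Dos header
            SImageDosHeader dosHeader = _process.ReadStructure <SImageDosHeader>(_handle);

            if (dosHeader.e_magic != (uint)EImageSignature.Dos)
            {
                return(false);
            }
            _dosHeader = dosHeader;
            // Nt header
            IntPtr          pNtHeader = (IntPtr)(_handle.ToInt32() + dosHeader.e_lfanew);
            SImageNtHeaders ntHeaders = _process.ReadStructure <SImageNtHeaders>(pNtHeader);

            if (ntHeaders.Signature != (uint)EImageSignature.Nt)
            {
                return(false);
            }
            _ntHeaders = ntHeaders;
            // Fetch trunks
            SImageDataDirectory idd = ntHeaders.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];

            if (idd.VirtualAddress == 0)
            {
                return(false);
            }
            // Import: only the first descriptor is examined; later descriptors are not visited.
            uint   maddress  = (uint)_handle.ToInt32();
            IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
            SImageImportDescriptor impDesc = _process.ReadStructure <SImageImportDescriptor>(pIdHeader);

            if (impDesc.Name == 0)
            {
                return(false);
            }
            // Without a name table the walk below would start at the module base and interpret the
            // module's own header bytes as thunks, so there is nothing meaningful to enumerate.
            if (impDesc.OriginalFirstThunk == 0)
            {
                return(false);
            }
            // Trunk: pOrgFt walks the name table, pFt walks the parallel address table.
            IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
            IntPtr pFt    = (IntPtr)(maddress + impDesc.FirstThunk);
            int    ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
            int    miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));

            _trunks = new FTrunkInfoCollection();
            while (true)
            {
                SImageThunkData32 origThunk = _process.ReadStructure <SImageThunkData32>(pOrgFt);
                SImageThunkData32 realThunk = _process.ReadStructure <SImageThunkData32>(pFt);
                if (origThunk.Function == 0)
                {
                    break;
                }
                // NOTE(review): an import by ordinal (high bit set) ends the enumeration instead of
                // being skipped, so entries that follow it are never recorded - confirm this is
                // intended if _trunks is used to audit every slot.
                if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
                {
                    break;
                }
                // Read name
                IntPtr             pName  = (IntPtr)(maddress + origThunk.AddressOfData);
                SImageImportByName byName = _process.ReadStructure <SImageImportByName>(pName);
                if (byName.Name[0] == 0)
                {
                    break;
                }
                // Read memory state of the address the slot currently points at (not of the slot
                // itself). The VirtualQueryEx result is not checked; on failure the Mem* fields
                // presumably keep their default values.
                SMemoryBasicInformation mbi = new SMemoryBasicInformation();
                RKernel32.VirtualQueryEx(_process.Handle, realThunk.Function, ref mbi, miSize);
                // TrunkInfo
                FTrunkInfo trunk = new FTrunkInfo();
                trunk.Name                 = RAscii.GetString(byName.Name);
                trunk.Address              = origThunk.Function;
                trunk.Entry                = (IntPtr)realThunk.Function;
                trunk.EntryPtr             = pFt;
                trunk.Hint                 = byName.Hint;
                trunk.MemAllocationBase    = mbi.AllocationBase;
                trunk.MemAllocationProtect = mbi.AllocationProtect;
                trunk.MemBaseAddress       = mbi.BaseAddress;
                trunk.MemProtect           = mbi.Protect;
                trunk.MemRegionSize        = mbi.RegionSize;
                trunk.MemState             = mbi.State;
                trunk.MemType              = mbi.Type;
                _trunks.Push(trunk);
                // Advance both tables in lock-step.
                pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
                pFt    = (IntPtr)(pFt.ToInt32() + ftSize);
            }
            return(true);
        }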