public int DumpProcState(int pid, string filename)
{
AllocConsole();
//查找进程相关的所有线程
System.Diagnostics.Process process = System.Diagnostics.Process.GetProcessById(pid);
System.Diagnostics.ProcessThread[] processthread = new System.Diagnostics.ProcessThread[500];
System.Diagnostics.ProcessThreadCollection threadcollection = new System.Diagnostics.ProcessThreadCollection(processthread);
threadcollection = process.Threads;
int count = threadcollection.Count;
CONTEXT[] context = new CONTEXT[count];
//间文件流
System.IO.FileStream stream = null;
stream = new System.IO.FileStream(filename, System.IO.FileMode.Create);
string procdescription = process.MainModule.FileName;
char[] description = procdescription.ToCharArray();
byte[] bytedescription = new byte[procdescription.Length];
for (int j = 0; j < procdescription.Length; j++)
{
bytedescription[j] = Convert.ToByte(description[j]);
}
byte[] descriptioncount = new byte[1];
descriptioncount[0] = Convert.ToByte(procdescription.Length);
//写入exe文件路径的长度
stream.Write(descriptioncount, 0, descriptioncount.Length);
//写入exe文件路径
stream.Write(bytedescription, 0, bytedescription.Length);
byte[] bytecount = new byte[1];
bytecount[0] = Convert.ToByte(count);
//写入线程数
stream.Write(bytecount, 0, bytecount.Length);
//挂起所有线程
for (int ii = 0; ii < count; ii++)
{
IntPtr ptr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[ii].Id);
SuspendThread(ptr);
CloseHandle(ptr);
}
for (int i = 0; i < count; i++)
{
context[i].ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL;
IntPtr hThread = OpenThread(ThreadAccess.GET_CONTEXT, false, (uint)(threadcollection[i].Id));
Console.WriteLine(hThread);
string stringhandle = Convert.ToString(hThread);
char[] charhandle = stringhandle.ToCharArray();
byte[] byteahandle = new byte[stringhandle.Length+1];
byteahandle[0] = Convert.ToByte(stringhandle.Length);
for (int bi = 0; bi < stringhandle.Length; bi++)
{
byteahandle[bi + 1] = Convert.ToByte(charhandle[bi]);
}
//写入线程句柄
stream.Write(byteahandle, 0, byteahandle.Length);
if (GetThreadContext(hThread, ref context[i]))
{
Console.WriteLine("Ebp : {0}", context[i].Ebp);
Console.WriteLine("Eip : {0}", context[i].Eip);
Console.WriteLine("SegCs : {0}", context[i].SegCs);
Console.WriteLine("EFlags : {0}", context[i].EFlags);
Console.WriteLine("Esp : {0}", context[i].Esp);
Console.WriteLine("SegSs : {0}", context[i].SegSs);
byte[] bydata = Serialize(context[i]);
//写入上写文
stream.Write(bydata, 0, bydata.Length);
}
else
{
Console.WriteLine("A problem occurred!");
}
CloseHandle(hThread);
}
stream.Close();
Console.WriteLine("read over!");
//dump内存
DumpProcMemory(pid, filename);
//恢复线程
for (int iii = 0; iii < count; iii++)
{
IntPtr ptrr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[iii].Id);
ResumeThread(ptrr);
CloseHandle(ptrr);
}
return 0;
}
public int ResumeProcState(int pid, string filename)
{
AllocConsole();
//建文件流
System.IO.FileStream stream = null;
stream = new System.IO.FileStream(filename, System.IO.FileMode.Open);
byte[] descriptioncount = new byte[1];
//读出exe文件路径长度
stream.Read(descriptioncount, 0, descriptioncount.Length);
int descount = Convert.ToInt32(descriptioncount[0]);
char[] procdescription = new char[descount];
byte[] bytedescription = new byte[descount];
//读出exe文件路径
stream.Read(bytedescription, 0, bytedescription.Length);
for (int j = 0; j < descount; j++)
{
procdescription[j] = Convert.ToChar(bytedescription[j]);
}
string description = new string(procdescription);
//新建进程
SECURITY_ATTRIBUTES process = new SECURITY_ATTRIBUTES();
SECURITY_ATTRIBUTES thread = new SECURITY_ATTRIBUTES();
STARTUPINFO info = new STARTUPINFO();
PROCESS_INFORMATION proinfo = new PROCESS_INFORMATION();
if (CreateProcess(
null,
description,
ref process,
ref thread,
false,
(uint)CreateProcessFlags.NORMAL_PRIORITY_CLASS,
(IntPtr)null,
null,
ref info,
out proinfo))
{
IntPtr prohandle = proinfo.hProcess;
IntPtr thrhandle = proinfo.hThread;
System.Threading.Thread.Sleep(5000);
SuspendThread(thrhandle);
//打印信息
CONTEXT tt = new CONTEXT();
tt.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL;
GetThreadContext(thrhandle, ref tt);
Console.WriteLine(thrhandle);
Console.WriteLine("Ebp : {0}", tt.Ebp);
Console.WriteLine("Eip : {0}", tt.Eip);
Console.WriteLine("SegCs : {0}", tt.SegCs);
Console.WriteLine("EFlags : {0}", tt.EFlags);
Console.WriteLine("Esp : {0}", tt.Esp);
Console.WriteLine("SegSs : {0}", tt.SegSs);
Console.WriteLine("Dr0 : {0}", tt.Dr0);
Console.WriteLine("Dr1 : {0}", tt.Dr1);
Console.WriteLine("Dr2 : {0}", tt.Dr2);
Console.WriteLine("Dr3 : {0}", tt.Dr3);
Console.WriteLine("Dr6 : {0}", tt.Dr6);
Console.WriteLine("Dr7 : {0}", tt.Dr7);
Console.WriteLine("SegGs : {0}", tt.SegGs);
Console.WriteLine("SegFs : {0}", tt.SegFs);
Console.WriteLine("Seges : {0}", tt.SegEs);
Console.WriteLine("SegDs : {0}", tt.SegDs);
Console.WriteLine("Edi : {0}", tt.Edi);
Console.WriteLine("Esi : {0}", tt.Esi);
Console.WriteLine("Ebx : {0}", tt.Ebx);
Console.WriteLine("Edx : {0}", tt.Edx);
Console.WriteLine("Ecx : {0}", tt.Ecx);
Console.WriteLine("Eax : {0}", tt.Eax);
ResumeThread(thrhandle);
System.Threading.Thread.Sleep(5000);
SuspendThread(thrhandle);
CONTEXT ttt = new CONTEXT();
ttt.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL;
GetThreadContext(thrhandle, ref ttt);
Console.WriteLine(thrhandle);
Console.WriteLine("Ebp : {0}", ttt.Ebp);
Console.WriteLine("Eip : {0}", ttt.Eip);
Console.WriteLine("SegCs : {0}", ttt.SegCs);
Console.WriteLine("EFlags : {0}", ttt.EFlags);
Console.WriteLine("Esp : {0}", ttt.Esp);
Console.WriteLine("SegSs : {0}", ttt.SegSs);
Console.WriteLine("Dr0 : {0}", ttt.Dr0);
Console.WriteLine("Dr1 : {0}", ttt.Dr1);
Console.WriteLine("Dr2 : {0}", ttt.Dr2);
Console.WriteLine("Dr3 : {0}", ttt.Dr3);
Console.WriteLine("Dr6 : {0}", ttt.Dr6);
Console.WriteLine("Dr7 : {0}", ttt.Dr7);
Console.WriteLine("SegGs : {0}", ttt.SegGs);
Console.WriteLine("SegFs : {0}", ttt.SegFs);
Console.WriteLine("Seges : {0}", ttt.SegEs);
Console.WriteLine("SegDs : {0}", ttt.SegDs);
Console.WriteLine("Edi : {0}", ttt.Edi);
Console.WriteLine("Esi : {0}", ttt.Esi);
Console.WriteLine("Ebx : {0}", ttt.Ebx);
Console.WriteLine("Edx : {0}", ttt.Edx);
Console.WriteLine("Ecx : {0}", ttt.Ecx);
Console.WriteLine("Eax : {0}", ttt.Eax);
//读取线程数
byte[] bytecount = new byte[1];
stream.Read(bytecount, 0, bytecount.Length);
int count = Convert.ToInt32(bytecount[0]);
int threadid = proinfo.dwThreadId;
CONTEXT[] context = new CONTEXT[count];
for (int i = 0; i < count; i++)
{
//读取原先的线程句柄
byte[] byteAgohandlecount = new byte[1];
stream.Read(byteAgohandlecount, 0, byteAgohandlecount.Length);
int Agohandlecount = Convert.ToInt32(byteAgohandlecount[0]);
Console.WriteLine(Agohandlecount);
byte[] byteAgohandle = new byte[Agohandlecount];
stream.Read(byteAgohandle, 0, byteAgohandle.Length);
char[] charAgohandle = new char[Agohandlecount];
for (int bi = 0; bi < Agohandlecount; bi++)
{
charAgohandle[bi] = Convert.ToChar(byteAgohandle[bi]);
}
string stringAgohandle = new string(charAgohandle);
IntPtr Agohandle = (IntPtr)Convert.ToInt32(stringAgohandle);
Console.WriteLine(Agohandle);
//读上下文
byte[] bydata = new byte[Marshal.SizeOf(context[i])];
stream.Read(bydata, 0, bydata.Length);
context[i] = Deserialize(bydata);
Console.WriteLine("Ebp : {0}", context[i].Ebp);
Console.WriteLine("Eip : {0}", context[i].Eip);
Console.WriteLine("SegCs : {0}", context[i].SegCs);
Console.WriteLine("EFlags : {0}", context[i].EFlags);
Console.WriteLine("Esp : {0}", context[i].Esp);
Console.WriteLine("SegSs : {0}", context[i].SegSs);
Console.WriteLine("Dr0 : {0}", context[i].Dr0);
Console.WriteLine("Dr1 : {0}", context[i].Dr1);
Console.WriteLine("Dr2 : {0}", context[i].Dr2);
Console.WriteLine("Dr3 : {0}", context[i].Dr3);
Console.WriteLine("Dr6 : {0}", context[i].Dr6);
Console.WriteLine("Dr7 : {0}", context[i].Dr7);
Console.WriteLine("SegGs : {0}", context[i].SegGs);
Console.WriteLine("SegFs : {0}", context[i].SegFs);
Console.WriteLine("Seges : {0}", context[i].SegEs);
Console.WriteLine("SegDs : {0}", context[i].SegDs);
Console.WriteLine("Edi : {0}", context[i].Edi);
Console.WriteLine("Esi : {0}", context[i].Esi);
Console.WriteLine("Ebx : {0}", context[i].Ebx);
Console.WriteLine("Edx : {0}", context[i].Edx);
Console.WriteLine("Ecx : {0}", context[i].Ecx);
Console.WriteLine("Eax : {0}", context[i].Eax);
context[i].ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL;
IntPtr Nowhandle = OpenThread(ThreadAccess.SET_CONTEXT, false, (uint)threadid);
// Console.WriteLine(Nowhandle);
// context[i] = HandleToHandle(Agohandle, Nowhandle, context[i]);
tt.Eax = context[i].Eax;
tt.Ebx = context[i].Ebx;
tt.Ecx = context[i].Ecx;
tt.Edx = context[i].Edx;
//tt.Ebp = context[i].Ebp;
//tt.Esp = context[i].Esp;
//tt.Esi = context[i].Esi;
//SetThreadContext(Agohandle, ref tt);
CloseHandle(Nowhandle);
//建立新线程
if (i + 1 < count)
{
IntPtr lpThreadID = (IntPtr)0;
StartThread threadfunc = null;
ThreadStartDelegate threadFunc = null;
unsafe
{
thrhandle = CreateRemoteThread(prohandle, (IntPtr)null, 0, threadFunc, (IntPtr)null,
(uint)CreateProcessFlags.CREATE_SUSPENDED, lpThreadID);
}
threadid = (int)lpThreadID;
}
}
// ResumeThread(thrhandle);
//读入内存状态
SYSTEM_INFO systeminfo = new SYSTEM_INFO();
GetSystemInfo(out systeminfo);
long MaxAddress = (long)systeminfo.lpMaximumApplicationAddress;
long address = 0;
int countcount = 0;
do
{
MEMORY_BASIC_INFORMATION memory;
int result = VirtualQueryEx(prohandle, (IntPtr)address, out memory, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
if (address == (long)memory.BaseAddress + (long)memory.RegionSize)
break;
if (memory.State == (uint)StateEnum.MEM_COMMIT)
{
switch (memory.AllocationProtect)
{
case (uint)AllocationProtect.PAGE_READWRITE:
byte[] buffer = new byte[(int)memory.RegionSize];
Console.WriteLine("now");
Console.WriteLine(memory.BaseAddress);
Console.WriteLine(memory.AllocationBase);
Console.WriteLine(memory.RegionSize);
Console.WriteLine(memory.Type);
Console.WriteLine(memory.Protect);
stream.Read(buffer, 0, buffer.Length);
UIntPtr byteread;
WriteProcessMemory(prohandle, memory.BaseAddress, buffer, (uint)memory.RegionSize, out byteread);
Console.WriteLine("ago");
Console.WriteLine(memory.BaseAddress);
Console.WriteLine(memory.AllocationBase);
Console.WriteLine(memory.RegionSize);
Console.WriteLine(memory.Type);
Console.WriteLine(memory.Protect);
countcount++;
break;
default:
break;
}
}
address = (long)memory.BaseAddress + (long)memory.RegionSize;
}
while (address <= MaxAddress);
stream.Close();
CloseHandle(prohandle);
Console.WriteLine("write over!");
Console.WriteLine(countcount);
}
//恢复线程运行
System.Diagnostics.Process proc = System.Diagnostics.Process.GetProcessById(proinfo.dwProcessId);
System.Diagnostics.ProcessThread[] processthread = new System.Diagnostics.ProcessThread[500];
System.Diagnostics.ProcessThreadCollection threadcollection = new System.Diagnostics.ProcessThreadCollection(processthread);
threadcollection = proc.Threads;
for (int k = 0; k < threadcollection.Count; k++)
{
IntPtr ptrr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[k].Id);
ResumeThread(ptrr);
CloseHandle(ptrr);
}
return 0;
}
public int Add(System.Diagnostics.ProcessThread thread)
{
throw null;
}
public bool Contains(System.Diagnostics.ProcessThread thread)
{
throw null;
}
public void Remove(System.Diagnostics.ProcessThread thread)
{
}
public void Insert(int index, System.Diagnostics.ProcessThread thread)
{
}
public int IndexOf(System.Diagnostics.ProcessThread thread)
{
throw null;
}
public int IndexOf(System.Diagnostics.ProcessThread thread)
{
return(default(int));
}
public bool Contains(System.Diagnostics.ProcessThread thread)
{
return(default(bool));
}
