Ejemplo n.º 1
 /// <summary>
 /// Dumps the PE image located at <paramref name="address"/> in <paramref name="process"/>, converts it to
 /// file layout, and returns the bytes only when the image can be loaded as a .NET module.
 /// </summary>
 /// <param name="process">Process the image is read from.</param>
 /// <param name="address">Address of the image inside <paramref name="process"/>.</param>
 /// <param name="imageLayout">Layout of the image; passed by reference to the dumper, which may update it.</param>
 /// <param name="fileName">
 /// Receives the original file name reported by the image, or the address formatted as hexadecimal
 /// ("X8", or "X16" when the address does not fit in 32 bits) when no name is available.
 /// Set to <c>null</c> when dumping or parsing fails.
 /// </param>
 /// <returns>The dumped image in file layout, or <c>null</c> if it is not a .NET module or any step threw.</returns>
 private static byte[] DumpDotNetModule(NativeProcess process, void *address, ImageLayout imageLayout, out string fileName)
 {
     // Data-directory slot checked for a non-zero VirtualAddress before attempting a .NET load
     // (slot 14 is the CLR / COM descriptor header in the PE optional header).
     const int ClrHeaderDirectoryIndex = 14;

     try
     {
         byte[] rawDump = PEImageDumper.Dump(process, address, ref imageLayout);
         byte[] fileImage = PEImageDumper.ConvertImageLayout(rawDump, imageLayout, ImageLayout.File);
         bool loadable = false;

         using (var pe = new PEImage(fileImage, true))
         {
             // Make sure this is a valid PE file.
             // NOTE(review): the name presumably comes from data inside the dumped image, i.e. it is
             // controlled by the inspected process — callers should sanitize it (path separators,
             // "..", reserved names) before using it as part of an output path. Confirm against caller.
             string addressFormat = (ulong)address > uint.MaxValue ? "X16" : "X8";
             fileName = pe.GetOriginalFilename() ?? ((IntPtr)address).ToString(addressFormat);

             if (pe.ImageNTHeaders.OptionalHeader.DataDirectories[ClrHeaderDirectoryIndex].VirtualAddress != 0)
             {
                 try
                 {
                     // Verify once more that this really is a .NET assembly: load it and dispose it
                     // right away; any exception means the image is rejected.
                     using (ModuleDefMD.Load(pe))
                     {
                     }
                     loadable = true;
                 }
                 catch
                 {
                     // Load failed: keep loadable == false so the dump is discarded.
                 }
             }
         }

         if (!loadable)
         {
             return null;
         }
         return fileImage;
     }
     catch
     {
         // Best effort: any failure while dumping or parsing yields "no module".
         fileName = null;
         return null;
     }
 }
Ejemplo n.º 2
 /// <summary>
 /// Dumps the module at <paramref name="moduleHandle"/> from the process held in <c>_process</c>,
 /// converts it to file layout and writes it to <paramref name="filePath"/>.
 /// </summary>
 /// <param name="moduleHandle">Handle of the module; used as the address to dump from.</param>
 /// <param name="imageLayout">Layout of the image; passed by reference to the dumper, which may update it.</param>
 /// <param name="filePath">Destination path for the dumped image.</param>
 public void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
 {
     void *moduleBase = (void *)moduleHandle;
     byte[] dumped = PEImageDumper.Dump(_process, moduleBase, ref imageLayout);
     byte[] fileLayoutImage = PEImageDumper.ConvertImageLayout(dumped, imageLayout, ImageLayout.File);

     // File.WriteAllBytes overwrites an existing file at filePath without prompting. The bytes come
     // from another process's memory, so the written file should be handled as untrusted content.
     File.WriteAllBytes(filePath, fileLayoutImage);
 }