public int DumpProcess(string directoryPath)
{
int count;
count = 0;
foreach (PageInfo pageInfo in _process.EnumeratePageInfos())
{
ushort magic;
byte[] peHeaderData;
NativeModule module;
ImageLayout imageLayout;
byte[] peImageData;
string fileName;
string filePath;
if ((ulong)pageInfo.Size > int.MaxValue)
{
continue;
}
if (!_process.TryReadUInt16(pageInfo.Address, out magic))
{
continue;
}
if (magic != 0x5A4D)
{
// MZ
continue;
}
peHeaderData = new byte[(uint)pageInfo.Size];
if (!_process.TryReadBytes(pageInfo.Address, peHeaderData))
{
continue;
}
module = _process.UnsafeGetModule(pageInfo.Address);
imageLayout = GetProbableImageLayout(peHeaderData);
peImageData = DumpDotNetModule(module, imageLayout, out fileName);
if (peImageData is null)
{
// 也许判断有误,尝试一下另一种格式
if (imageLayout == ImageLayout.Memory)
{
peImageData = DumpDotNetModule(module, ImageLayout.File, out fileName);
}
else
{
peImageData = DumpDotNetModule(module, ImageLayout.Memory, out fileName);
}
}
if (peImageData is null)
{
continue;
}
filePath = Path.Combine(directoryPath, EnsureNoRepeatFileName(directoryPath, EnsureValidFileName(fileName)));
File.WriteAllBytes(filePath, peImageData);
count++;
}
return(count);
}