C# (CSharp) ExtremeDumper.Dumping PEImageDumper Examples

Example #1

File: NormalDumper.cs Project: keke7106/ExtremeDumper

 private static byte[] DumpDotNetModule(NativeProcess process, void *address, ImageLayout imageLayout, out string fileName)
 {
     try {
         byte[] data = PEImageDumper.Dump(process, address, ref imageLayout);
         data = PEImageDumper.ConvertImageLayout(data, imageLayout, ImageLayout.File);
         bool isDotNet;
         using (var peImage = new PEImage(data, true)) {
             // 确保为有效PE文件
             fileName = peImage.GetOriginalFilename() ?? ((IntPtr)address).ToString((ulong)address > uint.MaxValue ? "X16" : "X8");
             isDotNet = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress != 0;
             if (isDotNet)
             {
                 try {
                     using (var moduleDef = ModuleDefMD.Load(peImage)) {
                     }
                     // 再次验证是否为.NET程序集
                 }
                 catch {
                     isDotNet = false;
                 }
             }
         }
         return(isDotNet ? data : null);
     }
     catch {
         fileName = default;
         return(null);
     }
 }

Example #2

File: NormalDumper.cs Project: keke7106/ExtremeDumper

 public bool DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
 {
     try {
         byte[] peImage = PEImageDumper.Dump(_process, (void *)moduleHandle, ref imageLayout);
         peImage = PEImageDumper.ConvertImageLayout(peImage, imageLayout, ImageLayout.File);
         File.WriteAllBytes(filePath, peImage);
         return(true);
     }
     catch {
         return(false);
     }
 }

Example #3

File: NormalDumper.cs Project: keke7106/ExtremeDumper

 private static ImageLayout GetProbableImageLayout(byte[] firstPage)
 {
     try {
         uint imageSize = PEImageDumper.GetImageSize(firstPage, ImageLayout.File);
         // 获取文件格式大小
         var imageLayout = imageSize >= (uint)firstPage.Length ? ImageLayout.Memory : ImageLayout.File;
         // 如果文件格式大小大于页面大小，说明在内存中是内存格式的，反之为文件格式
         // 这种判断不准确，如果文件文件大小小于最小页面大小，判断会出错
         return(imageLayout);
     }
     catch {
         return(ImageLayout.Memory);
     }
 }

Example #4

        private static byte[] DumpDotNetModule(NativeProcess process, void *address, ImageLayout imageLayout, out string fileName)
        {
            fileName = default;
            try {
                byte[] data = PEImageDumper.Dump(process, address, ref imageLayout);
                if (data is null)
                {
                    return(null);
                }

                data = PEImageDumper.ConvertImageLayout(data, imageLayout, ImageLayout.File);
                bool isDotNet;
                using var peImage = new PEImage(data, true);
                // 确保为有效PE文件
                isDotNet = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14].VirtualAddress != 0;
                if (isDotNet)
                {
                    try {
                        using var moduleDef = ModuleDefMD.Load(peImage);
                        // 再次验证是否为.NET程序集
                        if (string.IsNullOrEmpty(fileName))
                        {
                            fileName = moduleDef.Assembly.Name + (moduleDef.EntryPoint is null ? ".dll" : ".exe");
                        }
                    }
                    catch {
                        isDotNet = false;
                    }
                }
                if (string.IsNullOrEmpty(fileName))
                {
                    fileName = ((IntPtr)address).ToString((ulong)address > uint.MaxValue ? "X16" : "X8");
                }
                return(isDotNet ? data : null);
            }
            catch {
                return(null);
            }
        }