private void btInject_Click(object sender, EventArgs e)
{
if (!File.Exists(_assemblyPath))
{
return;
}
if (cmbEntryPoint.SelectedItem is null)
{
return;
}
string typeName = _entryPoint.FullName.Substring(_entryPoint.FullName.IndexOf(' ') + 1);
typeName = typeName.Substring(0, typeName.IndexOf(':'));
if (chkWaitReturn.Checked)
{
btInject.Enabled = false;
Text += _resources.GetString("StrWaiting");
new Thread(() => {
if (_process.InjectManaged(_assemblyPath, typeName, _entryPoint.Name, _argument, out int ret))
{
Invoke((Action)(() => MessageBoxStub.Show($"{_resources.GetString("StrInjectSuccessfully")}\n{_resources.GetString("StrReturnValue")} {ret}", MessageBoxIcon.Information)));
}
else
{
Invoke((Action)(() => MessageBoxStub.Show(_resources.GetString("StrFailToInject"), MessageBoxIcon.Error)));
}
Invoke((Action)(() => {
btInject.Enabled = true;
Text = Text.Substring(0, Text.Length - 6);
}));
})
{
IsBackground = true
}.Start();
private void DumpModule(IntPtr moduleHandle, string filePath)
{
bool result;
result = DumperFactory.GetDumper(_processId, _dumperCore.Value).DumpModule(moduleHandle, filePath);
MessageBoxStub.Show(result ? $"{_resources.GetString("StrDumpModuleSuccessfully")}{Environment.NewLine}{filePath}" : _resources.GetString("StrFailToDumpModule"), result ? MessageBoxIcon.Information : MessageBoxIcon.Error);
}
private void mnuViewModules_Click(object sender, EventArgs e)
{
if (lvwProcesses.SelectedIndices.Count == 0)
{
return;
}
ListViewItem.ListViewSubItem processNameItem;
processNameItem = lvwProcesses.GetFirstSelectedSubItem(chProcessName.Index);
if (Environment.Is64BitProcess && processNameItem.BackColor == Cache.DotNetColor && processNameItem.Text.EndsWith(_resources.GetString("Str32Bit"), StringComparison.Ordinal))
{
MessageBoxStub.Show(_resources.GetString("StrViewModulesSwitchTo32Bit"), MessageBoxIcon.Error);
}
else
{
ModulesForm modulesForm;
#pragma warning disable IDE0067
modulesForm = new ModulesForm(uint.Parse(lvwProcesses.GetFirstSelectedSubItem(chProcessId.Index).Text), processNameItem.Text, processNameItem.BackColor == Cache.DotNetColor, _dumperType);
#pragma warning restore IDE0067
modulesForm.FormClosed += (v1, v2) => modulesForm.Dispose();
modulesForm.Show();
}
}
private void DumpModule(IntPtr moduleHandle, string filePath)
{
bool result;
result = DumperFactory.GetDumper(_processId, _dumperCore.Value).DumpModule(moduleHandle, filePath);
MessageBoxStub.Show(result ? $"成功!文件被转储在:{Environment.NewLine}{filePath}" : "失败!", result ? MessageBoxIcon.Information : MessageBoxIcon.Error);
}
private void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
using var dumper = DumperFactory.GetDumper(_process.Id, _dumperType.Value);
bool result = dumper.DumpModule(moduleHandle, imageLayout, filePath);
MessageBoxStub.Show(result ? $"Dump module successfully. Image was saved in:{Environment.NewLine}{filePath}" : "Fail to dump module.", result ? MessageBoxIcon.Information : MessageBoxIcon.Error);
}
private void DumpModule(IntPtr moduleHandle, ImageLayout imageLayout, string filePath)
{
bool result;
using (IDumper dumper = DumperFactory.GetDumper(_process.Id, _dumperType.Value))
result = dumper.DumpModule(moduleHandle, imageLayout, filePath);
MessageBoxStub.Show(result ? $"{_resources.GetString("StrDumpModuleSuccessfully")}{Environment.NewLine}{filePath}" : _resources.GetString("StrFailToDumpModule"), result ? MessageBoxIcon.Information : MessageBoxIcon.Error);
}
private void DumpProcess(uint processId, string directoryPath)
{
if (!Directory.Exists(directoryPath))
{
Directory.CreateDirectory(directoryPath);
}
using (var dumper = DumperFactory.GetDumper(processId, _dumperType))
MessageBoxStub.Show($"{dumper.DumpProcess(directoryPath)} {_resources.GetString("StrDumpFilesSuccess")}{Environment.NewLine}{directoryPath}", MessageBoxIcon.Information);
}
private static void ShowDetailException(Exception ex)
{
StringBuilder message;
message = new StringBuilder();
message.AppendLine("Message:\n" + ex.Message);
message.AppendLine("Source:\n" + ex.Source);
message.AppendLine("StackTrace:\n" + ex.StackTrace);
message.AppendLine("TargetSite:\n" + ex.TargetSite.ToString());
MessageBoxStub.Show(message.ToString(), MessageBoxIcon.Error);
}
private void btInject_Click(object sender, EventArgs e)
{
string typeName;
if (!File.Exists(_assemblyPath))
{
return;
}
if (cmbEntryPoint.SelectedItem == null)
{
return;
}
if (chkWaitReturn.Checked)
{
btInject.Enabled = false;
Text += "等待中...";
new Thread(() =>
{
int ret;
typeName = _entryPoint.FullName.Substring(_entryPoint.FullName.IndexOf(' ') + 1);
typeName = typeName.Substring(0, typeName.IndexOf(':'));
if (Injector.InjectManaged(_processId, _assemblyPath, typeName, _entryPoint.Name, _argument, out ret))
{
Invoke((Action)(() => MessageBoxStub.Show($"注入成功\n返回值: {ret.ToString()}", MessageBoxIcon.Information)));
}
else
{
Invoke((Action)(() => MessageBoxStub.Show("注入失败", MessageBoxIcon.Error)));
}
Invoke((Action)(() =>
{
btInject.Enabled = true;
Text = Text.Substring(0, Text.Length - 6);
}));
})
{
IsBackground = true
}.Start();
}
else
{
typeName = _entryPoint.FullName.Substring(_entryPoint.FullName.IndexOf(' '));
typeName = typeName.Substring(0, typeName.IndexOf(':'));
if (Injector.InjectManaged(_processId, _assemblyPath, typeName, _entryPoint.Name, _argument))
{
MessageBoxStub.Show($"注入成功", MessageBoxIcon.Information);
}
else
{
MessageBoxStub.Show("注入失败", MessageBoxIcon.Error);
}
}
}
private void mnuViewModules_Click(object sender, EventArgs e)
{
if (lvwProcesses.SelectedIndices.Count == 0)
{
return;
}
if (Environment.Is64BitProcess && lvwProcesses.SelectedItems[0].BackColor == Cache.DotNetColor && lvwProcesses.SelectedItems[0].Text.EndsWith(_resources.GetString("Str32Bit"), StringComparison.Ordinal))
{
MessageBoxStub.Show(_resources.GetString("StrViewModulesSwitchTo32Bit"), MessageBoxIcon.Error);
}
else
{
new ModulesForm(uint.Parse(lvwProcesses.SelectedItems[0].SubItems[1].Text), lvwProcesses.SelectedItems[0].Text, lvwProcesses.SelectedItems[0].BackColor == Cache.DotNetColor, _dumperCore).Show();
}
}
private void mnuViewModules_Click(object sender, EventArgs e)
{
if (lvwProcesses.SelectedIndices.Count == 0)
{
return;
}
if (Environment.Is64BitProcess && lvwProcesses.SelectedItems[0].BackColor == Cache.DotNetColor && lvwProcesses.SelectedItems[0].Text.EndsWith("(32 位)", StringComparison.Ordinal))
{
MessageBoxStub.Show("要查看32位.Net进程的模块请切换到32位模式", MessageBoxIcon.Error);
}
else
{
new ModulesForm(uint.Parse(lvwProcesses.SelectedItems[0].SubItems[1].Text), lvwProcesses.SelectedItems[0].Text, lvwProcesses.SelectedItems[0].BackColor == Cache.DotNetColor, _dumperCore).Show();
}
}
private void mnuViewModules_Click(object sender, EventArgs e)
{
if (lvwProcesses.SelectedIndices.Count == 0)
{
return;
}
var processNameItem = lvwProcesses.GetFirstSelectedSubItem(chProcessName.Index);
if (Environment.Is64BitProcess && processNameItem.BackColor == Cache.DotNetColor && processNameItem.Text.EndsWith(_resources.GetString("Str32Bit"), StringComparison.Ordinal))
{
MessageBoxStub.Show(_resources.GetString("StrViewModulesSwitchTo32Bit"), MessageBoxIcon.Error);
}
else
{
var modulesForm = new ModulesForm(uint.Parse(lvwProcesses.GetFirstSelectedSubItem(chProcessId.Index).Text), processNameItem.Text, processNameItem.BackColor == Cache.DotNetColor, _dumperType);
modulesForm.Show();
}
}
private void mnuDebugPrivilege_Click(object sender, EventArgs e)
{
if (!_isAdministrator)
{
MessageBoxStub.Show("请以管理员模式启动" + Application.ProductName, MessageBoxIcon.Error);
return;
}
if (FastWin32Settings.EnableDebugPrivilege())
{
mnuDebugPrivilege.Checked = true;
mnuDebugPrivilege.Enabled = false;
Text = Text.Substring(0, Text.Length - 1) + ", SeDebugPrivilege)";
MessageBoxStub.Show("成功", MessageBoxIcon.Information);
}
else
{
MessageBoxStub.Show("失败,请关闭杀软后重试", MessageBoxIcon.Error);
}
}
private void mnuDebugPrivilege_Click(object sender, EventArgs e)
{
if (!_isAdministrator)
{
MessageBoxStub.Show(_resources.GetString("StrRunAsAdmin") + Application.ProductName, MessageBoxIcon.Error);
return;
}
if (FastWin32Settings.EnableDebugPrivilege())
{
mnuDebugPrivilege.Checked = true;
mnuDebugPrivilege.Enabled = false;
Text = Text.Substring(0, Text.Length - 1) + ", SeDebugPrivilege)";
MessageBoxStub.Show(_resources.GetString("StrSuccess"), MessageBoxIcon.Information);
}
else
{
MessageBoxStub.Show(_resources.GetString("StrFailed"), MessageBoxIcon.Error);
}
}
private void LoadAssembly()
{
MethodSig methodSig;
try {
_manifestModule = ModuleDefMD.Load(_assemblyPath);
}
catch {
MessageBoxStub.Show(_resources.GetString("StrInvalidAssembly"), MessageBoxIcon.Error);
_manifestModule = null;
return;
}
cmbEntryPoint.Items.Clear();
foreach (TypeDef typeDef in _manifestModule.GetTypes())
{
foreach (MethodDef methodDef in typeDef.Methods)
{
if (!methodDef.IsStatic)
{
continue;
}
if (methodDef.IsGetter || methodDef.IsSetter)
{
continue;
}
methodSig = (MethodSig)methodDef.Signature;
if (methodSig.Params.Count != 1 || methodSig.Params[0].FullName != "System.String")
{
continue;
}
if (methodSig.RetType.FullName != "System.Int32")
{
continue;
}
cmbEntryPoint.Items.Add(methodDef);
}
}
if (cmbEntryPoint.Items.Count == 1)
{
cmbEntryPoint.SelectedIndex = 0;
}
}
private void mnuGotoLocation_Click(object sender, EventArgs e)
{
if (lvwModules.SelectedIndices.Count == 0)
{
return;
}
string filePath = lvwModules.SelectedItems[0].SubItems[3].Text;
if (filePath == "模块仅在内存中")
{
MessageBoxStub.Show("模块仅在内存中,可以在转储之后查看", MessageBoxIcon.Error);
}
else
{
if (!Environment.Is64BitProcess && Cache.Is64BitOperatingSystem)
{
MessageBoxStub.Show("文件位置被重定向,资源管理器中显示的不一定是真实位置", MessageBoxIcon.Information);
}
Process.Start("explorer.exe", @"/select, " + filePath);
}
}
private void mnuDebugPrivilege_Click(object sender, EventArgs e)
{
if (_hasSeDebugPrivilege)
{
return;
}
if (!IsAdministrator)
{
MessageBoxStub.Show(_resources.GetString("StrRunAsAdmin") + Application.ProductName, MessageBoxIcon.Error);
return;
}
try {
Process.EnterDebugMode();
_hasSeDebugPrivilege = true;
mnuDebugPrivilege.Checked = true;
mnuDebugPrivilege.Enabled = false;
Text = Text.Substring(0, Text.Length - 1) + ", SeDebugPrivilege)";
MessageBoxStub.Show(_resources.GetString("StrSuccess"), MessageBoxIcon.Information);
}
catch {
MessageBoxStub.Show(_resources.GetString("StrFailed"), MessageBoxIcon.Error);
}
}
private void RefreshModuleList()
{
lvwModules.Items.Clear();
ListViewItem listViewItem;
if (!mnuOnlyDotNetModule.Checked)
{
var moduleEntry32 = MODULEENTRY32.Default;
var snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, _process.Id);
if (snapshotHandle == INVALID_HANDLE_VALUE)
{
return;
}
if (!Module32First(snapshotHandle, ref moduleEntry32))
{
return;
}
do
{
listViewItem = new ListViewItem(moduleEntry32.szModule);
// Name
listViewItem.SubItems.Add(string.Empty);
// Domain Name
listViewItem.SubItems.Add(string.Empty);
// CLR Version
listViewItem.SubItems.Add(Utils.FormatPointer(moduleEntry32.modBaseAddr));
// BaseAddress
listViewItem.SubItems.Add(Utils.FormatHex(moduleEntry32.modBaseSize));
// Size
listViewItem.SubItems.Add(moduleEntry32.szExePath);
// Path
lvwModules.Items.Add(listViewItem);
} while (Module32Next(snapshotHandle, ref moduleEntry32));
}
if (_isDotNetProcess)
{
try {
using var dataTarget = DataTarget.AttachToProcess((int)_process.Id, false);
foreach (var clrModule in dataTarget.ClrVersions.Select(t => t.CreateRuntime()).SelectMany(t => t.AppDomains).SelectMany(t => t.Modules))
{
if (clrModule.ImageBase == 0)
{
continue;
}
string name = clrModule.Name;
bool inMemory;
if (!string.IsNullOrEmpty(name))
{
inMemory = name.Contains(",");
}
else
{
name = "<<EmptyName>>";
inMemory = true;
}
string moduleName = !inMemory?Path.GetFileName(name) : name.Split(',')[0];
listViewItem = new ListViewItem(moduleName);
// Name
listViewItem.SubItems.Add(clrModule.AppDomain.Name);
// Domain Name
listViewItem.SubItems.Add($"v{clrModule.AppDomain.Runtime.ClrInfo.Version}");
// CLR Version
listViewItem.SubItems.Add(Utils.FormatPointer(clrModule.ImageBase));
// BaseAddress
listViewItem.SubItems.Add(Utils.FormatHex((uint)clrModule.Size));
// Size
listViewItem.SubItems.Add(!inMemory ? name : "InMemory");
// Path
listViewItem.BackColor = Utils.DotNetColor;
lvwModules.Items.Add(listViewItem);
}
}
catch {
MessageBoxStub.Show("Fail to get .NET modules", MessageBoxIcon.Error);
}
}
lvwModules.AutoResizeColumns(false);
}
private void DumpProcess(uint processId, string directoryPath) => MessageBoxStub.Show($"{DumperFactory.GetDumper(processId, _dumperCore.Value).DumpProcess(directoryPath).ToString()} 个文件被转储在:{Environment.NewLine}{directoryPath}", MessageBoxIcon.Information);
private void RefreshModuleList()
{
lvwModules.Items.Clear();
ListViewItem listViewItem;
if (!mnuOnlyDotNetModule.Checked)
{
var moduleEntry32 = MODULEENTRY32.Default;
var snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, _process.Id);
if (snapshotHandle == INVALID_HANDLE_VALUE)
{
return;
}
if (!Module32First(snapshotHandle, ref moduleEntry32))
{
return;
}
do
{
listViewItem = new ListViewItem(moduleEntry32.szModule);
// Name
listViewItem.SubItems.Add(string.Empty);
// Domain Name
listViewItem.SubItems.Add(string.Empty);
// CLR Version
listViewItem.SubItems.Add("0x" + moduleEntry32.modBaseAddr.ToString(Cache.Is64BitProcess ? "X16" : "X8"));
// BaseAddress
listViewItem.SubItems.Add("0x" + moduleEntry32.modBaseSize.ToString("X8"));
// Size
listViewItem.SubItems.Add(moduleEntry32.szExePath);
// Path
lvwModules.Items.Add(listViewItem);
} while (Module32Next(snapshotHandle, ref moduleEntry32));
}
if (_isDotNetProcess)
{
try {
using (var dataTarget = DataTarget.AttachToProcess((int)_process.Id, 1000, AttachFlag.Passive)) {
dataTarget.SymbolLocator = DummySymbolLocator.Instance;
foreach (var clrModule in dataTarget.ClrVersions.Select(t => t.CreateRuntime()).SelectMany(t => t.AppDomains).SelectMany(t => t.Modules))
{
string name = clrModule.Name;
bool inMemory;
if (!string.IsNullOrEmpty(name))
{
inMemory = name.Contains(",");
}
else
{
name = "EmptyName";
inMemory = true;
}
string moduleName = !inMemory?Path.GetFileName(name) : name.Split(',')[0];
listViewItem = new ListViewItem(moduleName);
// Name
listViewItem.SubItems.Add(string.Join(", ", clrModule.AppDomains.Select(t => t.Name)));
// Domain Name
listViewItem.SubItems.Add(clrModule.Runtime.ClrInfo.Version.ToString());
// CLR Version
listViewItem.SubItems.Add("0x" + clrModule.ImageBase.ToString(Cache.Is64BitProcess ? "X16" : "X8"));
// BaseAddress
listViewItem.SubItems.Add("0x" + clrModule.Size.ToString("X8"));
// Size
listViewItem.SubItems.Add(!inMemory ? name : "InMemory");
// Path
listViewItem.BackColor = Cache.DotNetColor;
lvwModules.Items.Add(listViewItem);
}
}
}
catch {
MessageBoxStub.Show(_resources.GetString("StrFailToGetDotNetModules"), MessageBoxIcon.Error);
}
}
lvwModules.AutoResizeColumns(false);
}
private void DumpProcess(uint processId, string directoryPath)
{
using (IDumper dumper = DumperFactory.GetDumper(processId, _dumperType.Value))
MessageBoxStub.Show($"{dumper.DumpProcess(directoryPath).ToString()} {_resources.GetString("StrDumpFilesSuccess")}{Environment.NewLine}{directoryPath}", MessageBoxIcon.Information);
}
