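/// <summary>
/// Type initialiser: opens the memory of a running notepad process, locates
/// its "notepad.exe" module and caches remote pointers to the module base in
/// <c>mNotepad1</c> (only when <c>RemoteBytePtr</c> is defined) and
/// <c>mNotepad2</c>. When notepad is not running or the module is not found
/// the pointers are left untouched and no error is raised.
/// </summary>
static GenericRemotePtr()
{
    // NOTE(review): GetNotepadModule passes "notepad.exe" here while this
    // initialiser passes "notepad"; whether ProcessMemory accepts both forms
    // is not visible from this file — TODO confirm.
    ProcessMemory m = new mwg.InterProcess.ProcessMemory("notepad");
    if (!m.Available)
    {
        return;
    }

    Diag::ProcessModule mod = null;
    foreach (Diag::ProcessModule mod2 in m.Process.Modules)
    {
        // Fix: the original skipped modules named "nodepad.exe" (typo) and
        // therefore always took whichever module was enumerated first.
        // Select the module actually named "notepad.exe", as GetNotepadModule does.
        if (mod2.ModuleName.ToString() != "notepad.exe")
        {
            continue;
        }
        mod = mod2;
        break;
    }

    if (mod == null)
    {
        return;
    }

#if RemoteBytePtr
    mNotepad1 = (RemoteBytePtr)m + mod.BaseAddress;
#endif
    mNotepad2 = (RemotePtr<byte>)m + (long)mod.BaseAddress;
}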
/// <summary>
/// Wraps one module of a remote process and resolves its PE header chain
/// (DOS header, NT signature, COFF file header, optional header) by reading
/// through <paramref name="mem"/>.
/// </summary>
/// <param name="mem">Remote-process memory accessor the headers are read through.</param>
/// <param name="mod">The module whose image headers are parsed.</param>
/// <remarks>
/// Parsing stops at the first signature that does not match: a bad DOS magic
/// resets <c>dhead</c> to the default pointer; a bad NT signature leaves
/// <c>chead</c>, <c>ohead</c> and <c>omagic</c> unassigned. The offsets used
/// here (<c>lfanew</c>) come from the other process and are not range-checked
/// against the module size in this constructor — whether
/// <c>Reinterpret</c>/<c>Read</c> guard the address is TODO confirm.
/// </remarks>
public Module(ProcessMemory mem, Diag::ProcessModule mod)
{
    this.mem = mem;
    this.mod = mod;
    this.mbase = mem.GetPtr(mod.BaseAddress);

    // The DOS header sits at the module base and must carry the DOS magic.
    this.dhead = this.mbase.Reinterpret<IMAGE.DOS_HEADER>();
    bool hasDosHeader = this.dhead[0].magic == IMAGE.SIGNATURE.DOS;
    if (!hasDosHeader)
    {
        dhead = default(RemotePtr<IMAGE.DOS_HEADER>);
        return;
    }

    // lfanew is the offset of the NT signature from the image base.
    remote_ptr ntHeader = this.mbase + this.dhead[0].lfanew;
    bool hasNtSignature = ntHeader.Read<uint>() == (uint)IMAGE.SIGNATURE.NT;
    if (!hasNtSignature)
    {
        return;
    }

    // The COFF file header follows the 4-byte signature; the optional header
    // follows the file header directly.
    this.chead = (ntHeader + 4).Reinterpret<IMAGE.FILE_HEADER>();
    ohead = (this.chead + 1).Reinterpret<IMAGE.STD_OPTIONAL_HEADER>();
    omagic = ohead[0].Magic;
}
/// <summary>
/// Opens the memory of a running "notepad.exe" process and returns the module
/// of that process named "notepad.exe". A diagnostic (in Japanese) is written
/// to <paramref name="log"/> and <c>null</c> returned when the process is not
/// available or the module is missing.
/// </summary>
/// <param name="log">Sink for diagnostic messages.</param>
/// <param name="m">Receives the opened <see cref="ProcessMemory"/>; it is assigned even on failure.</param>
/// <returns>The matching module, or <c>null</c>.</returns>
private static Diag::ProcessModule GetNotepadModule(Log log, out ProcessMemory m)
{
    const string TARGET = "notepad.exe";

    m = new mwg.InterProcess.ProcessMemory(TARGET);
    if (!m.Available)
    {
        // "notepad.exe is not available right now; check whether it is running."
        log.WriteLine("!現在 notepad.exe が利用出来ません。起動しているかどうか確認して下さい。");
        return null;
    }

    // The name comparison is ordinal and case-sensitive, so a module reported
    // as "NOTEPAD.EXE" would not match — TODO confirm that is intended.
    foreach (Diag::ProcessModule candidate in m.Process.Modules)
    {
        if (candidate.ModuleName.ToString() == TARGET)
        {
            return candidate;
        }
    }

    // "Module 'notepad.exe' was not found inside process notepad.exe."
    log.WriteLine("!プロセス notepad.exe 内にモジュール 'notepad.exe' が見つかりませんでした。");
    return null;
}
/// <summary>
/// Logs the PE header chain of <paramref name="mod"/> as read from the remote
/// process: module base and size, the COFF file header fields, and the
/// optional-header flavour (PE32 optional headers are expanded by
/// <c>dumpPE32Header</c>, which is defined elsewhere in this file).
/// </summary>
/// <param name="log">Sink for the (Japanese) report; its indentation is restored on every exit path.</param>
/// <param name="m">Remote-process memory accessor used for every read.</param>
/// <param name="mod">The module whose headers are dumped.</param>
private unsafe static void dumpModuleHeader1(Log log, ProcessMemory m, Diag::ProcessModule mod)
{
    // "Module <name>:"
    log.WriteLine("モジュール " + mod.ModuleName + ":");
    log.AddIndent();
    log.WriteVar("Base-Address", "0x" + mod.BaseAddress.ToString("X8"));
    log.WriteVar("Module-Size", "0x" + mod.ModuleMemorySize.ToString("X8"));
    try
    {
        RemotePtr<byte> imageBase = (RemotePtr<byte>)m + mod.BaseAddress;

        // The image must begin with a DOS header carrying the DOS magic.
        IMAGE.DOS_HEADER dosHeader = imageBase.Read<IMAGE.DOS_HEADER>();
        if (dosHeader.magic != IMAGE.SIGNATURE.DOS)
        {
            // "The start of the module is not a DOS header."
            log.WriteLine("!モジュールの先頭が DOS Header ではありません。");
            return;
        }

        // lfanew is read from the foreign process and is not compared with
        // ModuleMemorySize here, so a corrupted value aims the next read at an
        // arbitrary address — TODO confirm whether RemotePtr.Read bounds-checks it.
        RemotePtr<byte> cursor = imageBase + dosHeader.lfanew;
        if (cursor.Read<uint>() != (uint)IMAGE.SIGNATURE.NT)
        {
            // "IMAGE header not found."
            log.WriteLine("!IMAGE Header が見つかりません。");
            return;
        }

        // The COFF file header follows the 4-byte NT signature.
        cursor = cursor + 4;
        IMAGE.FILE_HEADER coffHeader = cursor.Read<IMAGE.FILE_HEADER>();
        log.WriteLine("IMAGE 形式: COFF Header"); // "IMAGE format: COFF Header"
        log.AddIndent();
        log.WriteVar("対象機種", coffHeader.MachineDescription);                                  // target machine
        log.WriteVar("セクション数", coffHeader.NumberOfSections);                                 // number of sections
        log.WriteVar("タイムスタンプ", coffHeader.TimeDateStamp);                                  // timestamp
        log.WriteVar("シンボル表の位置", "0x" + coffHeader.PointerToSymbolTable.ToString("X8"));     // symbol table offset
        log.WriteVar("シンボルの数", coffHeader.NumberOfSymbols);                                  // number of symbols
        log.WriteVar("拡張ヘッダの大きさ", "0x" + coffHeader.SizeOfOptionalHeader.ToString("X4"));  // optional header size
        log.WriteVar("属性", coffHeader.Characteristics);                                          // characteristics
        log.RemoveIndent();

        // The optional header follows the file header; its leading magic word
        // identifies the flavour. sizeof(IMAGE.FILE_HEADER) is the managed
        // struct size and is assumed to equal the header's real byte size — TODO confirm.
        cursor = cursor + sizeof(IMAGE.FILE_HEADER);
        IMAGE.OPTIONAL_MAGIC optionalMagic = cursor.Read<IMAGE.OPTIONAL_MAGIC>();
        if (optionalMagic == IMAGE.OPTIONAL_MAGIC.NT_HDR32)
        {
            log.WriteLine("種別: PE32"); // "Kind: PE32"
            dumpPE32Header(log, imageBase, cursor);
        }
        else if (optionalMagic == IMAGE.OPTIONAL_MAGIC.ROM_HDR)
        {
            log.WriteLine("種別: Rom Image"); // "Kind: ROM image"
        }
        else if (optionalMagic == IMAGE.OPTIONAL_MAGIC.NT_HDR64)
        {
            log.WriteLine("種別: PE32+"); // "Kind: PE32+"
        }
        else
        {
            log.WriteLine("未知の拡張ヘッダです。"); // "Unknown optional header."
        }
    }
    finally
    {
        log.RemoveIndent();
    }
}
/// <summary>
/// Logs every populated data directory of <paramref name="mod"/> and, when an
/// import directory is present, the full import table (one line per imported
/// function, with the resolved function address).
/// </summary>
/// <param name="log">Sink for the report.</param>
/// <param name="m">Remote-process memory accessor handed to <see cref="Module"/>.</param>
/// <param name="mod">The module whose directories are dumped.</param>
private static void dumpModuleHeader2(Log log, ProcessMemory m, Diag::ProcessModule mod)
{
    Module module = new Module(m, mod);

    // Log each populated directory and remember the import directory; if
    // several are present the last one enumerated wins.
    ImageImportDirectory importDir = null;
    foreach (ImageDataDirectory dir in module.Directories)
    {
        if (dir.pData.IsNull)
        {
            continue;
        }

        log.WriteLine("DirectoryEntry: " + afh.Enum.GetDescription(dir.DirectoryType));
        log.AddIndent();
        log.WriteVar("RVA of Data", "0x" + dir.pData.Address.ToString("X8"));
        log.WriteVar("Size of Data", "0x" + dir.DataSize.ToString("X8"));
        log.RemoveIndent();

        ImageImportDirectory asImport = dir as ImageImportDirectory;
        if (asImport != null)
        {
            importDir = asImport;
        }
    }

    if (importDir == null)
    {
        return;
    }

    log.WriteLine("============================================================");
    log.WriteLine(" IMPORT TABLE ");
    log.WriteLine("============================================================");
    foreach (ImageImportDirectory.ImportModule importedModule in importDir)
    {
        log.WriteVar("Importing from", importedModule.Name);
        log.WriteVar("ForwarderChain", importedModule.ForwarderChain);
        log.WriteVar("TimeDateStamp", importedModule.TimeDateStamp);
        foreach (ImageImportDirectory.ImportFunction importedFunction in importedModule)
        {
            // The function address is narrowed to 32 bits for display; on a
            // 64-bit target a pointer above 4 GiB would not survive this cast
            // unchanged — TODO confirm this path only handles 32-bit images.
            uint address = (uint)(System.IntPtr)importedFunction.pFptr[0];
            log.WriteLine("dllimport {0} \t@ 0x{1:X8}", importedFunction.Name, address);
        }
        log.WriteLine("------------------------------------------------------------");
    }
}
/// <summary>
/// Process-memory check entry point: locates the notepad.exe module and dumps
/// its data directories and import table to <paramref name="log"/>. The log is
/// locked for the whole dump so the report cannot be interleaved with other
/// writers, and unlocked even if the dump throws.
/// </summary>
/// <param name="log">Sink for the report; locked for the duration of the dump.</param>
public static void chkProcessMemory(Log log)
{
    ProcessMemory mem;
    Diag::ProcessModule notepadModule = GetNotepadModule(log, out mem);
    if (notepadModule == null)
    {
        return;
    }

    log.Lock();
    try
    {
        dumpModuleHeader2(log, mem, notepadModule);
    }
    finally
    {
        log.Unlock();
    }
}
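/// <summary>
/// Interactive variant of the process-memory check: locates the notepad.exe
/// module, wraps it in a <see cref="Module"/> and shows it in a modal
/// <see cref="Forms::PropertyGrid"/> for inspection.
/// </summary>
/// <param name="log">Sink for diagnostics from the module lookup.</param>
public static void chkProcessMemory2(Log log)
{
    ProcessMemory mem;
    Diag::ProcessModule mod = GetNotepadModule(log, out mem);
    if (mod == null)
    {
        return;
    }

    Module module = new Module(mem, mod);

    // Fix: the form was only disposed on the normal return path; an exception
    // from ShowDialog left the window and its grid undisposed. The form owns
    // the grid through Controls, so disposing the form disposes the grid too.
    using (Forms::Form f = new Forms::Form())
    {
        Forms::PropertyGrid grid = new Forms::PropertyGrid();
        grid.Dock = Forms::DockStyle.Fill;
        grid.SelectedObject = module;
        f.Controls.Add(grid);
        f.ShowDialog();
    }
}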