// https://stackoverflow.com/questions/36431220/getting-a-list-of-dlls-currently-loaded-in-a-process-c-sharp private static ModuleInfo GetMonoModule(ProcessFacade process) { var modulePointers = Native.GetProcessModulePointers(process); // Collect modules from the process var modules = new List <ModuleInfo>(); foreach (var modulePointer in modulePointers) { var moduleFilePath = new StringBuilder(1024); var errorCode = Native.GetModuleFileNameEx( process.Process.Handle, modulePointer, moduleFilePath, (uint)moduleFilePath.Capacity); if (errorCode == 0) { throw new COMException("Failed to get module file name.", Marshal.GetLastWin32Error()); } var moduleName = Path.GetFileName(moduleFilePath.ToString()); Native.GetModuleInformation( process.Process.Handle, modulePointer, out var moduleInformation, (uint)(IntPtr.Size * modulePointers.Length)); // Convert to a normalized module and add it to our list var module = new ModuleInfo(moduleName, moduleInformation.BaseOfDll, moduleInformation.SizeInBytes); modules.Add(module); } return(modules.FirstOrDefault(module => module.ModuleName == "mono.dll")); }
private static AssemblyImage GetAssemblyImage(ProcessFacade process, string name, int rootDomainFunctionAddress) { var domainAddress = process.ReadPtr((uint)rootDomainFunctionAddress + 1); //// pointer to struct of type _MonoDomain var domain = process.ReadPtr(domainAddress); //// pointer to array of structs of type _MonoAssembly var assemblyArrayAddress = process.ReadPtr(domain + MonoLibraryOffsets.ReferencedAssemblies); for (var assemblyAddress = assemblyArrayAddress; assemblyAddress != Constants.NullPtr; assemblyAddress = process.ReadPtr(assemblyAddress + 0x4)) { var assembly = process.ReadPtr(assemblyAddress); var assemblyNameAddress = process.ReadPtr(assembly + 0x8); var assemblyName = process.ReadAsciiString(assemblyNameAddress); if (assemblyName == name) { return(new AssemblyImage(process, process.ReadPtr(assembly + MonoLibraryOffsets.AssemblyImage))); //return new AssemblyImage(process, process.ReadPtr(assembly + 0x44)); -> CollectionManager is null if we have this //return new AssemblyImage(process, process.ReadPtr(assembly + 0x54)); -> CollectionManager is null if we have this //return new AssemblyImage(process, process.ReadPtr(assembly + 0x6c)); -> CollectionManager is null if we have this //return new AssemblyImage(process, process.ReadPtr(assembly + 0xac)); -> CollectionManager is null if we have this //return new AssemblyImage(process, process.ReadPtr(assembly + 0xac)); } } throw new InvalidOperationException($"Unable to find assembly '{name}'"); }
/// <summary> /// Creates an <see cref="IAssemblyImage"/> that provides access into a Unity application's managed memory. /// </summary> /// <param name="processId"> /// The id of the Unity process to be inspected. /// </param> /// <param name="assemblyName"> /// The name of the assembly to be inspected. The default setting of 'Assembly-CSharp' is probably what you want. /// </param> /// <returns> /// An <see cref="IAssemblyImage"/> that provides access into a Unity application's managed memory. /// </returns> public static IAssemblyImage Create(int processId, string assemblyName = "Assembly-CSharp") { if (Environment.OSVersion.Platform != PlatformID.Win32NT) { throw new InvalidOperationException( "This library reads data directly from a process's memory, so is platform specific " + "and only runs under Windows. It might be possible to get it running under macOS, but..."); } var process = new ProcessFacade(processId); var monoModule = AssemblyImageFactory.GetMonoModule(process); var moduleDump = process.ReadModule(monoModule); var rootDomainFunctionAddress = AssemblyImageFactory.GetRootDomainFunctionAddress(moduleDump, monoModule); return(AssemblyImageFactory.GetAssemblyImage(process, assemblyName, rootDomainFunctionAddress)); }
public static IntPtr[] GetProcessModulePointers(ProcessFacade process) { var modulePointers = new IntPtr[2048 * Constants.SizeOfPtr]; // Determine number of modules if (!Native.EnumProcessModulesEx( process.Process.Handle, modulePointers, modulePointers.Length, out var bytesNeeded, 0x03)) { throw new COMException( "Failed to read modules from the external process.", Marshal.GetLastWin32Error()); } var result = new IntPtr[bytesNeeded / IntPtr.Size]; Buffer.BlockCopy(modulePointers, 0, result, 0, bytesNeeded); return(result); }
public MemoryReadingUtils(ProcessFacade process) { this.process = process; }
private dynamic InstanceProcessFacade(Mock <IProcessStore> mockProcessStore, Mock <IApprovalsLegacyStore> mockApprovalsLegacyStore, Mock <ISecurityStore> mockSecurityStore) { var facade = new ProcessFacade(_mockLogger.Object, mockProcessStore.Object, mockApprovalsLegacyStore.Object, mockSecurityStore.Object); return(facade); }