public static void LoadProcessWow64Modules(this SymbolProvider symbols, int pid) { using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer()) { buffer.Query(pid, ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.Modules32); foreach (var module in buffer.GetModules()) { try { symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); } catch (Exception ex) { Logging.Log(ex); } } } }
public static void LoadProcessWow64Modules(this SymbolProvider symbols, int pid) { using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer()) { buffer.Query( pid, ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.Modules32 | ProcessHacker.Native.Api.RtlQueryProcessDebugFlags.NonInvasive ); foreach (var module in buffer.GetModules()) { try { symbols.LoadModule(module.FileName, module.BaseAddress, module.Size); } catch (Exception ex) { Logging.Log(ex); } } } }
private static void DumpProcessModules(MemoryObject processMo, int pid) { if (pid <= 0) { return; } using (var modules = processMo.CreateChild("Modules")) { if (pid != 4) { var baseAddressList = new Dictionary <IntPtr, object>(); bool isWow64 = false; using (var phandle = new ProcessHandle(pid, Program.MinProcessQueryRights | ProcessAccess.VmRead)) { if (OSVersion.Architecture == OSArch.Amd64) { isWow64 = phandle.IsWow64(); } phandle.EnumModules((module) => { if (!baseAddressList.ContainsKey(module.BaseAddress)) { DumpProcessModule(modules, module); baseAddressList.Add(module.BaseAddress, null); } return(true); }); } try { using (var phandle = new ProcessHandle(pid, ProcessAccess.QueryInformation | ProcessAccess.VmRead)) { phandle.EnumMemory((memory) => { if (memory.Type == MemoryType.Mapped) { if (!baseAddressList.ContainsKey(memory.BaseAddress)) { string fileName = phandle.GetMappedFileName(memory.BaseAddress); if (fileName != null) { fileName = FileUtils.GetFileName(fileName); DumpProcessModule(modules, new ProcessModule( memory.BaseAddress, memory.RegionSize.ToInt32(), IntPtr.Zero, 0, Path.GetFileName(fileName), fileName )); baseAddressList.Add(memory.BaseAddress, null); } } } return(true); }); } } catch { } if (isWow64) { try { using (var buffer = new ProcessHacker.Native.Debugging.DebugBuffer()) { buffer.Query( pid, RtlQueryProcessDebugFlags.Modules32 | RtlQueryProcessDebugFlags.NonInvasive ); buffer.EnumModules((module) => { if (!baseAddressList.ContainsKey(module.BaseAddress)) { DumpProcessModule(modules, module); baseAddressList.Add(module.BaseAddress, null); } return(true); }); } } catch { } } } else { foreach (var module in Windows.GetKernelModules()) { DumpProcessModule(modules, module); } } } }