Esempio n. 1
0
 public static extern bool Module32Next(ToolHelpHandle hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 2
0
 public static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 3
0
		public IEnumerable<ModuleInfo> GetModuleInfos()
		{
			ToolHelpHandle ptr = null;
			var list = new List<ModuleInfo>();
			try
			{
				ptr = CreateToolhelp32Snapshot(0x8, ProcessId);
				if (ptr.IsInvalid)
				{
					throw new Win32Exception();
				}
				var me32 = new MODULEENTRY32();
				me32.dwSize = (uint)Marshal.SizeOf(me32);

				if (Module32First(ptr, ref me32))
				{
					do
					{
						ModuleInfo info = new ModuleInfo
						{
							baseName = me32.szModule,
							fileName = me32.szExePath,
							baseOfDll = me32.modBaseAddr,
							sizeOfImage = (int)me32.modBaseSize,
							Id = (int)me32.th32ModuleID
						};
						list.Add(info);
						me32.dwSize = (uint)Marshal.SizeOf(me32);
					}
					while (Module32Next(ptr, ref me32));
				}
				if (Marshal.GetLastWin32Error() != 18) //ERROR_NO_MORE_FILES
					throw new Win32Exception();
			}
			finally
			{
				if (ptr != null && !ptr.IsInvalid)
				{
					ptr.Close();
				}
			}
			return list;
		}
Esempio n. 4
0
 public static extern bool Module32Next([System.Runtime.InteropServices.InAttribute()] System.IntPtr hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 5
0
        public virtual void UnInjectDll()
        {
            if (explorerProcess != null)
            {
                MODULEENTRY32 stModuleEntry = new MODULEENTRY32();
                bool bFlag = true;
                IntPtr hFindModule = IntPtr.Zero;

                stModuleEntry.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(stModuleEntry);

                var hModuleSnap = API.CreateToolhelp32Snapshot(0x00000008, explorerProcess.Id);
                bFlag = API.Module32First(hModuleSnap, ref stModuleEntry);
                for (; bFlag;)
                {
                    if (stModuleEntry.szExePath.ToLower() == dllname.ToLower())
                    {
                        hFindModule = stModuleEntry.hModule;
                        break;
                    }
                    bFlag = API.Module32Next(hModuleSnap, ref stModuleEntry);
                }

                var freeAddr = API.GetProcAddress(API.GetModuleHandleA("Kernel32"), "FreeLibrary");
                API.CreateRemoteThread(explorerProcess.Handle, IntPtr.Zero, 0, new IntPtr(freeAddr), hFindModule, 0, 0);
            }
        }
Esempio n. 6
0
 static public extern bool Module32Next(ToolHelpHandle hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 7
0
 /// <summary>
 /// 获取模块地址
 /// </summary>
 /// <param name="PID">目标进程PID</param>
 /// <param name="ModuleName">需获取到的模块名</param>
 /// <returns>返回个int类型的吧.想怎么转换看你们自己了.</returns>
 private int GetModelAddress(IntPtr PID, string ModuleName)
 {
     PROCESSENTRY32 pr = new PROCESSENTRY32();
     MODULEENTRY32 mo = new MODULEENTRY32();
     IntPtr LM;
     if (ModuleName == "")
     {
         //如果模块空,直接88 返回-2 因为2..
         return -2;
     }
     pr.dwSize = (uint)Marshal.SizeOf(typeof(PROCESSENTRY32));
     LM = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
     if (LM.ToInt32() > 0)
     {
         mo.dwSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32));
         if (Module32First(LM, ref mo))
         {
             do
             {
                 if (mo.szModule == ModuleName)
                 {
                     CloseHandle(LM);
                     return mo.modBaseAddr.ToInt32();
                 }
             }
             while (Module32Next(LM, ref mo));
         }
         CloseHandle(LM);
     }
     //获取不到.或者遍历不到.都返回-1
     return -1;
 }
Esempio n. 8
0
 static public extern bool Module32Next(int hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 9
0
 public static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 10
0
 public static extern bool Module32Next(HSNAPSHOT hSnapshot, out MODULEENTRY32 lpme);
Esempio n. 11
0
 static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 12
0
 static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
Esempio n. 13
0
        private static bool HasJ(int processId)
        {
            // calling CreateToolhelp32Snapshot directly is significantly (~5x) faster than accessing
            // Process.Modules.  This gets called during the Debug->attach to process API so that ends
            // up being a difference of less than 1 sec vs. 5 seconds.
            IntPtr h = CreateToolhelp32Snapshot(SnapshotFlags.Module, (uint)processId);
            if (h != INVALID_HANDLE_VALUE) {
                uint marshalSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32));
                MODULEENTRY32 me = new MODULEENTRY32();
                me.dwSize = (uint)marshalSize;
                if (Module32First(h, ref me)) {
                    do {
                        if (IsJModule(me.szModule)) {
                            return true;
                        }

                        me.dwSize = marshalSize;
                    } while (Module32Next(h, ref me));
                }
                CloseHandle(h);
            }
            return false;
        }
Esempio n. 14
0
 public static extern IntPtr Module32Next(IntPtr hSnapShot, ref MODULEENTRY32 me32);