public static extern bool Module32Next(ToolHelpHandle hSnapshot, ref MODULEENTRY32 lpme);
public static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
public IEnumerable<ModuleInfo> GetModuleInfos() { ToolHelpHandle ptr = null; var list = new List<ModuleInfo>(); try { ptr = CreateToolhelp32Snapshot(0x8, ProcessId); if (ptr.IsInvalid) { throw new Win32Exception(); } var me32 = new MODULEENTRY32(); me32.dwSize = (uint)Marshal.SizeOf(me32); if (Module32First(ptr, ref me32)) { do { ModuleInfo info = new ModuleInfo { baseName = me32.szModule, fileName = me32.szExePath, baseOfDll = me32.modBaseAddr, sizeOfImage = (int)me32.modBaseSize, Id = (int)me32.th32ModuleID }; list.Add(info); me32.dwSize = (uint)Marshal.SizeOf(me32); } while (Module32Next(ptr, ref me32)); } if (Marshal.GetLastWin32Error() != 18) //ERROR_NO_MORE_FILES throw new Win32Exception(); } finally { if (ptr != null && !ptr.IsInvalid) { ptr.Close(); } } return list; }
public static extern bool Module32Next([System.Runtime.InteropServices.InAttribute()] System.IntPtr hSnapshot, ref MODULEENTRY32 lpme);
public virtual void UnInjectDll() { if (explorerProcess != null) { MODULEENTRY32 stModuleEntry = new MODULEENTRY32(); bool bFlag = true; IntPtr hFindModule = IntPtr.Zero; stModuleEntry.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(stModuleEntry); var hModuleSnap = API.CreateToolhelp32Snapshot(0x00000008, explorerProcess.Id); bFlag = API.Module32First(hModuleSnap, ref stModuleEntry); for (; bFlag;) { if (stModuleEntry.szExePath.ToLower() == dllname.ToLower()) { hFindModule = stModuleEntry.hModule; break; } bFlag = API.Module32Next(hModuleSnap, ref stModuleEntry); } var freeAddr = API.GetProcAddress(API.GetModuleHandleA("Kernel32"), "FreeLibrary"); API.CreateRemoteThread(explorerProcess.Handle, IntPtr.Zero, 0, new IntPtr(freeAddr), hFindModule, 0, 0); } }
static public extern bool Module32Next(ToolHelpHandle hSnapshot, ref MODULEENTRY32 lpme);
/// <summary> /// 获取模块地址 /// </summary> /// <param name="PID">目标进程PID</param> /// <param name="ModuleName">需获取到的模块名</param> /// <returns>返回个int类型的吧.想怎么转换看你们自己了.</returns> private int GetModelAddress(IntPtr PID, string ModuleName) { PROCESSENTRY32 pr = new PROCESSENTRY32(); MODULEENTRY32 mo = new MODULEENTRY32(); IntPtr LM; if (ModuleName == "") { //如果模块空,直接88 返回-2 因为2.. return -2; } pr.dwSize = (uint)Marshal.SizeOf(typeof(PROCESSENTRY32)); LM = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID); if (LM.ToInt32() > 0) { mo.dwSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32)); if (Module32First(LM, ref mo)) { do { if (mo.szModule == ModuleName) { CloseHandle(LM); return mo.modBaseAddr.ToInt32(); } } while (Module32Next(LM, ref mo)); } CloseHandle(LM); } //获取不到.或者遍历不到.都返回-1 return -1; }
static public extern bool Module32Next(int hSnapshot, ref MODULEENTRY32 lpme);
public static extern bool Module32Next(HSNAPSHOT hSnapshot, out MODULEENTRY32 lpme);
static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
private static bool HasJ(int processId) { // calling CreateToolhelp32Snapshot directly is significantly (~5x) faster than accessing // Process.Modules. This gets called during the Debug->attach to process API so that ends // up being a difference of less than 1 sec vs. 5 seconds. IntPtr h = CreateToolhelp32Snapshot(SnapshotFlags.Module, (uint)processId); if (h != INVALID_HANDLE_VALUE) { uint marshalSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32)); MODULEENTRY32 me = new MODULEENTRY32(); me.dwSize = (uint)marshalSize; if (Module32First(h, ref me)) { do { if (IsJModule(me.szModule)) { return true; } me.dwSize = marshalSize; } while (Module32Next(h, ref me)); } CloseHandle(h); } return false; }
public static extern IntPtr Module32Next(IntPtr hSnapShot, ref MODULEENTRY32 me32);