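/// <summary>
/// Enumerates the virtual memory regions of a process and stores one
/// <c>FMemoryInfo</c> per region in <paramref name="memories"/>.
/// </summary>
/// <param name="memories">Collection to fill. It is cleared first, including when the process cannot be opened.</param>
/// <param name="processId">Identifier of the process to inspect.</param>
/// <returns><c>false</c> when the process handle is not valid, otherwise <c>true</c>.</returns>
public static bool ListMemory(FMemoryInfos memories, int processId)
{
    memories.Clear();

    // The module list is used below to label each region with the module
    // whose allocation base it belongs to.
    FModuleInfoCollection modules = RModule.ListProcess(processId);

    uint address = 0;
    SMemoryBasicInformation mbi = new SMemoryBasicInformation();
    int size = Marshal.SizeOf(mbi);

    // NOTE(review): the second argument is 'true'. If the wrapper mirrors Win32
    // OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId), the handle is
    // inheritable by child processes created while it is open. Confirm whether
    // inheritance is needed; 'false' is the least-privilege choice.
    IntPtr process = RKernel32.OpenProcess(EProcessAccess.QueryInformation, true, processId);
    if (!RApi.IsValidHandle(process))
    {
        return false;
    }

    try
    {
        while (RKernel32.VirtualQueryEx(process, address, ref mbi, size) > 0)
        {
            FMemoryInfo memory = new FMemoryInfo();
            memory.AllocationBase = mbi.AllocationBase;
            memory.AllocationProtect = mbi.AllocationProtect;
            memory.BaseAddress = mbi.BaseAddress;
            memory.Protect = mbi.Protect;
            memory.RegionSize = mbi.RegionSize;
            memory.State = mbi.State;
            memory.Type = mbi.Type;
            memory.Module = modules.FindByAddress(mbi.AllocationBase);
            memories.Push(memory);

            // Stop when the cursor does not move forward. 'address' is a 32-bit
            // value, so BaseAddress + RegionSize can wrap to a low address at the
            // top of the address space (or stay put for a zero-sized region),
            // which would otherwise restart the walk and loop forever.
            uint next = mbi.BaseAddress + mbi.RegionSize;
            if (next <= address)
            {
                break;
            }
            address = next;
        }
    }
    finally
    {
        // Release the handle even if a query or collection call throws.
        RKernel32.CloseHandle(process);
    }
    return true;
}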
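/// <summary>
/// Walks the import thunks of the first import descriptor of a module loaded
/// in the current process and returns one <c>FTrunkInfo</c> per named import.
/// </summary>
/// <remarks>
/// Each entry records the import name and hint, the value from the original
/// thunk, the address currently stored in the bound thunk (<c>Entry</c>) and
/// the attributes of the memory region that address falls in.
/// NOTE(review): presumably these region attributes let a caller check where
/// an import really resolves (for example an entry that no longer points into
/// the expected module) - confirm against callers.
/// Only 32-bit images are handled (<c>SImageThunkData32</c>, <c>ToInt32</c>).
/// All offsets come from the image itself and are dereferenced without bounds
/// checks, so a corrupted image can send <c>Marshal.PtrToStructure</c> to an
/// invalid address.
/// </remarks>
/// <param name="hModule">Base address of the loaded module.</param>
/// <returns>
/// The collected entries, or <c>null</c> when the NT headers are unavailable,
/// the image has no import directory, or the first descriptor has no name.
/// </returns>
public static FTrunkInfo[] FetchTrunks(IntPtr hModule)
{
    Nullable<SImageNtHeaders> ntHeaders = GetNtHeaders(hModule);
    // Without this guard an absent header would throw on .Value instead of
    // reporting "nothing to list" the way the other early exits do.
    if (!ntHeaders.HasValue)
    {
        return null;
    }

    SImageDataDirectory idd = ntHeaders.Value.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (idd.VirtualAddress == 0)
    {
        return null;
    }

    // Import descriptor. NOTE(review): only the first descriptor is read, so
    // imports from any further descriptors are not listed - confirm intent.
    uint maddress = (uint)hModule.ToInt32();
    IntPtr pIdHeader = (IntPtr)(maddress + idd.VirtualAddress);
    SImageImportDescriptor impDesc = (SImageImportDescriptor)Marshal.PtrToStructure(pIdHeader, typeof(SImageImportDescriptor));
    if (impDesc.Name == 0)
    {
        return null;
    }

    // Two parallel thunk arrays: the original one (names) and the bound one
    // (addresses currently in use).
    IntPtr pOrgFt = (IntPtr)(maddress + impDesc.OriginalFirstThunk);
    IntPtr pFt = (IntPtr)(maddress + impDesc.FirstThunk);
    int ftSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int miSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    FObjects<FTrunkInfo> infos = new FObjects<FTrunkInfo>();

    while (true)
    {
        SImageThunkData32 origThunk = (SImageThunkData32)Marshal.PtrToStructure(pOrgFt, typeof(SImageThunkData32));
        SImageThunkData32 realThunk = (SImageThunkData32)Marshal.PtrToStructure(pFt, typeof(SImageThunkData32));

        // A zero thunk terminates the array.
        if (origThunk.Function == 0)
        {
            break;
        }
        // High bit set: the value is tested as an ordinal, not a name offset.
        // NOTE(review): this ends the walk rather than skipping the entry, so
        // anything after the first such thunk is not reported.
        if ((origThunk.Ordinal & 0x80000000) == 0x80000000)
        {
            break;
        }

        // Read name
        IntPtr pName = (IntPtr)(maddress + origThunk.AddressOfData);
        SImageImportByName byName = (SImageImportByName)Marshal.PtrToStructure(pName, typeof(SImageImportByName));
        if (byName.Name[0] == 0)
        {
            break;
        }

        // Read the state of the memory the bound thunk points at. The return
        // value is not checked; on failure the Mem* fields below keep whatever
        // the freshly constructed structure holds.
        SMemoryBasicInformation mbi = new SMemoryBasicInformation();
        RKernel32.VirtualQuery(realThunk.Function, ref mbi, miSize);

        FTrunkInfo info = new FTrunkInfo();
        info.Name = RAscii.GetString(byName.Name);
        info.Address = origThunk.Function;
        info.Entry = (IntPtr)realThunk.Function;
        info.Hint = byName.Hint;
        info.MemAllocationBase = mbi.AllocationBase;
        info.MemAllocationProtect = mbi.AllocationProtect;
        info.MemBaseAddress = mbi.BaseAddress;
        info.MemProtect = mbi.Protect;
        info.MemRegionSize = mbi.RegionSize;
        info.MemState = mbi.State;
        info.MemType = mbi.Type;
        infos.Push(info);

        // Advance both arrays in step.
        pOrgFt = (IntPtr)(pOrgFt.ToInt32() + ftSize);
        pFt = (IntPtr)(pFt.ToInt32() + ftSize);
    }
    return infos.ToArray();
}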
/// <summary>
/// Reads the DOS and NT headers of the image at <c>_handle</c> through
/// <c>_process</c>, then fills <c>_trunks</c> with the named imports of the
/// first import descriptor.
/// </summary>
/// <remarks>
/// State is updated as the method goes: <c>_dosHeader</c> and
/// <c>_ntHeaders</c> are stored as soon as their signature checks pass, so a
/// <c>false</c> result can leave them set while <c>_trunks</c> is untouched.
/// Every offset (<c>e_lfanew</c>, directory and thunk addresses) comes from
/// the inspected image and is used without range checks.
/// NOTE(review): on a malformed image the walk depends on
/// <c>ReadStructure</c> failing safely - confirm its behaviour on unreadable
/// addresses.
/// Only 32-bit images are handled (<c>SImageThunkData32</c>, <c>ToInt32</c>).
/// </remarks>
/// <returns>
/// <c>false</c> when a header signature does not match, the import directory
/// is empty, or the first descriptor has no name; otherwise <c>true</c>.
/// </returns>
public bool Open()
{
    // DOS header: must carry the expected signature.
    SImageDosHeader dos = _process.ReadStructure<SImageDosHeader>(_handle);
    if (dos.e_magic != (uint)EImageSignature.Dos)
    {
        return false;
    }
    _dosHeader = dos;

    // NT headers sit e_lfanew bytes past the image base.
    IntPtr ntHeaderPtr = (IntPtr)(_handle.ToInt32() + dos.e_lfanew);
    SImageNtHeaders nt = _process.ReadStructure<SImageNtHeaders>(ntHeaderPtr);
    if (nt.Signature != (uint)EImageSignature.Nt)
    {
        return false;
    }
    _ntHeaders = nt;

    // Import directory entry.
    SImageDataDirectory importDir = nt.OptionalHeader.DataDirectory[(int)EImageDirectoryEntry.Import];
    if (importDir.VirtualAddress == 0)
    {
        return false;
    }

    // First import descriptor. NOTE(review): later descriptors are not read.
    uint imageBase = (uint)_handle.ToInt32();
    IntPtr descriptorPtr = (IntPtr)(imageBase + importDir.VirtualAddress);
    SImageImportDescriptor descriptor = _process.ReadStructure<SImageImportDescriptor>(descriptorPtr);
    if (descriptor.Name == 0)
    {
        return false;
    }

    // Cursors over the original (name) thunks and the bound (address) thunks.
    IntPtr nameThunkPtr = (IntPtr)(imageBase + descriptor.OriginalFirstThunk);
    IntPtr boundThunkPtr = (IntPtr)(imageBase + descriptor.FirstThunk);
    int thunkSize = Marshal.SizeOf(typeof(SImageThunkData32));
    int regionInfoSize = Marshal.SizeOf(typeof(SMemoryBasicInformation));
    _trunks = new FTrunkInfoCollection();

    for (; ; nameThunkPtr = (IntPtr)(nameThunkPtr.ToInt32() + thunkSize),
             boundThunkPtr = (IntPtr)(boundThunkPtr.ToInt32() + thunkSize))
    {
        SImageThunkData32 nameThunk = _process.ReadStructure<SImageThunkData32>(nameThunkPtr);
        SImageThunkData32 boundThunk = _process.ReadStructure<SImageThunkData32>(boundThunkPtr);

        // Stop at the zero terminator, or at the first thunk whose high bit is
        // set (tested as an ordinal here; the walk ends rather than skipping).
        bool endOfTable = nameThunk.Function == 0;
        bool highBitSet = (nameThunk.Ordinal & 0x80000000) != 0;
        if (endOfTable || highBitSet)
        {
            break;
        }

        // Hint/name record for this import.
        IntPtr importNamePtr = (IntPtr)(imageBase + nameThunk.AddressOfData);
        SImageImportByName importName = _process.ReadStructure<SImageImportByName>(importNamePtr);
        if (importName.Name[0] == 0)
        {
            break;
        }

        // Query the region the bound address points into; the result code is
        // not inspected, so a failed query leaves 'region' as constructed.
        SMemoryBasicInformation region = new SMemoryBasicInformation();
        RKernel32.VirtualQueryEx(_process.Handle, boundThunk.Function, ref region, regionInfoSize);

        // Entry is the address currently in the bound slot and EntryPtr is the
        // slot itself. NOTE(review): presumably kept with the region data so a
        // caller can check where each import resolves - confirm against callers.
        FTrunkInfo entry = new FTrunkInfo();
        entry.Name = RAscii.GetString(importName.Name);
        entry.Address = nameThunk.Function;
        entry.Entry = (IntPtr)boundThunk.Function;
        entry.EntryPtr = boundThunkPtr;
        entry.Hint = importName.Hint;
        entry.MemAllocationBase = region.AllocationBase;
        entry.MemAllocationProtect = region.AllocationProtect;
        entry.MemBaseAddress = region.BaseAddress;
        entry.MemProtect = region.Protect;
        entry.MemRegionSize = region.RegionSize;
        entry.MemState = region.State;
        entry.MemType = region.Type;
        _trunks.Push(entry);
    }
    return true;
}