public int DumpProcState(int pid, string filename) { AllocConsole(); //查找进程相关的所有线程 System.Diagnostics.Process process = System.Diagnostics.Process.GetProcessById(pid); System.Diagnostics.ProcessThread[] processthread = new System.Diagnostics.ProcessThread[500]; System.Diagnostics.ProcessThreadCollection threadcollection = new System.Diagnostics.ProcessThreadCollection(processthread); threadcollection = process.Threads; int count = threadcollection.Count; CONTEXT[] context = new CONTEXT[count]; //间文件流 System.IO.FileStream stream = null; stream = new System.IO.FileStream(filename, System.IO.FileMode.Create); string procdescription = process.MainModule.FileName; char[] description = procdescription.ToCharArray(); byte[] bytedescription = new byte[procdescription.Length]; for (int j = 0; j < procdescription.Length; j++) { bytedescription[j] = Convert.ToByte(description[j]); } byte[] descriptioncount = new byte[1]; descriptioncount[0] = Convert.ToByte(procdescription.Length); //写入exe文件路径的长度 stream.Write(descriptioncount, 0, descriptioncount.Length); //写入exe文件路径 stream.Write(bytedescription, 0, bytedescription.Length); byte[] bytecount = new byte[1]; bytecount[0] = Convert.ToByte(count); //写入线程数 stream.Write(bytecount, 0, bytecount.Length); //挂起所有线程 for (int ii = 0; ii < count; ii++) { IntPtr ptr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[ii].Id); SuspendThread(ptr); CloseHandle(ptr); } for (int i = 0; i < count; i++) { context[i].ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL; IntPtr hThread = OpenThread(ThreadAccess.GET_CONTEXT, false, (uint)(threadcollection[i].Id)); Console.WriteLine(hThread); string stringhandle = Convert.ToString(hThread); char[] charhandle = stringhandle.ToCharArray(); byte[] byteahandle = new byte[stringhandle.Length+1]; byteahandle[0] = Convert.ToByte(stringhandle.Length); for (int bi = 0; bi < stringhandle.Length; bi++) { byteahandle[bi + 1] = Convert.ToByte(charhandle[bi]); } //写入线程句柄 stream.Write(byteahandle, 0, byteahandle.Length); if (GetThreadContext(hThread, ref context[i])) { Console.WriteLine("Ebp : {0}", context[i].Ebp); Console.WriteLine("Eip : {0}", context[i].Eip); Console.WriteLine("SegCs : {0}", context[i].SegCs); Console.WriteLine("EFlags : {0}", context[i].EFlags); Console.WriteLine("Esp : {0}", context[i].Esp); Console.WriteLine("SegSs : {0}", context[i].SegSs); byte[] bydata = Serialize(context[i]); //写入上写文 stream.Write(bydata, 0, bydata.Length); } else { Console.WriteLine("A problem occurred!"); } CloseHandle(hThread); } stream.Close(); Console.WriteLine("read over!"); //dump内存 DumpProcMemory(pid, filename); //恢复线程 for (int iii = 0; iii < count; iii++) { IntPtr ptrr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[iii].Id); ResumeThread(ptrr); CloseHandle(ptrr); } return 0; }
public int ResumeProcState(int pid, string filename) { AllocConsole(); //建文件流 System.IO.FileStream stream = null; stream = new System.IO.FileStream(filename, System.IO.FileMode.Open); byte[] descriptioncount = new byte[1]; //读出exe文件路径长度 stream.Read(descriptioncount, 0, descriptioncount.Length); int descount = Convert.ToInt32(descriptioncount[0]); char[] procdescription = new char[descount]; byte[] bytedescription = new byte[descount]; //读出exe文件路径 stream.Read(bytedescription, 0, bytedescription.Length); for (int j = 0; j < descount; j++) { procdescription[j] = Convert.ToChar(bytedescription[j]); } string description = new string(procdescription); //新建进程 SECURITY_ATTRIBUTES process = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES thread = new SECURITY_ATTRIBUTES(); STARTUPINFO info = new STARTUPINFO(); PROCESS_INFORMATION proinfo = new PROCESS_INFORMATION(); if (CreateProcess( null, description, ref process, ref thread, false, (uint)CreateProcessFlags.NORMAL_PRIORITY_CLASS, (IntPtr)null, null, ref info, out proinfo)) { IntPtr prohandle = proinfo.hProcess; IntPtr thrhandle = proinfo.hThread; System.Threading.Thread.Sleep(5000); SuspendThread(thrhandle); //打印信息 CONTEXT tt = new CONTEXT(); tt.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL; GetThreadContext(thrhandle, ref tt); Console.WriteLine(thrhandle); Console.WriteLine("Ebp : {0}", tt.Ebp); Console.WriteLine("Eip : {0}", tt.Eip); Console.WriteLine("SegCs : {0}", tt.SegCs); Console.WriteLine("EFlags : {0}", tt.EFlags); Console.WriteLine("Esp : {0}", tt.Esp); Console.WriteLine("SegSs : {0}", tt.SegSs); Console.WriteLine("Dr0 : {0}", tt.Dr0); Console.WriteLine("Dr1 : {0}", tt.Dr1); Console.WriteLine("Dr2 : {0}", tt.Dr2); Console.WriteLine("Dr3 : {0}", tt.Dr3); Console.WriteLine("Dr6 : {0}", tt.Dr6); Console.WriteLine("Dr7 : {0}", tt.Dr7); Console.WriteLine("SegGs : {0}", tt.SegGs); Console.WriteLine("SegFs : {0}", tt.SegFs); Console.WriteLine("Seges : {0}", tt.SegEs); Console.WriteLine("SegDs : {0}", tt.SegDs); Console.WriteLine("Edi : {0}", tt.Edi); Console.WriteLine("Esi : {0}", tt.Esi); Console.WriteLine("Ebx : {0}", tt.Ebx); Console.WriteLine("Edx : {0}", tt.Edx); Console.WriteLine("Ecx : {0}", tt.Ecx); Console.WriteLine("Eax : {0}", tt.Eax); ResumeThread(thrhandle); System.Threading.Thread.Sleep(5000); SuspendThread(thrhandle); CONTEXT ttt = new CONTEXT(); ttt.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL; GetThreadContext(thrhandle, ref ttt); Console.WriteLine(thrhandle); Console.WriteLine("Ebp : {0}", ttt.Ebp); Console.WriteLine("Eip : {0}", ttt.Eip); Console.WriteLine("SegCs : {0}", ttt.SegCs); Console.WriteLine("EFlags : {0}", ttt.EFlags); Console.WriteLine("Esp : {0}", ttt.Esp); Console.WriteLine("SegSs : {0}", ttt.SegSs); Console.WriteLine("Dr0 : {0}", ttt.Dr0); Console.WriteLine("Dr1 : {0}", ttt.Dr1); Console.WriteLine("Dr2 : {0}", ttt.Dr2); Console.WriteLine("Dr3 : {0}", ttt.Dr3); Console.WriteLine("Dr6 : {0}", ttt.Dr6); Console.WriteLine("Dr7 : {0}", ttt.Dr7); Console.WriteLine("SegGs : {0}", ttt.SegGs); Console.WriteLine("SegFs : {0}", ttt.SegFs); Console.WriteLine("Seges : {0}", ttt.SegEs); Console.WriteLine("SegDs : {0}", ttt.SegDs); Console.WriteLine("Edi : {0}", ttt.Edi); Console.WriteLine("Esi : {0}", ttt.Esi); Console.WriteLine("Ebx : {0}", ttt.Ebx); Console.WriteLine("Edx : {0}", ttt.Edx); Console.WriteLine("Ecx : {0}", ttt.Ecx); Console.WriteLine("Eax : {0}", ttt.Eax); //读取线程数 byte[] bytecount = new byte[1]; stream.Read(bytecount, 0, bytecount.Length); int count = Convert.ToInt32(bytecount[0]); int threadid = proinfo.dwThreadId; CONTEXT[] context = new CONTEXT[count]; for (int i = 0; i < count; i++) { //读取原先的线程句柄 byte[] byteAgohandlecount = new byte[1]; stream.Read(byteAgohandlecount, 0, byteAgohandlecount.Length); int Agohandlecount = Convert.ToInt32(byteAgohandlecount[0]); Console.WriteLine(Agohandlecount); byte[] byteAgohandle = new byte[Agohandlecount]; stream.Read(byteAgohandle, 0, byteAgohandle.Length); char[] charAgohandle = new char[Agohandlecount]; for (int bi = 0; bi < Agohandlecount; bi++) { charAgohandle[bi] = Convert.ToChar(byteAgohandle[bi]); } string stringAgohandle = new string(charAgohandle); IntPtr Agohandle = (IntPtr)Convert.ToInt32(stringAgohandle); Console.WriteLine(Agohandle); //读上下文 byte[] bydata = new byte[Marshal.SizeOf(context[i])]; stream.Read(bydata, 0, bydata.Length); context[i] = Deserialize(bydata); Console.WriteLine("Ebp : {0}", context[i].Ebp); Console.WriteLine("Eip : {0}", context[i].Eip); Console.WriteLine("SegCs : {0}", context[i].SegCs); Console.WriteLine("EFlags : {0}", context[i].EFlags); Console.WriteLine("Esp : {0}", context[i].Esp); Console.WriteLine("SegSs : {0}", context[i].SegSs); Console.WriteLine("Dr0 : {0}", context[i].Dr0); Console.WriteLine("Dr1 : {0}", context[i].Dr1); Console.WriteLine("Dr2 : {0}", context[i].Dr2); Console.WriteLine("Dr3 : {0}", context[i].Dr3); Console.WriteLine("Dr6 : {0}", context[i].Dr6); Console.WriteLine("Dr7 : {0}", context[i].Dr7); Console.WriteLine("SegGs : {0}", context[i].SegGs); Console.WriteLine("SegFs : {0}", context[i].SegFs); Console.WriteLine("Seges : {0}", context[i].SegEs); Console.WriteLine("SegDs : {0}", context[i].SegDs); Console.WriteLine("Edi : {0}", context[i].Edi); Console.WriteLine("Esi : {0}", context[i].Esi); Console.WriteLine("Ebx : {0}", context[i].Ebx); Console.WriteLine("Edx : {0}", context[i].Edx); Console.WriteLine("Ecx : {0}", context[i].Ecx); Console.WriteLine("Eax : {0}", context[i].Eax); context[i].ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_ALL; IntPtr Nowhandle = OpenThread(ThreadAccess.SET_CONTEXT, false, (uint)threadid); // Console.WriteLine(Nowhandle); // context[i] = HandleToHandle(Agohandle, Nowhandle, context[i]); tt.Eax = context[i].Eax; tt.Ebx = context[i].Ebx; tt.Ecx = context[i].Ecx; tt.Edx = context[i].Edx; //tt.Ebp = context[i].Ebp; //tt.Esp = context[i].Esp; //tt.Esi = context[i].Esi; //SetThreadContext(Agohandle, ref tt); CloseHandle(Nowhandle); //建立新线程 if (i + 1 < count) { IntPtr lpThreadID = (IntPtr)0; StartThread threadfunc = null; ThreadStartDelegate threadFunc = null; unsafe { thrhandle = CreateRemoteThread(prohandle, (IntPtr)null, 0, threadFunc, (IntPtr)null, (uint)CreateProcessFlags.CREATE_SUSPENDED, lpThreadID); } threadid = (int)lpThreadID; } } // ResumeThread(thrhandle); //读入内存状态 SYSTEM_INFO systeminfo = new SYSTEM_INFO(); GetSystemInfo(out systeminfo); long MaxAddress = (long)systeminfo.lpMaximumApplicationAddress; long address = 0; int countcount = 0; do { MEMORY_BASIC_INFORMATION memory; int result = VirtualQueryEx(prohandle, (IntPtr)address, out memory, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION))); if (address == (long)memory.BaseAddress + (long)memory.RegionSize) break; if (memory.State == (uint)StateEnum.MEM_COMMIT) { switch (memory.AllocationProtect) { case (uint)AllocationProtect.PAGE_READWRITE: byte[] buffer = new byte[(int)memory.RegionSize]; Console.WriteLine("now"); Console.WriteLine(memory.BaseAddress); Console.WriteLine(memory.AllocationBase); Console.WriteLine(memory.RegionSize); Console.WriteLine(memory.Type); Console.WriteLine(memory.Protect); stream.Read(buffer, 0, buffer.Length); UIntPtr byteread; WriteProcessMemory(prohandle, memory.BaseAddress, buffer, (uint)memory.RegionSize, out byteread); Console.WriteLine("ago"); Console.WriteLine(memory.BaseAddress); Console.WriteLine(memory.AllocationBase); Console.WriteLine(memory.RegionSize); Console.WriteLine(memory.Type); Console.WriteLine(memory.Protect); countcount++; break; default: break; } } address = (long)memory.BaseAddress + (long)memory.RegionSize; } while (address <= MaxAddress); stream.Close(); CloseHandle(prohandle); Console.WriteLine("write over!"); Console.WriteLine(countcount); } //恢复线程运行 System.Diagnostics.Process proc = System.Diagnostics.Process.GetProcessById(proinfo.dwProcessId); System.Diagnostics.ProcessThread[] processthread = new System.Diagnostics.ProcessThread[500]; System.Diagnostics.ProcessThreadCollection threadcollection = new System.Diagnostics.ProcessThreadCollection(processthread); threadcollection = proc.Threads; for (int k = 0; k < threadcollection.Count; k++) { IntPtr ptrr = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)threadcollection[k].Id); ResumeThread(ptrr); CloseHandle(ptrr); } return 0; }
public int Add(System.Diagnostics.ProcessThread thread) { throw null; }
public bool Contains(System.Diagnostics.ProcessThread thread) { throw null; }
public void Remove(System.Diagnostics.ProcessThread thread) { }
public void Insert(int index, System.Diagnostics.ProcessThread thread) { }
public int IndexOf(System.Diagnostics.ProcessThread thread) { throw null; }
public int IndexOf(System.Diagnostics.ProcessThread thread) { return(default(int)); }
public bool Contains(System.Diagnostics.ProcessThread thread) { return(default(bool)); }