private void initAddresses(System.Diagnostics.Process process, String moduleName)
{
if (moduleName == null)
{
BaseAddress = (Pointer)process.MainModule.BaseAddress;
ImageSize = process.MainModule.ModuleMemorySize;
return;
}
System.Diagnostics.ProcessModuleCollection Modules = process.Modules;
int moduleCount = Modules.Count;
if (moduleCount == 0)
{
BaseAddress = 0;
ImageSize = 0;
return;
}
for (int i = 0; i < moduleCount; i++)
{
if (Modules[i].ModuleName == moduleName)
{
BaseAddress = (Pointer)Modules[i].BaseAddress;
ImageSize = Modules[i].ModuleMemorySize;
break;
}
}
}
public Modules(ProcessModuleCollection m)
{
InitializeComponent();
for (int x = 0; x < m.Count; x++)
{
lbModules.Items.Add(m[x].ModuleName);
}
}
public uint FindPattern( ProcessModuleCollection pModules, string szPattern, string szMask, char Delimiter ) {
string[] saPattern = szPattern.Split( Delimiter );
byte[] bPattern = new byte[ saPattern.Length ];
for( int i = 0; i < bPattern.Length; i++ )
bPattern[ i ] = Convert.ToByte( saPattern[ i ], 0x10 );
return FindPattern( pModules, bPattern, szMask );
}
/// <summary>
/// Finds a pattern or signature inside another process.
/// </summary>
/// <param name="hProcess">Handle to the process in whose memory pattern will be found.</param>
/// <param name="pMods">An array of modules which will be searched for the pattern.</param>
/// <param name="szPattern">A character-delimited string representing the pattern to be found.</param>
/// <param name="szMask">A string of 'x' (match), '!' (not-match), or '?' (wildcard).</param>
/// <param name="Delimiter">Determines how the string will be split. If null, defaults to ' '.</param>
/// <returns>Returns 0 on failure, or the address of the start of the pattern on success.</returns>
public static uint FindPattern( IntPtr hProcess, ProcessModuleCollection pMods, string szPattern, string szMask, params char[] Delimiter ) {
uint dwRet = 0;
foreach( ProcessModule pMod in pMods )
if( ( dwRet = FindPattern( hProcess, pMod, szPattern, szMask, Delimiter ) ) != 0 )
break;
return dwRet;
}
public uint FindPattern( ProcessModuleCollection pModules, byte[] bPattern, string szMask ) {
uint dwReturn = 0;
foreach( ProcessModule pModule in pModules ) {
dwReturn = FindPattern( pModule, bPattern, szMask );
if( dwReturn != 0 )
break;
}
return dwReturn;
}
/// <summary>Gets an array of module infos for the specified process.</summary>
/// <param name="processId">The ID of the process whose modules should be enumerated.</param>
/// <returns>The array of modules.</returns>
internal static ProcessModuleCollection GetModules(int processId)
{
var modules = new ProcessModuleCollection(0);
// Process from the parsed maps file each entry representing a module
foreach (Interop.procfs.ParsedMapsModule entry in Interop.procfs.ParseMapsModules(processId))
{
int sizeOfImage = (int)(entry.AddressRange.Value - entry.AddressRange.Key);
// A single module may be split across multiple map entries; consolidate based on
// the name and address ranges of sequential entries.
if (modules.Count > 0)
{
ProcessModule module = modules[modules.Count - 1];
if (module.FileName == entry.FileName &&
((long)module.BaseAddress + module.ModuleMemorySize == entry.AddressRange.Key))
{
// Merge this entry with the previous one
module.ModuleMemorySize += sizeOfImage;
continue;
}
}
// It's not a continuation of a previous entry but a new one: add it.
unsafe
{
modules.Add(new ProcessModule()
{
FileName = entry.FileName,
ModuleName = Path.GetFileName(entry.FileName),
BaseAddress = new IntPtr(unchecked ((void *)entry.AddressRange.Key)),
ModuleMemorySize = sizeOfImage,
EntryPointAddress = IntPtr.Zero // unknown
});
}
}
// Return the set of modules found
return(modules);
}
/// <summary>Gets an array of module infos for the specified process.</summary>
/// <param name="processId">The ID of the process whose modules should be enumerated.</param>
/// <returns>The array of modules.</returns>
internal static ProcessModuleCollection GetModules(int processId)
{
var modules = new ProcessModuleCollection(0);
// Process from the parsed maps file each entry representing a module
foreach (Interop.procfs.ParsedMapsModule entry in Interop.procfs.ParseMapsModules(processId))
{
int sizeOfImage = (int)(entry.AddressRange.Value - entry.AddressRange.Key);
// A single module may be split across multiple map entries; consolidate based on
// the name and address ranges of sequential entries.
if (modules.Count > 0)
{
ProcessModule module = modules[modules.Count - 1];
if (module.FileName == entry.FileName &&
((long)module.BaseAddress + module.ModuleMemorySize == entry.AddressRange.Key))
{
// Merge this entry with the previous one
module.ModuleMemorySize += sizeOfImage;
continue;
}
}
// It's not a continuation of a previous entry but a new one: add it.
unsafe
{
modules.Add(new ProcessModule()
{
FileName = entry.FileName,
ModuleName = Path.GetFileName(entry.FileName),
BaseAddress = new IntPtr((void*)entry.AddressRange.Key),
ModuleMemorySize = sizeOfImage,
EntryPointAddress = IntPtr.Zero // unknown
});
}
}
// Return the set of modules found
return modules;
}
/// <summary>Gets an array of module infos for the specified process.</summary>
/// <param name="processId">The ID of the process whose modules should be enumerated.</param>
/// <returns>The array of modules.</returns>
internal static ProcessModuleCollection GetModules(int processId)
{
ProcessModuleCollection modules = Interop.procfs.ParseMapsModules(processId) ?? new(capacity : 0);
// Move the main executable module to be the first in the list if it's not already
string?exePath = Process.GetExePath(processId);
for (int i = 0; i < modules.Count; i++)
{
ProcessModule module = modules[i];
if (module.FileName == exePath)
{
if (i > 0)
{
modules.RemoveAt(i);
modules.Insert(0, module);
}
break;
}
}
// Return the set of modules found
return(modules);
}
/// <summary>
/// Finds a pattern or signature inside another process.
/// </summary>
/// <param name="hProcess">Handle to the process in whose memory pattern will be found.</param>
/// <param name="pMods">An array of modules which will be searched for the pattern.</param>
/// <param name="bPattern">A byte-array representing the pattern to be found.</param>
/// <param name="szMask">A string of 'x' (match), '!' (not-match), or '?' (wildcard).</param>
/// <returns>Returns 0 on failure, or the address of the start of the pattern on success.</returns>
public static uint FindPattern(IntPtr hProcess, ProcessModuleCollection pMods, byte[] bPattern, string szMask)
{
uint dwRet = 0;
foreach (ProcessModule pMod in pMods)
if ((dwRet = FindPattern(hProcess, pMod, bPattern, szMask)) != 0)
break;
return dwRet;
}
private static string GetModulesDescription(ProcessModuleCollection modules)
{
var text = new StringBuilder();
text.AppendLine("Modules Collection:");
foreach (ProcessModule module in modules)
{
text.Append(" ");
text.AppendLine(GetModuleDescription(module));
}
return text.ToString();
}
/// <summary>
/// Closes the handle to the open process (or does nothing if a process has not been opened).
/// </summary>
public void CloseProcess() {
if (mProcess != IntPtr.Zero)
Imports.CloseHandle(mProcess);
mProcess = IntPtr.Zero;
mWnd = IntPtr.Zero;
mProcessId = 0;
mMainModule = null;
mModules = null;
mProcessOpen = false;
#if FASM_MANAGED
Asm.SetProcessHandle(IntPtr.Zero);
#endif
}
public void Refresh()
{
this.processInfo = null;
this.threads = null;
this.modules = null;
this.mainWindowTitle = null;
this.exited = false;
this.signaled = false;
this.haveMainWindow = false;
this.haveWorkingSetLimits = false;
this.haveProcessorAffinity = false;
this.havePriorityClass = false;
this.haveExitTime = false;
this.haveResponding = false;
this.havePriorityBoostEnabled = false;
}
public uint FindPattern(ProcessModuleCollection pModules, string szPattern, string szMask)
{
return FindPattern(pModules, szPattern, szMask, ' ');
}
/// <summary>
/// Opens a process and its main thread for interaction.
/// </summary>
/// <param name="ProcessId">Process Id of process with which we wish to interact.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool Open(int ProcessId) {
if (ProcessId == 0)
return false;
if (ProcessId == mProcessId)
return true;
if (mProcessOpen)
this.CloseProcess();
if (SetDebugPrivileges)
System.Diagnostics.Process.EnterDebugMode();
mProcessOpen = (mProcess = ProcessHelper.OpenProcess(ProcessId)) != IntPtr.Zero;
if (mProcessOpen) {
mProcessId = ProcessId;
mWnd = WindowHelper.FindWindowByProcessId(ProcessId);
mModules = Process.GetProcessById(mProcessId).Modules;
mMainModule = mModules[0];
#if FASM_MANAGED
if (Asm == null)
Asm = new FasmManaged.ManagedFasm(mProcess);
else
Asm.SetProcessHandle(mProcess);
#endif
}
return mProcessOpen;
}
public static ProcessModule GetFirstModule(int processId)
{
ProcessModuleCollection modules = GetModules(processId, firstModuleOnly: true);
return(modules.Count == 0 ? null : modules[0]);
}
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly)
{
// preserving Everett behavior.
if (processId == SystemProcessID || processId == IdleProcessID)
{
// system process and idle process doesn't have any modules
throw new Win32Exception(Interop.Errors.EFail, SR.EnumProcessModuleFailed);
}
SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle;
try
{
processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true);
IntPtr[] moduleHandles = new IntPtr[64];
GCHandle moduleHandlesArrayHandle = new GCHandle();
int moduleCount = 0;
for (;;)
{
bool enumResult = false;
try
{
moduleHandlesArrayHandle = GCHandle.Alloc(moduleHandles, GCHandleType.Pinned);
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
// The API we need to use to enumerate process modules differs on two factors:
// 1) If our process is running in WOW64.
// 2) The bitness of the process we wish to introspect.
//
// If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process
// we can call psapi!EnumProcessModules.
//
// If we are running in WOW64 and we want to inspect the modules of a 64 bit process then
// psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't
// do the enumeration at all. So we'll detect this case and bail out.
//
// Also, EnumProcessModules is not a reliable method to get the modules for a process.
// If OS loader is touching module information, this method might fail and copy part of the data.
// This is no easy solution to this problem. The only reliable way to fix this is to
// suspend all the threads in target process. Of course we don't want to do this in Process class.
// So we just to try avoid the race by calling the same method 50 (an arbitrary number) times.
//
if (!enumResult)
{
bool sourceProcessIsWow64 = false;
bool targetProcessIsWow64 = false;
SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle;
try
{
hCurProcess = ProcessManager.OpenProcess(unchecked ((int)Interop.Kernel32.GetCurrentProcessId()), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true);
bool wow64Ret;
wow64Ret = Interop.Kernel32.IsWow64Process(hCurProcess, ref sourceProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
wow64Ret = Interop.Kernel32.IsWow64Process(processHandle, ref targetProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
if (sourceProcessIsWow64 && !targetProcessIsWow64)
{
// Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user.
throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow);
}
}
finally
{
if (hCurProcess != SafeProcessHandle.InvalidHandle)
{
hCurProcess.Dispose();
}
}
// If the failure wasn't due to Wow64, try again.
for (int i = 0; i < 50; i++)
{
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
if (enumResult)
{
break;
}
Thread.Sleep(1);
}
}
}
finally
{
moduleHandlesArrayHandle.Free();
}
if (!enumResult)
{
throw new Win32Exception();
}
moduleCount /= IntPtr.Size;
if (moduleCount <= moduleHandles.Length)
{
break;
}
moduleHandles = new IntPtr[moduleHandles.Length * 2];
}
var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : moduleCount);
char[] chars = new char[1024];
for (int i = 0; i < moduleCount; i++)
{
if (i > 0)
{
// If the user is only interested in the main module, break now.
// This avoid some waste of time. In addition, if the application unloads a DLL
// we will not get an exception.
if (firstModuleOnly)
{
break;
}
}
IntPtr moduleHandle = moduleHandles[i];
Interop.Kernel32.NtModuleInfo ntModuleInfo;
if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo))
{
HandleError();
continue;
}
var module = new ProcessModule()
{
ModuleMemorySize = ntModuleInfo.SizeOfImage,
EntryPointAddress = ntModuleInfo.EntryPoint,
BaseAddress = ntModuleInfo.BaseOfDll
};
int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.ModuleName = new string(chars, 0, length);
length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ?
new string(chars, 4, length - 4) :
new string(chars, 0, length);
modules.Add(module);
}
return(modules);
}
finally
{
if (!processHandle.IsInvalid)
{
processHandle.Dispose();
}
}
}
public void SetItems(ProcessModuleCollection processModules)
{
if (this.Created == false) return;
List<ListViewItem> list = new List<ListViewItem>();
List<ProcessModule> processModuleList = processModules.Cast<ProcessModule>().ToList();
processModuleList.Sort(delegate(ProcessModule a, ProcessModule b)
{
return a.BaseAddress.ToInt64().CompareTo(b.BaseAddress.ToInt64());
});
try
{
foreach (ProcessModule processModule in processModuleList)
{
ListViewItem item = new ListViewItem();
item.Text = processModule.ModuleName;
string startAddress = String.Format("0x{0}", processModule.BaseAddress.ToString("X16"));
string endAddress = String.Format("0x{0}", (processModule.BaseAddress.ToInt64() + processModule.ModuleMemorySize).ToString("X16"));
string entryPointAddress = String.Format("0x{0}", processModule.EntryPointAddress.ToString("X16"));
item.SubItems.Add(startAddress);
item.SubItems.Add(endAddress);
item.SubItems.Add(entryPointAddress);
item.SubItems.Add(processModule.FileVersionInfo.ProductVersion);
item.SubItems.Add(processModule.FileVersionInfo.FileVersion);
item.SubItems.Add(processModule.FileVersionInfo.FileDescription);
item.SubItems.Add(processModule.FileVersionInfo.FileName);
try
{
string fileName = processModule.FileVersionInfo.FileName;
string extension = Path.GetExtension(fileName).ToLower();
item.ImageKey = extension;
if (SmallImageList.Images.ContainsKey(extension) == false)
{
Icon icon = IconTools.GetIconForFile(fileName, ShellIconSize.SmallIcon);
if (icon != null)
{
SmallImageList.Images.Add(icon);
SmallImageList.Images.SetKeyName(SmallImageList.Images.Count - 1, extension);
}
}
}
catch
{
}
item.Tag = processModule;
list.Add(item);
}
}
catch
{
}
BeginUpdate();
Items.Clear();
Items.AddRange(list.ToArray());
AutoResizeColumns();
EndUpdate();
}
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly)
{
// preserving Everett behavior.
if (processId == SystemProcessID || processId == IdleProcessID)
{
// system process and idle process doesn't have any modules
throw new Win32Exception(Interop.Errors.EFail, SR.EnumProcessModuleFailed);
}
SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle;
try
{
processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true);
IntPtr[] moduleHandles = new IntPtr[64];
GCHandle moduleHandlesArrayHandle = new GCHandle();
int moduleCount = 0;
for (; ; )
{
bool enumResult = false;
try
{
moduleHandlesArrayHandle = GCHandle.Alloc(moduleHandles, GCHandleType.Pinned);
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
// The API we need to use to enumerate process modules differs on two factors:
// 1) If our process is running in WOW64.
// 2) The bitness of the process we wish to introspect.
//
// If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process
// we can call psapi!EnumProcessModules.
//
// If we are running in WOW64 and we want to inspect the modules of a 64 bit process then
// psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't
// do the enumeration at all. So we'll detect this case and bail out.
//
// Also, EnumProcessModules is not a reliable method to get the modules for a process.
// If OS loader is touching module information, this method might fail and copy part of the data.
// This is no easy solution to this problem. The only reliable way to fix this is to
// suspend all the threads in target process. Of course we don't want to do this in Process class.
// So we just to try avoid the race by calling the same method 50 (an arbitrary number) times.
//
if (!enumResult)
{
bool sourceProcessIsWow64 = false;
bool targetProcessIsWow64 = false;
SafeProcessHandle hCurProcess = SafeProcessHandle.InvalidHandle;
try
{
hCurProcess = ProcessManager.OpenProcess(unchecked((int)Interop.Kernel32.GetCurrentProcessId()), Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION, true);
bool wow64Ret;
wow64Ret = Interop.Kernel32.IsWow64Process(hCurProcess, ref sourceProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
wow64Ret = Interop.Kernel32.IsWow64Process(processHandle, ref targetProcessIsWow64);
if (!wow64Ret)
{
throw new Win32Exception();
}
if (sourceProcessIsWow64 && !targetProcessIsWow64)
{
// Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user.
throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow);
}
}
finally
{
if (hCurProcess != SafeProcessHandle.InvalidHandle)
{
hCurProcess.Dispose();
}
}
// If the failure wasn't due to Wow64, try again.
for (int i = 0; i < 50; i++)
{
enumResult = Interop.Kernel32.EnumProcessModules(processHandle, moduleHandlesArrayHandle.AddrOfPinnedObject(), moduleHandles.Length * IntPtr.Size, ref moduleCount);
if (enumResult)
{
break;
}
Thread.Sleep(1);
}
}
}
finally
{
moduleHandlesArrayHandle.Free();
}
if (!enumResult)
{
throw new Win32Exception();
}
moduleCount /= IntPtr.Size;
if (moduleCount <= moduleHandles.Length) break;
moduleHandles = new IntPtr[moduleHandles.Length * 2];
}
var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : moduleCount);
char[] chars = new char[1024];
for (int i = 0; i < moduleCount; i++)
{
if (i > 0)
{
// If the user is only interested in the main module, break now.
// This avoid some waste of time. In addition, if the application unloads a DLL
// we will not get an exception.
if (firstModuleOnly)
{
break;
}
}
IntPtr moduleHandle = moduleHandles[i];
Interop.Kernel32.NtModuleInfo ntModuleInfo;
if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo))
{
HandleError();
continue;
}
var module = new ProcessModule()
{
ModuleMemorySize = ntModuleInfo.SizeOfImage,
EntryPointAddress = ntModuleInfo.EntryPoint,
BaseAddress = ntModuleInfo.BaseOfDll
};
int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.ModuleName = new string(chars, 0, length);
length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleError();
continue;
}
module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ?
new string(chars, 4, length - 4) :
new string(chars, 0, length);
modules.Add(module);
}
return modules;
}
finally
{
#if FEATURE_TRACESWITCH
Debug.WriteLineIf(Process._processTracing.TraceVerbose, "Process - CloseHandle(process)");
#endif
if (!processHandle.IsInvalid)
{
processHandle.Dispose();
}
}
}
private static ProcessModuleCollection GetModules(int processId, bool firstModuleOnly)
{
// preserving Everett behavior.
if (processId == SystemProcessID || processId == IdleProcessID)
{
// system process and idle process doesn't have any modules
throw new Win32Exception(HResults.E_FAIL, SR.EnumProcessModuleFailed);
}
SafeProcessHandle processHandle = SafeProcessHandle.InvalidHandle;
try
{
processHandle = ProcessManager.OpenProcess(processId, Interop.Advapi32.ProcessOptions.PROCESS_QUERY_INFORMATION | Interop.Advapi32.ProcessOptions.PROCESS_VM_READ, true);
bool succeeded = Interop.Kernel32.EnumProcessModules(processHandle, null, 0, out int needed);
// The API we need to use to enumerate process modules differs on two factors:
// 1) If our process is running in WOW64.
// 2) The bitness of the process we wish to introspect.
//
// If we are not running in WOW64 or we ARE in WOW64 but want to inspect a 32 bit process
// we can call psapi!EnumProcessModules.
//
// If we are running in WOW64 and we want to inspect the modules of a 64 bit process then
// psapi!EnumProcessModules will return false with ERROR_PARTIAL_COPY (299). In this case we can't
// do the enumeration at all. So we'll detect this case and bail out.
if (!succeeded)
{
if (!Interop.Kernel32.IsWow64Process(Interop.Kernel32.GetCurrentProcess(), out bool sourceProcessIsWow64))
{
throw new Win32Exception();
}
if (!Interop.Kernel32.IsWow64Process(processHandle, out bool targetProcessIsWow64))
{
throw new Win32Exception();
}
if (sourceProcessIsWow64 && !targetProcessIsWow64)
{
// Wow64 isn't going to allow this to happen, the best we can do is give a descriptive error to the user.
throw new Win32Exception(Interop.Errors.ERROR_PARTIAL_COPY, SR.EnumProcessModuleFailedDueToWow);
}
EnumProcessModulesUntilSuccess(processHandle, null, 0, out needed);
}
int modulesCount = needed / IntPtr.Size;
IntPtr[] moduleHandles = new IntPtr[modulesCount];
while (true)
{
int size = needed;
EnumProcessModulesUntilSuccess(processHandle, moduleHandles, size, out needed);
if (size == needed)
{
break;
}
if (needed > size && needed / IntPtr.Size > modulesCount)
{
modulesCount = needed / IntPtr.Size;
moduleHandles = new IntPtr[modulesCount];
}
}
var modules = new ProcessModuleCollection(firstModuleOnly ? 1 : modulesCount);
char[] chars = ArrayPool <char> .Shared.Rent(1024);
try
{
for (int i = 0; i < modulesCount; i++)
{
if (i > 0)
{
// If the user is only interested in the main module, break now.
// This avoid some waste of time. In addition, if the application unloads a DLL
// we will not get an exception.
if (firstModuleOnly)
{
break;
}
}
IntPtr moduleHandle = moduleHandles[i];
Interop.Kernel32.NtModuleInfo ntModuleInfo;
if (!Interop.Kernel32.GetModuleInformation(processHandle, moduleHandle, out ntModuleInfo))
{
HandleLastWin32Error();
continue;
}
var module = new ProcessModule()
{
ModuleMemorySize = ntModuleInfo.SizeOfImage,
EntryPointAddress = ntModuleInfo.EntryPoint,
BaseAddress = ntModuleInfo.BaseOfDll
};
int length = Interop.Kernel32.GetModuleBaseName(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleLastWin32Error();
continue;
}
module.ModuleName = new string(chars, 0, length);
length = Interop.Kernel32.GetModuleFileNameEx(processHandle, moduleHandle, chars, chars.Length);
if (length == 0)
{
HandleLastWin32Error();
continue;
}
module.FileName = (length >= 4 && chars[0] == '\\' && chars[1] == '\\' && chars[2] == '?' && chars[3] == '\\') ?
new string(chars, 4, length - 4) :
new string(chars, 0, length);
modules.Add(module);
}
}
finally
{
ArrayPool <char> .Shared.Return(chars);
}
return(modules);
}
finally
{
if (!processHandle.IsInvalid)
{
processHandle.Dispose();
}
}
}
//##OPEN###############################################################
/// <summary>
/// Opens a process and its main thread for interaction.
/// </summary>
/// <param name="ProcessId">Process Id of process with which we wish to interact.</param>
/// <returns>Returns true on success, false on failure.</returns>
public bool Open(int ProcessId)
{
if (ProcessId == 0)
return false;
if (ProcessId == m_ProcessId)
return true;
if (m_bProcessOpen)
this.CloseProcess();
if (SetDebugPrivileges)
System.Diagnostics.Process.EnterDebugMode();
m_bProcessOpen = (m_hProcess = SProcess.OpenProcess(ProcessId)) != IntPtr.Zero;
if (m_bProcessOpen)
{
m_ProcessId = ProcessId;
m_hWnd = SWindow.FindWindowByProcessId(ProcessId);
m_Modules = Process.GetProcessById(m_ProcessId).Modules;
m_MainModule = m_Modules[0];
if (Asm == null)
Asm = new ManagedFasm(m_hProcess);
else
Asm.SetProcessHandle(m_hProcess);
}
return m_bProcessOpen;
}
ProcessModule GetModule(ProcessModuleCollection mods, string name)
{
name = name.ToLower();
foreach (ProcessModule mod in mods)
{
if (mod.ModuleName.ToLower() == name)
return mod;
}
return null;
}
/// <summary>
/// Closes the handle to the open process (or does nothing if a process has not been opened).
/// </summary>
public void CloseProcess()
{
if (m_hProcess != IntPtr.Zero)
Imports.CloseHandle(m_hProcess);
m_hProcess = IntPtr.Zero;
m_hWnd = IntPtr.Zero;
m_ProcessId = 0;
m_MainModule = null;
m_Modules = null;
m_bProcessOpen = false;
Asm.SetProcessHandle(IntPtr.Zero);
}
