public unsafe static void GetModules(IntPtr ProcessHandle, string dllName)
{
MemoryBasicInformation mbi = new MemoryBasicInformation();
MEMORY_SECTION_NAME usSectionName = new MEMORY_SECTION_NAME();
int dwStartAddr = 0x00000000;
do
{
int rt1 = 0;
if (ZwQueryVirtualMemory(ProcessHandle, dwStartAddr, MemoryInformationClass.MemoryBasicInformation, &mbi, Marshal.SizeOf(mbi), out rt1) >= 0)
{
if (mbi.lType == (int)MbiType.MEM_IMAGE)
{
byte[] bt = new byte[260 * 2];
int rt = 0;
int result = ZwQueryVirtualMemory(ProcessHandle, dwStartAddr, MemoryInformationClass.MemorySectionName, out usSectionName, bt.Length, out rt);
if (result >= 0)
{
UnicodeEncoding une = new UnicodeEncoding();
string path = une.GetString(usSectionName.bt).TrimEnd('\0');
if (path.Trim().ToLower().LastIndexOf(dllName) != -1)
{
dllBaseInfo.BaseAddress = mbi.AllocationBase;
dllBaseInfo.path = path;
break;
}
}
else
{
break;
}
dwStartAddr += (int)mbi.RegionSize;
dwStartAddr -= ((int)mbi.RegionSize % 0x10000);
}
}
dwStartAddr += 0x10000;
} while (dwStartAddr < 0x7FFEFFFF);
}
public extern static int ZwQueryVirtualMemory(IntPtr ProcessHandle, int BaseAddress, MemoryInformationClass _MemoryInformationClass, [Out] out MEMORY_SECTION_NAME mbi, Int32 MemoryInformationLength, out int Zero);
