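/// <summary>
/// Gets all modules loaded in the given process.
/// </summary>
/// <param name="process">The process to query. When null, an empty collection is returned.</param>
/// <returns>
/// A collection of modules in the process. The collection is empty when the process is null or
/// the initial module query fails, and may be partial when an exception interrupts enumeration.
/// </returns>
/// <remarks>
/// Assuming the NativeMethods calls wrap the psapi functions of the same name, the module list is
/// read from loader data that lives inside the target process. A process can unlink or alter its
/// own entries, so names, base addresses and sizes returned here are advisory and should not be
/// used on their own as proof that a module is, or is not, loaded.
/// </remarks>
public IEnumerable<NormalizedModule> GetModules(Process process)
{
    List<NormalizedModule> modules = new List<NormalizedModule>();

    if (process == null)
    {
        return modules;
    }

    // Use a dedicated local for the cache lookup. Passing the result list itself as the out
    // argument would overwrite it with null whenever TryGetValue fails after Contains succeeded,
    // and that null would then be added to the cache and returned to the caller.
    // NOTE(review): the cache is keyed by process id, and Windows reuses ids after a process
    // exits. The eviction policy of ModuleCache is not visible here; confirm entries cannot
    // outlive the process they describe.
    List<NormalizedModule> cachedModules;

    if (this.ModuleCache.Contains(process.Id)
        && this.ModuleCache.TryGetValue(process.Id, out cachedModules)
        && cachedModules != null)
    {
        return cachedModules;
    }

    try
    {
        // First call with an empty buffer only reports how many bytes of handles are needed
        IntPtr[] modulePointers = new IntPtr[0];
        Int32 bytesNeeded = 0;

        if (!NativeMethods.EnumProcessModulesEx(process.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            // Failure, return our current empty list (deliberately not cached)
            return modules;
        }

        Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
        modulePointers = new IntPtr[totalNumberofModules];

        if (NativeMethods.EnumProcessModulesEx(process.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            // Modules can be unloaded between the two calls. Only walk the handles that were
            // actually written; trailing zero handles would otherwise be reported as extra modules.
            Int32 returnedModules = Math.Min(totalNumberofModules, bytesNeeded / IntPtr.Size);

            // GetModuleInformation expects the size of the information structure, not the size
            // of the handle array. The old value was too small for processes with few modules.
            UInt32 moduleInformationSize = (UInt32)System.Runtime.InteropServices.Marshal.SizeOf(typeof(ModuleInformation));

            for (Int32 index = 0; index < returnedModules; index++)
            {
                // Paths longer than the buffer capacity are truncated
                StringBuilder moduleFilePath = new StringBuilder(1024);

                // NOTE(review): the results of the next two calls are not checked, so a failed
                // call still yields a module with an empty path and default information.
                NativeMethods.GetModuleFileNameEx(process.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);

                ModuleInformation moduleInformation = new ModuleInformation();
                NativeMethods.GetModuleInformation(process.Handle, modulePointers[index], out moduleInformation, moduleInformationSize);

                // Ignore modules in 64-bit address space for WoW64 processes.
                // NOTE(review): the cut-off is Int32.MaxValue (2 GB). A large-address-aware
                // 32-bit process can map modules between 2 GB and 4 GB, which this also drops;
                // confirm whether UInt32.MaxValue was intended.
                if (process.Is32Bit() && moduleInformation.ModuleBase.ToUInt64() > Int32.MaxValue)
                {
                    continue;
                }

                // Convert to a normalized module and add it to our list
                NormalizedModule module = new NormalizedModule(moduleFilePath.ToString(), moduleInformation.ModuleBase.ToUInt64(), (Int32)moduleInformation.SizeOfImage);
                modules.Add(module);
            }
        }
    }
    catch (Exception ex)
    {
        Logger.Log(LogLevel.Error, "Unable to fetch modules from selected process", ex);
    }

    this.ModuleCache.Add(process.Id, modules);

    return modules;
}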
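/// <summary>
/// Gets all modules in the opened process.
/// </summary>
/// <returns>
/// A collection of modules in the process. The collection is empty when no process is opened or
/// the initial module query fails, and may be partial when an exception interrupts enumeration.
/// </returns>
/// <remarks>
/// Assuming the NativeMethods calls wrap the psapi functions of the same name, the module list is
/// read from loader data that lives inside the target process. A process can unlink or alter its
/// own entries, so the returned names, base addresses and sizes are advisory only.
/// </remarks>
public IEnumerable<NormalizedModule> GetModules()
{
    List<NormalizedModule> modules = new List<NormalizedModule>();

    if (this.SystemProcess == null)
    {
        return modules;
    }

    try
    {
        // First call with an empty buffer only reports how many bytes of handles are needed
        IntPtr[] modulePointers = new IntPtr[0];
        Int32 bytesNeeded = 0;

        if (!NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            return modules;
        }

        Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
        modulePointers = new IntPtr[totalNumberofModules];

        if (NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            // Modules can be unloaded between the two calls. Only walk the handles that were
            // actually written; trailing zero handles would otherwise be reported as extra modules.
            Int32 returnedModules = Math.Min(totalNumberofModules, bytesNeeded / IntPtr.Size);

            // GetModuleInformation expects the size of the information structure, not the size
            // of the handle array. The old value was too small for processes with few modules.
            UInt32 moduleInformationSize = (UInt32)System.Runtime.InteropServices.Marshal.SizeOf(typeof(ModuleInformation));

            for (Int32 index = 0; index < returnedModules; index++)
            {
                // Paths longer than the buffer capacity are truncated
                StringBuilder moduleFilePath = new StringBuilder(1024);

                // NOTE(review): the results of the next two native calls are not checked, so a
                // failed call still yields a module with an empty name and default information.
                NativeMethods.GetModuleFileNameEx(this.SystemProcess.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);

                // Only the file name is kept; two modules with the same file name in different
                // directories are indistinguishable by name afterwards.
                String moduleName = Path.GetFileName(moduleFilePath.ToString());

                ModuleInformation moduleInformation = new ModuleInformation();
                NativeMethods.GetModuleInformation(this.SystemProcess.Handle, modulePointers[index], out moduleInformation, moduleInformationSize);

                // Ignore modules in 64-bit address space for WoW64 processes.
                // NOTE(review): the cut-off is Int32.MaxValue (2 GB). A large-address-aware
                // 32-bit process can map modules between 2 GB and 4 GB, which this also drops;
                // confirm whether UInt32.MaxValue was intended.
                if (EngineCore.GetInstance().Processes.IsOpenedProcess32Bit() && moduleInformation.ModuleBase.ToUInt64() > Int32.MaxValue)
                {
                    continue;
                }

                // Convert to a normalized module and add it to our list
                NormalizedModule module = new NormalizedModule(moduleName, moduleInformation.ModuleBase, (Int32)moduleInformation.SizeOfImage);
                modules.Add(module);
            }
        }
    }
    catch (Exception ex)
    {
        OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Error, "Unable to fetch modules from selected process", ex);

        // NOTE(review): the full exception object is handed to the analytics service. What is
        // transmitted is not visible here; confirm it carries no local paths or process details.
        AnalyticsService.GetInstance().SendEvent(AnalyticsService.AnalyticsAction.General, ex);
    }

    return modules;
}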
/// <summary>
/// Resolves an absolute address to the module that contains it and the offset within that module.
/// </summary>
/// <param name="process">The process whose module list is searched.</param>
/// <param name="address">The original address.</param>
/// <param name="moduleName">Receives the name of the containing module, or an empty string when no module contains the address.</param>
/// <returns>The offset of the address from the containing module's base, or the original address when no module contains it.</returns>
public UInt64 AddressToModule(Process process, UInt64 address, out String moduleName)
{
    // First module whose range covers the address; null when none does
    NormalizedModule owner = this.GetModules(process).FirstOrDefault(candidate => candidate.ContainsAddress(address));

    if (owner == null)
    {
        moduleName = String.Empty;
        return address;
    }

    moduleName = owner.Name ?? String.Empty;

    return address - owner.BaseAddress;
}
/// <summary>
/// Resolves an absolute address to the module that contains it and the offset within that module.
/// </summary>
/// <param name="address">The original address.</param>
/// <param name="moduleName">Receives the name of the containing module, or an empty string when no module contains the address.</param>
/// <returns>The offset of the address from the containing module's base, or the original address when no module contains it.</returns>
public UInt64 AddressToModule(UInt64 address, out String moduleName)
{
    // First module of the opened process whose range covers the address; null when none does
    NormalizedModule owner = EngineCore.GetInstance().VirtualMemory.GetModules().FirstOrDefault(candidate => candidate.ContainsAddress(address));

    if (owner == null)
    {
        moduleName = String.Empty;
        return address;
    }

    moduleName = owner.Name ?? String.Empty;

    return address - owner.BaseAddress.ToUInt64();
}
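/// <summary>
/// Gets all modules in the opened process.
/// </summary>
/// <returns>
/// A collection of modules in the process. The collection is empty when no process is opened or
/// the initial module query fails, and may be partial when an exception interrupts enumeration.
/// </returns>
/// <remarks>
/// Assuming the NativeMethods calls wrap the psapi functions of the same name, the module list is
/// read from loader data that lives inside the target process. A process can unlink or alter its
/// own entries, so the returned names, base addresses and sizes are advisory only.
/// </remarks>
public IEnumerable<NormalizedModule> GetModules()
{
    List<NormalizedModule> normalizedModules = new List<NormalizedModule>();

    if (this.SystemProcess == null)
    {
        return normalizedModules;
    }

    try
    {
        // First call with an empty buffer only reports how many bytes of handles are needed
        IntPtr[] modulePointers = new IntPtr[0];
        Int32 bytesNeeded = 0;

        if (!Native.NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, 0, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            return normalizedModules;
        }

        Int32 totalNumberofModules = bytesNeeded / IntPtr.Size;
        modulePointers = new IntPtr[totalNumberofModules];

        if (Native.NativeMethods.EnumProcessModulesEx(this.SystemProcess.Handle, modulePointers, bytesNeeded, out bytesNeeded, (UInt32)Enumerations.ModuleFilter.ListModulesAll))
        {
            // Modules can be unloaded between the two calls. Only walk the handles that were
            // actually written; trailing zero handles would otherwise be reported as extra modules.
            Int32 returnedModules = Math.Min(totalNumberofModules, bytesNeeded / IntPtr.Size);

            // GetModuleInformation expects the size of the information structure, not the size
            // of the handle array. The old value was too small for processes with few modules.
            UInt32 moduleInformationSize = (UInt32)System.Runtime.InteropServices.Marshal.SizeOf(typeof(ModuleInformation));

            for (Int32 index = 0; index < returnedModules; index++)
            {
                // Paths longer than the buffer capacity are truncated
                StringBuilder moduleFilePath = new StringBuilder(1024);

                // NOTE(review): the results of the next two native calls are not checked, so a
                // failed call still yields a module with an empty name and default information.
                Native.NativeMethods.GetModuleFileNameEx(this.SystemProcess.Handle, modulePointers[index], moduleFilePath, (UInt32)moduleFilePath.Capacity);

                // Only the file name is kept; two modules with the same file name in different
                // directories are indistinguishable by name afterwards.
                String moduleName = Path.GetFileName(moduleFilePath.ToString());

                ModuleInformation moduleInformation = new ModuleInformation();
                Native.NativeMethods.GetModuleInformation(this.SystemProcess.Handle, modulePointers[index], out moduleInformation, moduleInformationSize);

                // Convert to a normalized module and add it to our list. The size cast is
                // explicitly unchecked so an oversized image wraps instead of throwing.
                NormalizedModule module = new NormalizedModule(moduleName, moduleInformation.ModuleBase, unchecked((Int32)moduleInformation.SizeOfImage));
                normalizedModules.Add(module);
            }
        }
    }
    catch (Exception ex)
    {
        OutputViewModel.GetInstance().Log(OutputViewModel.LogLevel.Error, "Error fetching modules from selected process: " + ex.ToString());
    }

    return normalizedModules;
}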