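/// <summary>
/// Enumerates the functions exported by a module loaded in another process.
/// </summary>
/// <param name="processId">ID of the process that has the module loaded.</param>
/// <param name="moduleHandle">Handle of the module whose exports are enumerated.</param>
/// <param name="callback">Callback invoked for each export; must not be null.</param>
/// <returns>
/// The result of <c>EnumFunctionsInternal</c> when the process handle is valid;
/// <c>false</c> when the process could not be opened.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="callback"/> is null.</exception>
public static bool EnumFunctions(uint processId, IntPtr moduleHandle, EnumFunctionsCallback callback)
{
    if (callback == null)
    {
        // Name the offending parameter so the failure can be diagnosed from the exception alone.
        throw new ArgumentNullException("callback");
    }

    SafeNativeHandle processHandle;

    // NOTE(review): OpenProcessVMReadQuery presumably requests only VM-read and query rights - confirm.
    // The using block disposes the handle on every exit path, including when the callback throws.
    using (processHandle = OpenProcessVMReadQuery(processId))
    {
        if (!processHandle.IsValid)
        {
            return false;
        }

        return EnumFunctionsInternal(processHandle, moduleHandle, callback);
    }
}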
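/// <summary>
/// Enumerates the functions a module exports by name, by reading its PE export directory
/// out of the target process.
/// </summary>
/// <param name="processHandle">Handle of the process whose memory is read.</param>
/// <param name="moduleHandle">Module handle; used as the base address every offset is added to.</param>
/// <param name="callback">
/// Invoked once per named export with its address, its name and the value read from the
/// name-ordinal table. Returning <c>false</c> stops the enumeration.
/// </param>
/// <returns>
/// <c>true</c> when the enumeration completed, was stopped by the callback, or the module has
/// nothing exported by name; <c>false</c> when a read failed or the name count is implausible.
/// </returns>
/// <remarks>
/// Every value parsed here comes from another process's memory and must be treated as untrusted:
/// a corrupted or deliberately malformed image controls all offsets and counts.
/// NOTE(review): the DOS ("MZ") and NT ("PE") signatures are not verified before the headers are used.
/// NOTE(review): an export whose address lies inside the export directory is a forwarder string,
/// not code; such entries are passed to the callback unfiltered.
/// </remarks>
internal static bool EnumFunctionsInternal(IntPtr processHandle, IntPtr moduleHandle, EnumFunctionsCallback callback)
{
    int ntHeaderOffset;
    bool is64;
    int iedRVA;
    IMAGE_EXPORT_DIRECTORY ied;
    int[] nameOffsets;
    string functionName;
    short ordinal;
    int addressOffset;
    long nameCount;

    // 0x3C is e_lfanew in the DOS header: the offset of the NT headers.
    if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + 0x3C, out ntHeaderOffset))
    {
        return false;
    }

    // NOTE(review): the layout is chosen from the process bitness, not from the optional
    // header's Magic field of this particular image - confirm the two always agree for callers.
    if (!Process32.Is64BitProcessInternal(processHandle, out is64))
    {
        return false;
    }

    // RVA of the export data directory entry: NT headers + 0x88 for PE32+, + 0x78 for PE32.
    if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + ntHeaderOffset + (is64 ? 0x88 : 0x78), out iedRVA))
    {
        return false;
    }

    if (iedRVA == 0)
    {
        // No export directory. Reading at RVA 0 would interpret the DOS header as an
        // export directory and yield garbage counts and offsets.
        return true;
    }

    // 40 bytes is the size of IMAGE_EXPORT_DIRECTORY.
    if (!ReadProcessMemory(processHandle, moduleHandle + iedRVA, &ied, (size_t)40, null))
    {
        return false;
    }

    nameCount = ied.NumberOfNames;
    if (nameCount == 0)
    {
        // No functions exported by name.
        return true;
    }

    // The count is attacker-influenced: reject values whose byte size (count * 4) would
    // overflow, instead of throwing from the allocation or issuing a wrapped read size.
    // NOTE(review): a tighter cap may be appropriate; a count this large is still a big allocation.
    if (nameCount < 0 || nameCount > int.MaxValue / 4)
    {
        return false;
    }

    nameOffsets = new int[ied.NumberOfNames];
    fixed (void* p = &nameOffsets[0])
    {
        if (!ReadProcessMemory(processHandle, moduleHandle + (int)ied.AddressOfNames, p, (size_t)(ied.NumberOfNames * 4), null))
        {
            return false;
        }
    }

    for (int i = 0; i < nameOffsets.Length; i++)
    {
        // NOTE(review): 40 is presumably a maximum length, so longer names (for example
        // decorated C++ names) would be truncated - confirm against ReadStringInternal.
        if (!MemoryIO.ReadStringInternal(processHandle, moduleHandle + nameOffsets[i], out functionName, 40, false, Encoding.ASCII))
        {
            return false;
        }

        if (!MemoryIO.ReadInt16Internal(processHandle, moduleHandle + ((int)ied.AddressOfNameOrdinals + i * 2), out ordinal))
        {
            return false;
        }

        // Name-ordinal entries are unsigned 16-bit indices. Mask before scaling so an index
        // of 0x8000 or above does not become a negative offset into unrelated memory.
        // NOTE(review): the index is not checked against the function-table length.
        if (!MemoryIO.ReadInt32Internal(processHandle, moduleHandle + ((int)ied.AddressOfFunctions + (ordinal & 0xFFFF) * 4), out addressOffset))
        {
            return false;
        }

        // NOTE(review): the value handed over is the raw table index, without the export
        // directory's ordinal base added - confirm what callers expect.
        if (!callback(moduleHandle + addressOffset, functionName, ordinal))
        {
            return true;
        }
    }

    return true;
}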
/// <summary>
/// Enumerates the functions exported by a module, looked up by name in the target process.
/// </summary>
/// <param name="processHandle">Handle of the process that has the module loaded.</param>
/// <param name="moduleName">Name of the module to resolve.</param>
/// <param name="callback">Callback invoked for each export.</param>
/// <returns>
/// <c>false</c> when the module name does not resolve to a handle; otherwise the result of
/// the handle-based <c>EnumFunctionsInternal</c> overload.
/// </returns>
internal static bool EnumFunctionsInternal(IntPtr processHandle, string moduleName, EnumFunctionsCallback callback)
{
    // Resolve the name first; a zero handle means the lookup did not find the module.
    IntPtr resolvedModule = GetHandleInternal(processHandle, false, moduleName);

    return resolvedModule != IntPtr.Zero
        && EnumFunctionsInternal(processHandle, resolvedModule, callback);
}